New York Regulator Urges Oversight for Social-Media Giants Following Twitter Cyber Attack

New York’s top financial watchdog said a dedicated regulator should oversee large social-media platforms, which should also be designated as systemically important, following a successful cyberattack on Twitter Inc. during the summer.

Source: WSJ | Published on October 15, 2020

close up on man hand holding smartphone with futuristic of social media marketing icon for internet network technology and business concept

The New York State Department of Financial Services made the recommendations Wednesday as part of a 37-page report about the July 15 attack in which a number of prominent accounts, including those of former Vice President and Democratic Party presidential candidate Joe Biden and Tesla Inc. Chief Executive Elon Musk, were used to promote a cryptocurrency scam. Authorities have since charged three people with breaking into Twitter’s systems over a period of months by posing as employees, gaining access to accounts and selling credentials to scammers.

The relative simplicity of the hackers’ tactics and the reach of the largest social-media platforms shows that a dedicated regulator is needed, DFS said in its report. While these companies are subject to certain state laws—such as New York’s 2019 Stop Hacks and Improve Electronic Data Security Act—and fall under some oversight from the Securities and Exchange Commission, the Justice Department and the Federal Trade Commission, no specific regulatory agency oversees social media as a whole.

“Social-media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity. The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer,” said Superintendent of Financial Services Linda Lacewell in a statement accompanying the report.

“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” a spokesperson for the company said. Twitter cooperated with the DFS investigation and has since launched a number of initiatives dedicated to security and privacy, including training for employees, the spokesperson added.

DFS recommended that the new regulator, which could be a part of an existing agency or a stand-alone body, should be allowed to designate the largest social media platforms as systemically important. The label is usually reserved for the very largest banks and institutions underpinning financial markets, which are subject to stronger oversight than their peers.

The ability for deliberate misinformation to spread quickly over social networks, for instance, demonstrates the necessity for greater oversight and dedicated regulation for cybersecurity at these companies, DFS argued.

In its report, DFS lauded the actions of cryptocurrency exchanges, which it directly regulates, while criticizing Twitter for its cybersecurity arrangements. The social-media company had been without a security chief since December 2019, DFS said, and access to its core administration software was available to thousands of staff with minimal security protections. Twitter hired Rinki Sethi from data-protection company Rubrik Inc. as chief information security officer in September, and has since limited staff access to key functions on its platform, DFS said.

During the Twitter hack, cryptocurrency exchanges blocked around 6,000 transactions worth $1.5 million, DFS said, citing its own cybersecurity regulations as a reason for their preparedness, although exchanges have been criticized for weak cybersecurity controls.

Lawmakers have held several hearings regarding the operations of social networks in recent years, and recent hearings held by Congressional committees have included examinations of how they handle radicalization through their platforms as well as antitrust concerns. Top executives from Twitter, Facebook Inc. and Alphabet Inc.’s Google are scheduled to appear before the Senate Commerce Committee on Oct. 28 regarding a rule that shields companies from liability for the content their users post.