Cybersecurity is likely the most important issue that the New York Department of Financial Services (DFS) will face in 2015, and perhaps for many years to come after that, New York Financial Services Superintendent Benjamin Lawsky said in a speech last Wednesday.


Lawsky said financial regulators are concerned about a potential “Armageddon-type cyber event” in the financial sector within the next decade.

“A question we often get as financial regulators is: ‘What keeps you up at night?’ The answer is ‘a lot of things.’ But right at the top of the list is the cybersecurity at the financial institutions we regulate,” Lawsky said during his speech at Columbia Law School in New York, according to his prepared remarks.

“I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder,” said Lawsky. “Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy.”

“Indeed, we are concerned that within the next decade—or perhaps sooner—we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time—what some have termed a ‘cyber 9/11,’” said Lawsky.

“We worry that, when that major cyber event happens, we will all look back and say, ‘How did we not do more to prevent it?’ Of course, the question, then, is: What should we do to help prevent that nightmare scenario?”

He said DFS is spending a lot of time working on concrete actions to help strengthen cybersecurity at its regulated institutions.

“In particular, we are focused on ways to incentivize market participants to do more to protect themselves from cyber attacks,” he said. “This issue is also clearly at the top of the agenda for federal regulators. Sarah Bloom Raskin—the deputy treasury secretary—in particular has been a leader on these issues.”

But Lawsky said he believes this area is one example where—even though federal regulators are very focused on the problem—there is still room for financial federalism at the state level in experimenting with various solutions. “Given the magnitude of the problem, we need all the ideas and proposals we can get,” he said.

Examining Cybersecurity of Banks, Insurers

Lawsky outlined several DFS initiatives in this area. First, he said, DFS is revamping its regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cybersecurity preparedness.

“The idea is simple: If we grade banks and insurers directly on their defenses against hackers as part of our examinations, it will incentivize those companies to prioritize and shore up their cybersecurity protections,” said Lawsky.

He said institutions care deeply about their examination grades since those scores can impact their ability to pay dividends, or enter new business lines, or acquire other companies.

Cybersecurity Protections for Third-Party Vendors

Second, Lawsky said DFS is considering steps to address the cybersecurity of third-party vendors, which he said is a significant vulnerability.

“Banks and insurers rely on third-party vendors for a broad range of services—whether it is a law firm that provides them with legal advice or even a company that is contracted to run their HVAC system,” he said. “Those third-party vendors often have access to a financial institution’s information technology systems—which can provide a backdoor entrance for hackers.”

In many ways, Lawsky said, a company’s cybersecurity is only as strong as the cybersecurity of its third-party vendors. And as such, DFS is considering mandating that the financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cybersecurity protections in place.

“In other words, those third-party vendors will have to strengthen their cybersecurity or risk losing out on business from those financial institutions,” he said. “That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy.”

Adopting ‘Multi-Factor Authentication’ System

Third, Lawsky spoke about adopting the “multi-factor authentication” system.

He said the internet architecture has grown up over the years with a username and password system for verifying users’ identities and that has proven to be a very vulnerable system.

“The password system should have been dead and buried many years ago. And it is time that we bury it now,” said Lawsky.

He said all firms should be moving towards—and many of them already are—a multi-factor authentication system.

“In a multi-factor authentication system, you still have a username and a password, but there is also a second layer of security,” Lawsky explained. “For example, when you attempt to log in, you could receive an immediate, randomly generated additional password that is texted to your phone.”

“As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cell phone. That simple, extra step can actually prevent a significant amount of hacking. And it is something all firms should do.”
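The two-step login Lawsky describes, as an added illustration that is not code from DFS or from the speech: the password is checked first, a randomly generated code is then "texted" (here to an in-memory stand-in for an SMS gateway), and the code must be correct, unexpired and unused before access is granted. The user record, salt, phone number and time limits are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: salted password hash plus the phone on file.
SALT = b"demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "phone": "+1-555-0100",
    }
}
CODE_TTL = 300        # seconds a texted code stays valid (assumed value)
MAX_ATTEMPTS = 3      # wrong codes allowed before the challenge is voided
pending = {}          # user -> {"code", "expires", "attempts"}
sent_sms = []         # stand-in for the SMS gateway: records (phone, code)

def last_sms():
    """Return the most recent (phone, code) the demo gateway would have sent."""
    return sent_sms[-1]

def start_login(user, password, now=None):
    """Step 1: verify the password, then text a random one-time code."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(cand, rec["pw_hash"]):
        return False
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
    pending[user] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
    sent_sms.append((rec["phone"], code))
    return True

def finish_login(user, code, now=None):
    """Step 2: the code must match, be unexpired, and is consumed on use."""
    now = time.time() if now is None else now
    ch = pending.get(user)
    if ch is None or now > ch["expires"]:
        pending.pop(user, None)
        return False
    ch["attempts"] += 1
    if not hmac.compare_digest(ch["code"], code):
        if ch["attempts"] >= MAX_ATTEMPTS:
            pending.pop(user, None)   # too many guesses: start over
        return False
    pending.pop(user)                 # single use: a replayed code fails
    return True
```

A correct password on its own only produces a challenge; without the code that reached the phone, `finish_login` never returns True.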

DFS is currently considering regulations that would mandate the use of multi-factor authentication for its regulated financial institutions. “We would be the first financial regulator to take this step,” said Lawsky.

He said DFS still has some work to do in crafting its new cybersecurity examinations, as well as any potential regulations related to multi-factor authentication and third-party vendors. In particular, the regulators need to be careful to make sure that they do not place an undue burden on smaller institutions, such as community banks, he said.

“But if we get the balance right, perhaps these steps can serve as a positive model for other regulators as we all confront this critical issue,” he said. “We will never eliminate the risk of cyber hacking entirely. But we must do everything we can so that we do not look back years from now—after a devastating attack—and ask ourselves: ‘Why didn’t we see this coming? And why didn’t we do more?’”