
NY Financial Regulator Wants Banks to Step-Up Cybersecurity, Money Laundering Measures

February 25, 2015 3:53 PM EST

New York’s Superintendent of Financial Services, Benjamin M. Lawsky, is looking to pressure financial institutions to tighten their defenses against cyber attacks and money laundering.

During a speech at Columbia Law School in New York City today, Lawsky suggested measures such as conducting random audits of regulated firms' transactions and filtering systems, and having senior executives personally attest to the adequacy of the systems their firms have in place.

The following is the relevant portion of Lawsky's speech, which can be read in full here:

Cyber Security in the Financial Sector

The final topic I would like to discuss is cyber security in the financial markets.

At DFS, we believe that cyber security is likely the most important issue we will face in 2015 – and perhaps for many years to come after that.

A question we often get as financial regulators is: “What keeps you up at night?”

The answer is “a lot of things.” But right at the top of the list is the cyber security at the financial institutions we regulate.

I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy.

Indeed, we are concerned that within the next decade (or perhaps sooner) we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a “cyber 9/11.”

And we worry that, when that major cyber event happens, we will all look back and say, “How did we not do more to prevent it?”

Of course, the question, then, is: What should we do to help prevent that nightmare scenario?

We do not profess to have all the answers at DFS. But we are spending a lot of time working on concrete actions to help strengthen cyber security at our regulated institutions.

In particular, we are focused on ways to incentivize market participants to do more to protect themselves from cyber attacks.

This issue is also clearly at the top of the agenda for federal regulators. Sarah Bloom Raskin – the Deputy Treasury Secretary – in particular has been a leader on these issues.

But I believe this area is one example where – even though federal regulators are very focused on the problem – there is still room for financial federalism at the state level in experimenting with various solutions.

Given the magnitude of the problem, we need all the ideas and proposals we can get.

With that in mind, I would like to briefly outline several DFS initiatives in this area.

First, we are revamping our regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cyber security preparedness.

The idea is simple: If we grade banks and insurers directly on their defenses against hackers as part of our examinations, it will incentivize those companies to prioritize and shore up their cyber security protections.

Indeed, institutions care deeply about their examination grades since those scores can impact their ability to pay dividends, or enter new business lines, or acquire other companies.

Second, we are considering steps to address the cyber security of third-party vendors, which is a significant vulnerability.

Banks and insurers rely on third-party vendors for a broad range of services – whether it is a law firm that provides them with legal advice or even a company that is contracted to run their HVAC system.

Those third-party vendors often have access to a financial institution’s information technology systems – which can provide a backdoor entrance for hackers.

In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.

As such, we are considering mandating that our financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place.

In other words, those third-party vendors will have to strengthen their cyber security or risk losing out on business from those financial institutions.

That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy.

Third, I would like to discuss something called “multi-factor authentication.”

Our Internet architecture has grown up over the years with a username and password system for verifying our identities.

That has proven to be a very vulnerable system.

The password system should have been dead and buried many years ago. And it is time that we bury it now.

All firms should be moving towards – and many of them already are – a multi-factor authentication system.

In a multi-factor authentication system, you still have a username and a password, but there is also a second layer of security.

For example, when you attempt to log in, you could receive an immediate, randomly generated additional password that is texted to your phone.

As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cell phone.

That simple, extra step can actually prevent a significant amount of hacking. And it is something all firms should do.

In fact, we are currently considering regulations that would mandate the use of multi-factor authentication for our financial institutions. We would be the first financial regulator to take this step.

We still have some work to do when it comes to crafting our new cyber security examinations, as well as any potential regulations related to multi-factor authentication and third-party vendors.

In particular, we need to be careful to make sure that they do not place an undue burden on smaller institutions, such as community banks.

But if we get the balance right, perhaps these steps can serve as a positive model for other regulators as we all confront this critical issue.

We will never eliminate the risk of cyber hacking entirely. But we must do everything we can so that we do not look back years from now – after a devastating attack – and ask ourselves: “Why didn’t we see this coming? And why didn’t we do more?”
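The texted-code login Lawsky describes, written out as an added example (this is not code from the speech, from DFS, or from StreetInsider): the server checks the password first, then a random, single-use code sent out of band, so a stolen password alone is not enough. The SMS gateway stub, the two-minute code lifetime and the three-attempt limit are assumptions.

```python
import hashlib, hmac, secrets, time

# Added example (not from the speech): a two-step login where the second factor
# is a random code delivered out of band; the SMS gateway is a constructed stub.
OTP_TTL_SECONDS = 120     # assumed lifetime of a texted code
OTP_MAX_ATTEMPTS = 3      # assumed number of wrong codes before the code is voided
PBKDF2_ROUNDS = 100_000
class AuthServer:
    def __init__(self):
        self.users = {}       # username -> (salt, pbkdf2 hash, phone)
        self.pending = {}     # username -> [code, expiry, attempts left]
        self.sms_outbox = []  # constructed stand-in for the SMS gateway
    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest, phone)   # hash only, never the password
    def _password_ok(self, username, password):
        if username not in self.users:
            return False
        salt, digest, _ = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def start_login(self, username, password, now=None):
        """Factor 1: on a correct password, text a fresh random code; True if sent."""
        if not self._password_ok(username, password):
            return False
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"     # uniformly random 6 digits
        self.pending[username] = [code, now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS]
        self.sms_outbox.append((self.users[username][2], code))
        return True

    def finish_login(self, username, code, now=None):
        """Factor 2: the code must match, be unexpired, and is single-use."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        now = time.time() if now is None else now
        expected, expiry, attempts = entry
        if now > expiry or attempts <= 0:
            self.pending.pop(username, None)       # stale or exhausted: start over
            return False
        entry[2] -= 1
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self.pending.pop(username)                 # consumed: cannot be replayed
        return True
```

A real deployment would also rate-limit `start_login` so an attacker holding a stolen password cannot flood the victim's phone with codes.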
