A New York financial regulator called on banks and financial institutions to tighten their security measures against cyber intrusions to prevent a financial meltdown similar to what happened to the mortgage market in 2008.
In a speech delivered at Columbia University, Benjamin Lawsky, head of New York's Department of Financial Services (DFS), said he fears that an "Armageddon-type cyber event" could potentially devastate the state's financial industry and spill over into the larger national economy.
Lawsky said he was considering instituting more rules that would require the licensed banks and insurance companies his department oversees to be more vigilant against cyber attacks that could lead to such a scenario. Although the U.S. Treasury and the Federal Reserve are the main financial regulators, New York is significant because it is home to major financial institutions, such as Bank of New York Mellon, Bank of America, and Wells Fargo, and the effect of a catastrophic cyber attack on these organizations would be felt all across the United States.
"I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder," Lawsky said. "Indeed, we are concerned that within the next decade or perhaps sooner we will experience an Armageddon-type cyber event that causes a significant interruption in the financial system for a period of time -- what some have termed a cyber 9/11."
Lawsky's speech comes a week after Moscow, Russia-based security firm Kaspersky Labs released a report that says it found evidence that an international group of hackers has been going after banks and breaching their internal networks to steal up to $1 billion from their customers' accounts. Kaspersky says around 100 banks from 30 countries were affected by the attack.
Among the measures proposed by Lawsky is the use of multi-factor authentication for bank employees to verify their identities. New York could become the first state to require banks to do this. For all their security needs, many banks still use passwords and usernames for identity authentication, a system that "should have been dead and buried many years ago," said Lawsky. Last year's high-profile theft of more than 80 million customer details at J.P. Morgan Chase was possible because the hackers were able to use an employee's credentials on a server that did not require multi-factor authentication.
"That simple, extra step can actually prevent a significant amount of hacking," said Lawsky. "And it is something all firms should do."
Lawsky said he is also considering requiring financial institutions to have their third-party vendors guarantee that they have robust security systems in place to prevent online criminals from using them as a "backdoor entrance."
Lastly, the regulator is thinking of including cybersecurity as a criterion for determining the grades banks receive from the DFS. Lawsky said financial institutions "care deeply" about their grade because it determines their ability to make acquisitions or pay dividends.