New York Regulator Warns Of ‘Cyber 9/11’
By Arthur D. Postal
InsuranceNewsNet
WASHINGTON – An “Armageddon-type cyber event” that some have termed “a cyber 9/11” could happen within the next decade, a state financial regulator warned.
Benjamin Lawsky, Superintendent of the New York Department of Financial Services (DFS), said today he is “deeply worried” that there soon will be a major cyberattack aimed at the financial system “that is going to make all of us to shudder.”
He added that, “Cyberhacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy.”
Indeed, Lawsky added, “We are concerned that within the next decade (or perhaps sooner) we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a ‘cyber 9/11.’”
Speaking about financial regulation at Columbia University Law School in New York, Lawsky said that the issue of cyber security at financial institutions is “right at the top of the list” of things that keep financial regulators up at night.
To deal with the issue, the DFS will grade banks and insurers doing business in New York on their cyberattack defenses. The department also will consider taking steps to address the cyber security of third-party vendors, “which is a significant vulnerability,” Lawsky said.
The DFS is considering regulations that would mandate the use of multi-factor authentication for financial institutions, Lawsky said, and would be the first financial regulator in the U.S. to take that step.
He added that the DFS “still has some work to do” when it comes to crafting new cyber security examinations, as well as any potential regulations related to multi-factor authentication and third-party vendors.
Specifically, Lawsky said, the DFS is considering mandating that financial institutions he oversees “receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place.”
In other words, those third-party vendors will have to strengthen their cyber security or risk losing out on business from those financial institutions, Lawsky said.
“That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy,” Lawsky said.
Lawsky made his comments as the huge magnitude of the Anthem security breach came to light, and as it was disclosed that bipartisan Senate legislation dealing with cybersecurity is being drafted by Sen. Richard Burr, R-N.C., and Sen. Dianne Feinstein, D-Calif., the chairman and ranking minority member, respectively, of the Senate Intelligence Committee.
Anthem disclosed Monday that the database that was hacked contained personal data for 78.8 million people. These include 60 million to 70 million current and former customers and personnel.
The Senate bill would mirror provisions in a Senate bill last year that would allow companies to use countermeasures to essentially protect their own network, according to The Wall Street Journal. They also could use countermeasures to protect the network of another company or of the U.S. government if first given written permission, the Journal said.
As to assessing institutions on their cyber security preparedness, Lawsky said, “The idea is simple: If we grade banks and insurers directly on their defenses against hackers as part of our examinations, it will incentivize those companies to prioritize and shore up their cyber security protections.”
InsuranceNewsNet Washington Bureau Chief Arthur D. Postal has covered regulatory and legislative issues for more than 30 years.
© Entire contents copyright 2015 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.