Superintendent of Financial Services for the New York State Department of Financial Services (DFS) Benjamin Lawsky recently commented about his cybersecurity concerns for the agency:
"I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us to shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy. Indeed, we are concerned that within the next decade (or perhaps sooner), we will experience an Armageddon‐type cyber event that causes a significant disruption in the financial system for a period of time—what some have termed a 'cyber 9/11.'"
In Mr. Lawsky's remarks, titled Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World, which he delivered this week at Columbia Law School, he presented a case for the vital role that state regulators must play in the typically federally regulated financial markets, including with respect to the cybersecurity of financial institutions, accountability on Wall Street (both at the firm level and at the individual senior executive level), and prevention and detection of money laundering.
After noting the importance of cybersecurity for the upcoming year and beyond and the magnitude of the cybersecurity risks, Mr. Lawsky proceeded to outline the following actions that the DFS intends to pursue to strengthen cybersecurity for financial institutions.
- New assessment processes. The DFS intends to revise its standard processes for evaluating banks and insurance companies so that overall assessment of an institution directly addresses the institution’s cybersecurity measures.
- Qualification and monitoring of third-party vendors. The DFS recognizes that cybersecurity risks presented by a financial institution’s third-party vendors that have access to the institution’s data and information are part and parcel to the financial institution’s cybersecurity preparedness. The DFS is contemplating methods of regulating the protections in place with these third-party vendors, including “mandating that [DFS’s] financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place.”
- Multifactor authentication. DFS is considering the implementation of regulations that would require financial institutions to use multifactor authentication rather than typical username/password structures (such as a username/password structure with an additional layer of protection via a follow-up, randomly generated code texted to a user’s mobile phone).
Although Mr. Lawsky’s remarks were specifically targeted at the financial sector where his expertise lies, his concerns and proposed approaches are valuable resources for assessing all businesses’ cybersecurity risk factors and potential mitigation strategies, regardless of industry.