New York financial regulators are considering tougher cybersecurity requirements for banks to mandate more complex computer sign-ins and certifications from the contractors of their cyberdefenses, the state’s top regulator said Wednesday.
They already are revamping regular examinations of banks and insurance companies by adding targeted assessments of barriers against hackers, Department of Financial Services Superintendent Ben Lawsky said. He said he was “deeply worried” that within the next decade, or sooner, there will be “a major cyberattack aimed at the financial system” that could create a run or panic that spills over into the broader economy.
“At DFS, we believe that cybersecurity is likely the most important issue we will face in 2015 and perhaps for many years to come after that,” Lawsky said in an address at Columbia Law School. Internet architecture has grown up with usernames and passwords to verify identities, but all companies now should be moving toward “a multi-factor authentication system” with an additional layer of security, he said.
That could be, for example, a randomly generated second password that is immediately sent to users’ cellphones when they log in and is then needed for computer system access, Lawsky said. “As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cellphone,” he said.
The Department of Financial Services regulates more than 250 banks. Proposed regulations on cybersecurity should be issued in the coming weeks, spokesman Matt Anderson said.
DFS also is considering random audits of the monitoring and filtering computer systems that financial firms use to spot illicit transactions, Lawsky said. Over the past four years, it has reached several multimillion-dollar settlements with banks accused of conducting currency transactions through their New York branches on behalf of clients in countries prohibited from U.S. trade.
“Money is the oxygen feeding the fire that is terrorism. Without moving massive amounts of money around the globe, international terrorism cannot thrive,” he said. Since his office cannot simultaneously audit every bank, he said, it also is considering making senior executives personally attest to the adequacy of their monitoring systems.