Big cyber thefts at banks and retailers have left millions of people’s credit cards and other personal information exposed. But financial regulators are girding for something much bigger: A cyber attack that could cripple the entire financial system.
Raising the possibility of what he called a “cyber 9/11,” New York’s top banking regulator warned of an “Armageddon-type” attack on the financial system that pushes the cyber security debate well beyond issues of consumer protection and toward protection against a cyber raid that could have ripple effects across the economy.
“Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy,” Benjamin Lawsky, New York State’s superintendent of financial services, said in a speech at Columbia Law School this week.
He outlined changes to his agency’s regular examinations of banks and insurance companies to now include grades on the strength of their cyberattack defenses alongside other checks like how they are fighting money-laundering and fraud.
But while recent cyber attacks like the one against JPMorgan Chase illustrate the need for holding banks more accountable for thwarting cyber thieves, the idea that periodic checks on defenses would be all that effective is not very convincing—not in a world where data thieves simply move quicker than large corporations.
Take the precedent set by retailers, which are required to undergo periodic payment security checks to prove their compliance with rules for accepting customers’ credit cards. The gigantic thefts of customer and company data at Target and Home Depot show that approach hasn’t worked out too well. That’s because being compliant during a snapshot in time just isn’t enough to fend off cyber crooks who are speedily developing new ways of weaving in and out of corporate systems, often without detection.
Lawsky acknowledges the need to be nimble. “The methods hackers use are always changing so the danger in being too prescriptive is that we would be outdated very quickly,” he said.
But he said it’s important to make sure financial firms are doing more to protect themselves. Just knowing that regulators are watching should help keep bank and insurance executives focused on the importance of cyber-attack preparedness, he said.
“That is tough medicine, but we believe it is likely warranted,” he said.