NEW YORK (Reuters) - Benjamin Lawsky, New York’s financial services regulator, said on Monday he hopes to propose new cybersecurity regulations for banks and insurance companies under his aegis by year-end.
Lawsky said the regulations would aim to plug security gaps that could make financial institutions more vulnerable to hacking.
“The one thing we find to be an existential threat right now is whether our financial institutions and systems are adequately protected when it comes to cybersecurity,” Lawsky, superintendent of the New York Department of Financial Services, said at the Reuters Financial Regulation Summit in New York.
The planned regulations would follow a report issued by the department in April, which revealed that one-third of the 40 banks it surveyed did not require outside vendors to notify them of breaches, which could compromise bank data.
One regulation may require banks to get warranties from their vendors about what cybersecurity protections they have in place. The massive breach at Target Corp (TGT.N) in 2013 was tied to its heating and ventilation systems contractor, Lawsky pointed out.
A second regulation could require banks to adopt a multi-stepped process for allowing employees, and possibly customers, to log into their systems in order to make sure they are authorized users, Lawsky said.
Cybersecurity has become an increasing focus for banking regulators and could soon be a “major part” of their routine examinations of banks.
“If they fail, there would be pretty severe consequences,” Lawsky said. But the regulator, not usually shy about going public with bank misconduct, said he would not be so inclined to publicize which specific bank is prone to a possible security failure.
“I think we have to think hard about telling the world that a particular bank is vulnerable to a cyberattack,” Lawsky said.
New York’s Department of Financial Services regulates state-chartered banks and foreign banks licensed to operate in the state, including Goldman Sachs Group (GS.N), Barclays (BARC.L) and Deutsche Bank (DBKGn.DE), and all insurance companies that do business in the state.
The U.S. Justice Department also has been focusing on curbing cybercrime and prosecuting predators.
“We’re trying to help people to close their door and lock their door,” said Assistant Attorney General Leslie Caldwell, head of the department’s criminal division.
Caldwell, also speaking at the Reuters Financial Regulation Summit, said the department is focusing on cases that stand to help the most victims.
Last month, the department issued guidance outlining steps companies can take after an attack.
Reporting by Suzanne Barlyn and Karen Freifeld; additional reporting by John McCrank. Editing by Soyoung Kim and Ken Wills