Regulator warns of 'Armageddon' cyber attack on banks

Kaja Whitehouse | USA TODAY

A New York financial regulator said he is considering new rules to protect against "an Armageddon-type" cyber attack that would devastate U.S. financial markets.

Ben Lawsky, head of New York's Department of Financial Services (DFS), said he fears a large enough hack on Wall Street firms could "spill over into the broader economy" — not unlike the mortgage meltdown of 2008.

"We are concerned that within the next decade, or perhaps sooner, we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time," Lawsky said Wednesday in a speech at Columbia Law School.

He called such an attack a "cyber 9/11."

Lawsky said he is considering new rules to force banks and insurance companies regulated by DFS to better protect themselves against hackers.

DFS has regulatory oversight over dozens of N.Y. licensed banks and insurance companies, including Goldman Sachs, MetLife and Barclays. As head of DFS, Lawsky has power to punish banks for bad behavior and to impose new standards on their operations.

To help prevent a devastating hack, Lawsky said he wants to add cyber security to the grades DFS gives the banks and insurance companies it regulates. Financial firms "care deeply" about their grades because they can impact their ability to pay dividends or acquire other companies, Lawsky said.

DFS could also mandate multifactor authentication systems for employees of DFS-regulated financial firms. Single-step passwords "should have been dead and buried many years ago," Lawsky said.

Lawsky may also require banks and insurance companies licensed by DFS to get guarantees from third-party vendors that their security meets certain standards. Such vendors can often act as a "backdoor entrance for hackers," he said.

Lawsky's warning of a cyber attack on Wall Street follows a report last week warning of a band of international cyber crooks who have taken to infiltrating banks' internal systems instead of going after their customers. The report, by Moscow-based security firm Kaspersky Lab, said it found evidence that hackers have stolen up to $1 billion from 100 banks across 30 countries this way.

In his speech, Lawsky also touched on new rules he is considering to better protect against money laundering, including random audits for DFS-licensed banks to assess how well they flag suspicious transactions.

Lawsky said he might also start requiring bank executives to certify that their money transaction monitoring is up to snuff to better protect against terrorism and other crimes.

"Money is the oxygen feeding the fire that is terrorism," Lawsky said. "Without moving massive amounts of money around the globe, international terrorism cannot thrive."

Yet, Lawsky said his office has discovered that some banks don't take monitoring of financial transactions seriously.

Indeed, British bank Standard Chartered got into hot water recently after Lawsky accused it of turning a blind eye to money laundering. In August, the bank agreed to settle its dispute with DFS by forking over $300 million and cutting off dealings with certain customers that were flagged for their suspicious transactions.

Lawsky told the crowd at Columbia that DFS caught Standard Chartered by simply comparing the company's flagging of suspicious transactions with its own system for finding suspicious activity.

"We basically ran the company's transactions through our own filtering system and compared the results. This was a new approach," Lawsky said, noting that regulators typically rely on self-reporting by the firms they oversee.

"What regulators have not done is actively tested the effectiveness of the filtering systems banks are using. That needs to change," he said.