“I don’t cast aspersions on any institutions because the cyberthreat has evolved so quickly,” Mr. Lawsky said in an interview discussing the survey results. “Things are in a great state of flux in terms of the institutions and for regulators, too, but all of these things need to be tightened up in a very serious way.”

Mr. Lawsky’s office is working on proposals and guidelines for banks and other financial institutions, in particular the security of outside vendors. One recommendation could be that financial firms, as part of the contracting process, obtain guarantees from vendors about the quality of their security.

Over the last year, financial regulators nationwide have increasingly focused on steps taken by banks and financial firms to not only safeguard their own networks, but to ensure the outside firms they use are adequately protected as well. The concern about the security of outside vendors comes in the wake of big intrusions at Target and Home Depot that took place in part because the hackers used logon credentials that were apparently stolen from an outside vendor.

One particular area of concern on Wall Street is the security of large law firms, which not only do regulatory work for banks but also advise on corporate transactions. This year, a cybersecurity team at Citigroup issued an internal report that said law firms were a logical target for hackers because they are rich repositories for confidential data. The report also cautioned bank employees that digital security at many law firms, despite improvements, generally remains below the standards of other industries.

For some time now, Mr. Lawsky has called on banks and other financial institutions to improve their security measures. He said Wall Street and other financial services firms did appear to be paying more heed to the threat posed by hackers, especially after a breach last summer at JPMorgan Chase that resulted in hackers gaining access to email addresses and phone numbers of 83 million households and small businesses. Mr. Lawsky said the apparent theft of customer information at the health insurer Anthem in February had similarly heightened awareness of the importance of data security in the insurance industry.