Wall Street watchdog to propose cyber rules in 2015

New York’s Wall Street watchdog is planning to propose new cybersecurity regulations for banks by the year's end, Reuters reported Monday.

The rules are intended to tighten banks’ security systems, which hackers have repeatedly infiltrated over the last year. In the most extreme case, a hack at JPMorgan Chase last fall exposed data from 76 million households.

Benjamin Lawsky, New York's financial services regulator, called the breaches “the one thing we find to be an existential threat right now,” during remarks at a Reuters event on Monday.

The updated set of cybersecurity guidelines would address cyber defense gaps the New York Department of Financial Services (NYDFS) identified in a recent survey of 40 banks cybersecurity procedures.

ADVERTISEMENT

The department found many financial firms did not require outside vendors to notify them of breaches, and many failed to properly inspect the system security of third-party partners.

Hackers take advantage of these oversights. The digital invaders that breached Target got into the company through an outside heating and air conditioning company, eventually pilfering millions of customers’ personal data.

The NYDFS regulations may try to address this issue by requiring financial firms to get warranties from outside companies guaranteeing certain cybersecurity measures are in place.

The updated rules could also force companies to use a multi-factor authentication system for employees and even customers accessing their systems.

Security experts note the majority of breaches today could be avoided by two-step logins, which require a password paired with another form of verification, like a personal question or a code sent to a mobile phone.

If banks run afoul of these rules “there would be pretty severe consequences,” said Lawsky, who has led the regulatory push for heightened cyber regulations on the financial industry.

But they might not publicize the failure, he added.

“I think we have to think hard about telling the world that a particular bank is vulnerable to a cyberattack,” Lawsky said.