Security Experts:

Connect with us

Hi, what are you looking for?



Bank Regulator Eyes Tougher Rules to Fight Hacking

Banks could be required to beef up their online password systems under new regulations designed to avert a so-called “cyber 9/11,” a top financial regulator said Wednesday.

Banks could be required to beef up their online password systems under new regulations designed to avert a so-called “cyber 9/11,” a top financial regulator said Wednesday.

Benjamin Lawsky, who leads New York state’s Department of Financial Services, said more steps were needed to prevent what he called an “Armageddon-type cyber event” that disables the financial system.

The current password system for online accounts is “very vulnerable,” said the regulator, who rose to prominence with big financial settlements negotiated with the US against BNP Paribas and other financial heavyweights.

“I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us to shudder,” he said.

“Indeed, we are concerned that within the next decade or perhaps sooner we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time — what some have termed a ‘cyber 9/11.'”

Lawsky said such an event could create “a run or panic that spills over into the broader economy.”

He said the department is considering mandating banks and other financial institutions to establish a “multifactor authentication” system whereby users would log in with a randomly generated password sent to a smartphone in addition to a conventional password.

The agency is weighing whether such new password requirements would fall on bank employees or consumers who do online banking, a Lawsky spokesman said.

Other proposals under consideration include rating banks and insurers on their cybersecurity as part of regular oversight of the banks used to determine if banks can pay dividends or make acquisitions.

Lawsky is also considering forcing financial institutions to require certifications of cybersecurity controls from third parties working in a bank, such as a law firm or a company brought in to do maintenance.

Cybersecurity was spotlighted at a summit two weeks ago in California at which President Barack Obama, Apple chief executive Tim Cook and others called for closer collaboration between government and the private sector to hold hackers at bay.

The biggest hacking episode on a bank came last year when contact details were taken for some 76 million households and seven million businesses in an attack on JPMorgan Chase.

However, JPMorgan said there was no evidence that critical account information such as account numbers, user identities or social security numbers were stolen by the hackers.

While the Treasury and Federal Reserve are main US bank regulators, New York is important because it is home to many large banks. Lawsky’s office has the authority to revoke the charters of banks and insurance companies operating in the state.

Written By

AFP 2023

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.