Benjamin Lawsky, superintendent of the New York Department of Financial Services, outlined his case for a strong state regulatory presence at a speech he gave at Columbia School of Law today, and announced new areas of enforcement for the NYDFS.
Lawsky argued that states can maneuver in ways that the federal government doesn't have the time or focus to do. And in the current unstable security situation, both federal and state regulatory bodies are necessary to prevent an "Armageddon-type cyber event."
The wideranging speech covered Wall Street accountability after the financial crisis and the prevention of money laundering, but really lasered in on cyber security in the financial sector, and included three new enforcement areas for the NYDFS:
First, we are revamping our regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cyber security preparedness…
Second, we are considering steps to address the cyber security of third-party vendors, which is a significant vulnerability…As such, we are considering mandating that our financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place…That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy.
Third, I would like to discuss something called “multi-factor authentication.” Our Internet architecture has grown up over the years with a username and password system for verifying our identities. That has proven to be a very vulnerable system…In fact, we are currently considering regulations that would mandate the use of multi-factor authentication for our financial institutions. We would be the first financial regulator to take this step.
Other notable excerpts:
On states as the catalyst for change:
Indeed, state governments can often serve as incubators for new approaches to vexing policy problems.
States can experiment.
Try new things.
And if their ideas prove effective – and rise to the top of the crowded marketplace of ideas – those policy proposals may be adopted beyond their borders.
On holding individuals accountable:
And, in my opinion, if in any particular instance we cannot find someone, some person, to hold accountable, that just means we have stopped looking.
On the need for more regulation:
Ineffective regulation can sometimes be worse than no regulation at all since it breeds a false sense of security. And, as we saw during the financial crisis, it is everyday consumers and workers who usually end up paying the biggest price.
On the stakes of anti-money-laundering efforts:
Money is the oxygen feeding the fire that is terrorism. Without moving massive amounts of money around the globe, international terrorism cannot thrive.
And finally, on what keeps him up at night:
I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us to shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy.
Indeed, we are concerned that within the next decade (or perhaps sooner) we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a “cyber 9/11.”
Read the whole speech here.