Banks chartered in New York could soon be required to appoint chief information security officers and submit to quarterly tests of their systems' vulnerabilities under a cybersecurity regime being considered by state regulator Benjamin Lawsky.
Those strict requirements appear in the Department of Financial Services' sweeping, controversial proposal for regulating virtual currency businesses. Lawsky said this week he is thinking of using the cybersecurity provisions of the so-called BitLicense framework as a model for banks and insurance companies on his watch. Those rules would be far more stringent than any existing data-security regulations for financial institutions.
"They read like a consent decree for a company that has already been breached, investigated and found to be lacking in security measures," said Jason Weinstein, a partner at Steptoe & Johnson and a former cybercrime prosecutor for the Department of Justice.
Speaking at Benjamin N. Cardozo School of Law in Manhattan Tuesday, Lawsky, the department's superintendent, addressed several criticisms of the BitLicense proposal, which his department released for public comment in July. One such criticism is that the rules would hold digital money startups to much higher standards than those applied to incumbent financial institutions.
Instead, Lawsky may raise the bar for banks, too.
"To the extent that there are some specific areas of the regulation that are somewhat stronger for virtual currency firms than those for other financial institutions such as our cybersecurity rules that is primarily because we are actually considering using them as models for our regulated banks and insurance companies," Lawsky said in his prepared remarks.
Noting the recent breach at JPMorgan Chase, which the bank says exposed the information of 76 million households and seven million small businesses, Lawsky hinted his department could have a new cybersecurity regime for banks in the works.
"Cybersecurity is one of the most important issues the Department of Financial Services will face as a regulator in the months and years ahead across the entire financial system," he said. "And you will be hearing a lot more from our agency about this in the near future."
A spokesman for Lawsky did not respond to questions about the proposed cybersecurity rules.
The BitLicense standards include a requirement that firms implement a cybersecurity program designed to identify possible threats, detect breaches, and recover from attacks. They would require quarterly tests of the vulnerability of companies' systems and annual "penetration tests," which simulate an external attack.
The proposal would also require licensed companies to designate a "chief data security officer" who would be responsible for implementing this security program. The department would conduct examinations of security measures "whenever the superintendent deems necessary," but at least every two years, the proposed requirements state.
The main federal statute on cybersecurity is in the Gramm-Leach-Bliley Act of 1999, which requires banks to institute and test an information-security plan, but doesn't specify the security measures like Lawsky's proposed rules do.
"The BitLicense cybersecurity regulations are at least as restrictive as the existing regulations governing traditional financial institutions in New York or any other state," Weinstein said.
Under Lawsky, New York has been a leader in the regulatory push for tighter cybersecurity rules. His department announced in May that it would begin cybersecurity exams for the companies it supervises, which include state-chartered banks and credit unions and foreign banks with headquarters in New York.
Since then, massive breaches have made data security a higher priority for federal regulators. Aside from the JPMorgan hack, breaches at major retailers including Home Depot have hurt confidence in the payments system and spurred regulators to act.
As a result, cyber threats are quickly rising to the top of banking regulators' agenda. The Federal Financial Institutions Examination Council this year began a pilot program of cybersecurity assessments as part of its regular bank exams. Federal Deposit Insurance Corp. head Martin Gruenberg said last month that federal banking regulators were working to assess the readiness of banks and regulators to deal with cyberattacks, and a regulatory working group is developing a framework for bank cybersecurity exams.
And on Friday, President Obama signed an executive order directing the government to "lead by example in securing transactions and sensitive data," such as by upgrading federal payment cards and terminals to chip-and-PIN technology.
Michael Smith, the president of the New York Bankers Association, lauded Lawsky's commitment to cybersecurity, saying in a statement that Department of Financial Services has "been at the forefront in addressing and implementing best practices on cybersecurity."
Weinstein called Lawsky's cybersecurity proposals "sound advice," but said that "it seems odd that virtual currency regulations would be the driver for expanding this to traditional financial institutions."
Despite holding only state-level authority, Lawsky has established himself as one of the country's toughest financial regulators since taking his post three years ago. He has aggressively pursued payday lenders, debt collectors and bank consultants for violating New York law, and has called for harsher penalties for individual executives of large banks found to have committed misconduct.
Lawsky's aggressiveness has at times led to conflicts with other regulators. The fines his department levied against Standard Chartered and Tokyo Mitsubishi UFJ for anti-money-laundering lapses reportedly irked national regulators that have primary responsibility for enforcing AML rules.
His office's efforts to regulate digital currency have also been criticized by some as an overreach, and on Tuesday he sought to clarify his proposals and address some of the criticism. He emphasized that the July proposals were not final rules, and would be tweaked in response to public comments.
The department proposed the rules in response to the collapse of the Bitcoin exchange Mt. Gox this year, in which more than $400 million worth of the virtual currency disappeared. In addition to the cybersecurity provisions, the proposed framework includes requirements for complying with anti-money laundering rules, handling customer complaints and safeguarding customer accounts.
In his speech Tuesday, Lawsky said banks, no less than nonbanks, would have to be approved by his agency in order to provide virtual currency services, and would have to follow the proposed rules to do so. He also emphasized that companies that do not handle customer information, like software developers and investors, would not be required to hold virtual-currency licenses.
"The rules generally mirror the types of requirements that other banks, financial institutions and money managers have to live by with some alterations owing to the unique nature of virtual currencies," Lawsky said.
The goal is "to help ensure that a consumer's money does not just disappear into a black hole," Lawsky said Tuesday. The comment period on the proposed rules ends next week.