Impact of N.Y. Agency Head's DepartureSizing Up the Fate of Planned Cybersecurity Initiatives
Will the upcoming departure of Benjamin M. Lawsky, superintendent of the New York State Department of Financial Services, slow down recently announced plans for new cybersecurity initiatives?
On May 20, Lawsky said he was moving on, just a week after announcing plans to push for new cybersecurity regulations aimed at addressing third-party risks and beefing up user authentication (see N.Y. to Propose Cybersecurity Regulations).
"Lawsky set the tone for the office," she says. "The problem is that any successor is very likely to be less versant in cybersecurity issues, given that most regulators and policymakers are just beginning to understand what they need to do in this realm."
That's unfortunate, she contends, because many of Lawsky's proposals have helped to push New York banks to get ahead of looming cybersecurity issues.
Like Litan, Shirley Inscoe, a financial fraud analyst for consultancy Aite, says Lawsky's successor will need to focus on cybersecurity and financial fraud. But she says more emphasis needs to be placed on enhancing cybersecurity throughout the financial and payments infrastructure.
"All financial institutions should be more concerned about cybersecurity, and regulatory exams should focus on this issue, since it is one of the greatest threats against the U.S. economy," Inscoe says. "The problem is that retailers, merchants, universities, hospitals, governmental agencies and many others do not focus on adequate security, and settlements of massive data breaches are negligible."
Financial services regulators and politicians should not "expect financial services to provide all the protection needed in an environment where other parties are not investing appropriately," she contends. Placing all of the burden on the shoulders of the banking industry, she says, "is the equivalent to expecting a security guard to protect a building with both hands tied behind his back. Investments need to be made by all types of entities for adequate security to be achieved."
Lawsky has been at the helm of the New York State Department of Financial Services since its inception four years ago. Over the course of his career with the department, he has built a reputation for being critical of banks that have inadequate fraud prevention and weak cyber-risk mitigation practices.
While the state agency has not named Lawsky's successor, nor publicly said what Lawsky plans to do next, various media reports claim he plans to open a private legal and consulting practice. The agency did not respond to Information Security Media Group's request for comment about Lawsky's departure and candidates being considered for his replacement.
Earlier this month, Lawsky said he planned by the end of the year to propose new regulations for New York banks to address significant gaps in cybersecurity risks identified by the agency in April.
Lawsky said that the poor marks banks gave themselves earlier this year in a survey of cybersecurity practices conducted by his agency spurred the proposal for new regulations.
Two new cyber-related regulations were being considered, Lawsky said. One would be aimed at ensuring banks require vendors to provide warranties of cybersecurity protection in the event they are breached. The other would require banks to adopt multiple-step authentication processes for employees and customers that log into their systems.