Banks could be required to beef up their online password systems under new regulations designed to avert a so-called "cyber 9/11," a top financial regulator said Wednesday.
Benjamin Lawsky, who leads New York state's Department of Financial Services, said more steps were needed to prevent what he called an "Armageddon-type cyber event" that disables the financial system.
The current password system for online accounts is "very vulnerable," said the regulator, who rose to prominence with big financial settlements negotiated with the US against BNP Paribas and other financial heavyweights.
"I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us to shudder," he said.
"Indeed, we are concerned that within the next decade or perhaps sooner we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time -- what some have termed a 'cyber 9/11.'"
Lawsky said such an event could create "a run or panic that spills over into the broader economy."
He said the department is considering mandating banks and other financial institutions to establish a "multifactor authentication" system whereby users would log in with a randomly generated password sent to a smartphone in addition to a conventional password.
The agency is weighing whether such new password requirements would fall on bank employees or consumers who do online banking, a Lawsky spokesman said.
Other proposals under consideration include rating banks and insurers on their cybersecurity as part of regular oversight of the banks used to determine if banks can pay dividends or make acquisitions.
Lawsky is also considering forcing financial institutions to require certifications of cybersecurity controls from third parties working in a bank, such as a law firm or a company brought in to do maintenance.
Cybersecurity was spotlighted at a summit two weeks ago in California at which President Barack Obama, Apple chief executive Tim Cook and others called for closer collaboration between government and the private sector to hold hackers at bay.
The biggest hacking episode on a bank came last year when contact details were taken for some 76 million households and seven million businesses in an attack on JPMorgan Chase.
However, JPMorgan said there was no evidence that critical account information such as account numbers, user identities or social security numbers were stolen by the hackers.
While the Treasury and Federal Reserve are main US bank regulators, New York is important because it is home to many large banks. Lawsky's office has the authority to revoke the charters of banks and insurance companies operating in the state.