Now that JPMorgan Chase has revealed that a cyberattack it sustained impacts the accounts of 76 million households and seven million businesses, a New York bank regulator has taken action to make sure the heads of financial institutions are aware of their responsibility in thwarting future attacks within the sector.
On Monday, Benjamin Lawsky, superintendent of New York's Department of Financial Services (NYDFS), told the Financial Times he planned to meet with the chief executives of regulated firms.
“The cyber threat has become urgent, one of the most important issues facing financial sector chief executives,” Lawksy told the Financial Times. “It's got to be at the chief executive level. It is not an IT problem. It is a bank problem,” he said.
In an SEC filing last Thursday, JPMorgan divulged that the previously reported breach exposed customer contact information, such as names, addresses, phone numbers and email addresses, linked to 76 million households and seven million small businesses. While initial reports said that at least four other financial firms had been targeted by the perpetrators, believed to be Russian state-sponsored attackers, The New York Times said Friday that the number of infiltrated institutions actually entailed nine other firms, citing sources close to the matter.
NYDFS head Lawsky reportedly said that the meeting with bank execs would not focus on just the JPMorgan hack, as the incident is just “one of many.”
“This is a chance to re-emphasize and remind everyone that this isn't just an issue that should be on a list of problems and things to worry about and work on,” Lawsky told FT, later explaining that the department was briefed on the JPMorgan breach last week.
In a Monday interview with SCMagazine.com, Richard Martinez, a partner at law firm Robins, Kaplan, Miller & Ciresi, who chairs the firm's cyber security and data privacy practice, spoke on the growing incidence of massive breaches and how it heightens expectations around enterprise security.
JPMorgan reassured customers last week that there was no evidence that customer account information was compromised in the breach – meaning data like account numbers, passwords and Social Security numbers did not appear to be accessed. The company also said that it had not seen “any unusual customer fraud related to this incident.”
“I think it remains to be seen in the JPMorgan incident if actual fraud or the selling of information has occurred [and] JPMorgan is saying there is no evidence of that,” Martinez noted.
Moving forward, however, Martinez expects to see plaintiffs' lawyers in breach lawsuits argue that businesses failed to adequately prepare for cyberattacks, despite continued breaches that indicated a rising threat, such as the one at JPMorgan, he said.
“One would expect to see arguments from plaintiffs' lawyers that the warning bells were going off – iceberg ahead of the Titantic – and [cybersecurity] steps weren't taken. I'm not saying that happened here, but you can definitely expect to see that. And it certainly strengthens the hand of plaintiffs' cases once they are brought,” Martinez said.