Net Net: Promoting innovation and managing change
Net Net: Promoting innovation and managing change

NY regulator warns against looming cyber 9/11

Benjamin Lawsky, superintendent of the New York State Department of Financial Services, is shown in New York.
Jin Lee | Bloomberg | Getty Images

A top regulator in New York believes it's only a matter of time before terrorists strike a major cyber blow against the American financial system.

"I'm worried what we are going to have some major event in the cybersystem that is going to cause us all to shudder," Benjamin M. Lawsky, the superintendent of the New York State Department of Financial Services, said Monday at the Bloomberg Markets Most Influential Summit.

Asked if it would resemble, in computer system terms, a 9/11-like event, he said the damages would be along those lines.

What concerns US intelligence?

"We like to say that to some extent the failures to detect the 9/11 plot were a failure of imagination and communication," he said. "I'm worried about the same thing here—that an event will happen and we'll look back and say, 'How did we not do more?'"

Read MoreEnemy within: The danger of 'insider hacking'

While Lawsky said he and other regulators are "spending a lot of time ... trying to come up with concrete action to take," he said the costs to prevent such an attack are high and will have to be borne across the board—by companies, investors and taxpayers.

For instance, he said insurers should offer coverage against cybercrime on the condition that companies take strong security steps.

President Barack Obama made cybersecurity a top priority in his 2014 State of the Union speech and pinned total costs due to computer attacks at $1 trillion globally. A report the Center for Strategic and International Studies released over the summer put the cost at less than half that—$445 billion—but said the problem is huge and needs attention.

Read MoreRussia, Iraq tensions stoke cyber attack threat

Lawsky said experts in the field who talk to company executives find two types: "People who have been hacked and don't know it, and people who've been hacked and know it."

"It only feels like a matter of time before we have something more problematic, more system and coordinated," he said.