"We like to say that to some extent the failures to detect the 9/11 plot were a failure of imagination and communication," he said. "I'm worried about the same thing here—that an event will happen and we'll look back and say, 'How did we not do more?'"
Lawsky said he and other regulators are "spending a lot of time ... trying to come up with concrete action to take," but added that the costs to prevent such an attack are high and will have to be borne across the board—by companies, investors and taxpayers.
For instance, he said insurers should offer coverage against cybercrime on the condition that companies take strong security steps.
President Barack Obama made cybersecurity a top priority in his 2014 State of the Union speech and pinned total costs due to computer attacks at $1 trillion globally. A report the Center for Strategic and International Studies released over the summer put the cost at less than half that—$445 billion—but said the problem is huge and needs attention.
Lawsky said experts in the field who talk to company executives find two types: "People who have been hacked and don't know it, and people who've been hacked and know it."
"It only feels like a matter of time before we have something more problematic, more system and coordinated," he said.