New York Department of Financial Services issued new guidance to assist in addressing cybersecurity risks arising from AI
On October 16, 2024, the New York State Department of Financial Services (NYDFS) issued new guidance to NYDFS-regulated entities (Covered Entities) on cybersecurity risks arising from artificial intelligence (AI).
The guidance does not create any new compliance requirements. Instead, it explains how Covered Entities should apply the existing framework in NYDFS's Cybersecurity Regulation, 23 NYCRR Part 500, to risks arising from AI. It highlights two categories of threat that cybersecurity experts consider most concerning: risks caused by threat actors' use of AI, and risks caused by a Covered Entity's own use of, or reliance on, AI.
On the first category, the guidance highlights AI-enabled social engineering and AI-enhanced cyber-attacks. NYDFS notes that threat actors are increasingly using AI to create highly personalized and sophisticated content that is far more convincing than historical social engineering attempts. In particular, realistic and interactive deepfakes of audio, video, and text allow attackers to impersonate trusted individuals and target specific people within an organization. The typical outcomes are the wiring of substantial funds to fraudulent accounts, the disclosure of sensitive information, and the sharing of credentials, which in turn leads to unauthorized access to Information Systems containing Nonpublic Information. Threat actors can also use AI to scan and analyze vast amounts of information quickly in order to identify and exploit security vulnerabilities, allowing them to compromise more Information Systems at a faster rate and to develop and deploy malware more efficiently.
On the second category, the guidance discusses how a Covered Entity's own use of AI often requires vast amounts of data, including sensitive Nonpublic Information and biometric data. This makes entities that use AI more attractive targets for threat actors seeking to exploit the data-rich environments such organizations create. In addition, the process of gathering that data frequently involves working with vendors and Third-Party Service Providers (TPSPs), which increases the risk of supply-chain attacks. The guidance stresses that any TPSP, vendor, or supplier that suffers a cybersecurity incident could expose a Covered Entity's Nonpublic Information and become a gateway for broader attacks on that entity's network, and on every other entity in the supply chain.
The guidance reminds Covered Entities that they are already obligated under Part 500 to assess and address their cybersecurity risks, including those arising from AI, and to deploy multiple layers of security controls with overlapping protections, so that if one control fails, others remain in place to counter an attack.
While these risks are significant, the NYDFS guidance also offers strategies to help Covered Entities manage them effectively within the existing Part 500 framework. Below are some of the key measures the guidance indicates Covered Entities should consider:
- Regular cybersecurity risk assessments, which are already mandatory under Part 500. These assessments should specifically consider AI-related threats, the Covered Entity's own use of AI, and due diligence on TPSPs and their use of AI, so that potential vulnerabilities are identified and addressed.
- Multifactor authentication for all authorized users accessing Information Systems, with priority given to MFA methods that AI cannot easily defeat. The guidance cautions against authentication that relies on SMS text, voice, or video, which deepfakes can imitate, and points instead to factors such as digital certificates and physical security keys.
- Regular and comprehensive cybersecurity training for all personnel, including training on how to recognize AI-enabled social engineering and deepfakes, together with sound data management practices such as minimizing the Nonpublic Information collected and retained.
- Identification of all Information Systems that use or rely on AI, including, where applicable, Information Systems that maintain, or depend on, AI-enabled products and services.
- Maintenance of an inventory of those AI-dependent systems, with mitigations implemented first for the systems that are critical to ongoing business operations.
If you have questions about your company's compliance with cybersecurity regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.