NYDFS Publishes Guidance on AI-Related Cyber Risk

What happened?  

On October 16, 2024, the New York State Department of Financial Services (“NYDFS”) published an industry letter (the “Guidance”) discussing the increasing reliance on artificial intelligence (“AI”) and the cyber risks associated with it. This is one of the most detailed state laws regarding cybersecurity.

Within the Guidance, the NYDFS lists multiple risks arising from both legitimate and malicious uses of AI. The Guidance also includes recommended controls and measures for mitigating these risks.

Risks Related to Malicious and Legitimate Uses of AI 

  • AI-Enabled Social Engineering
    • AI has given threat actors the ability to craft personalized and more sophisticated lures that are potentially more convincing than past social engineering attempts.
    • For example, threat actors continue to use AI to create realistic audio, video, and text (“deepfakes”) that can be aimed at specific individuals.
  • AI-Enhanced Cybersecurity Attacks
    • AI has also given threat actors the ability to increase the potency, scale, and speed of existing types of cyberattacks.
    • AI can be used to identify and exploit vulnerabilities more quickly and efficiently.
  • Exposure or Theft of Large Amounts of NPI
    • AI platforms typically use and process large amounts of data, including nonpublic information (“NPI”).
    • This makes these platforms a more attractive target for threat actors and requires organizations to develop additional safeguards for that information.
  • More Vulnerabilities Due to Third-Party, Vendor, and Other Supply Chain Dependencies
    • AI platforms may also rely on vendors and Third-Party Service Providers when gathering, processing, and maintaining large amounts of data.
    • Each additional link in the supply chain adds another potential point of compromise that threat actors may exploit.

Controls & Measures to Help Combat AI-Related Risks 

  • Risk Assessments and Risk-Based Programs, Policies, Procedures, & Plans 
  • Third-Party Service Provider & Vendor Management 
  • Access Controls 
  • Cybersecurity Training  
  • Monitoring  
  • Data Management 

What does this mean for me?  

The Guidance highlights the interrelationship between cybersecurity and AI. The increased use of AI can provide substantial cybersecurity benefits; however, it also presents risks that organizations must take action to mitigate.

Additionally, entities regulated by the NYDFS should review NYDFS’s cybersecurity regulation, codified at 23 NYCRR Part 500 (the “Cybersecurity Regulation”), to ensure their cybersecurity programs and controls account for AI-related cybersecurity risks. A covered entity is defined in 23 NYCRR Part 500.1(f) as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” In particular, covered entities should ensure they have a plan to meet upcoming deadlines under the Cybersecurity Regulation (implementing MFA broadly and maintaining a comprehensive data inventory are required by November 1, 2025).

While New York’s law is very detailed regarding cybersecurity, New York is not the only state to implement specific cybersecurity-related regulations. Illinois passed a law to address AI in the workplace on September 17, 2024. Be sure to remain up to date on all applicable regulations, including state regulations, as these may be more intricate than federal regulations and laws and may impose varying requirements. Firms should be proactive to ensure they remain current with regulatory expectations, best practices, and quickly evolving technology. If you have any questions about AI or related issues, let us know, and one of our regulatory experts will contact you soon.