Our Take: financial services regulatory update – October 18, 2024

Change remains a constant in financial services regulation. Read "our take" on the latest developments and what they mean.

Current topics – October 18, 2024

1. NYDFS issues AI cybersecurity guidance

  • What happened? On October 16th, the New York Department of Financial Services (NYDFS) issued an industry letter outlining guidance to assist regulated entities in addressing and combating cybersecurity risks related to artificial intelligence (AI).
  • What does the guidance say? The guidance describes how AI can heighten cybersecurity risks, including by automating attacks, increasing their sophistication and severity, and making them harder to detect and mitigate. Specifically, it highlights the use of AI in social engineering attacks, such as deepfakes, to convincingly deceive employees into divulging sensitive information. It also describes risks arising from institutions’ own use of AI, such as reliance on third-party service providers for AI tools (introducing supply chain vulnerabilities) and the vast amounts of data required for AI systems (increasing the risk of breaches). The guidance then outlines several controls and measures institutions can take to mitigate AI-related cybersecurity risks:
    • Risk assessments and risk-based programs, policies, procedures, and plans: It describes how AI-related risks should be incorporated into actions that are required by existing NYDFS regulations, such as maintaining cybersecurity programs; conducting risk assessments at least annually and in response to material changes; developing and maintaining incident response, business continuity, and disaster recovery plans; and having sufficient understanding and oversight of cybersecurity risk management by the senior governing body.
    • Third-party service provider and vendor management: The guidance recommends that institutions require third parties to provide timely notification of any cybersecurity event impacting information systems or nonpublic information (NPI) and that contractual agreements incorporate additional representations and warranties related to the secure use of NPI by third parties using AI.
    • Access controls: It notes existing requirements for institutions to implement multi-factor authentication (MFA) for all authorized users accessing information systems or NPI by November 2025. It suggests that they implement authentication factors that can withstand deepfakes and AI-enhanced social engineering attacks, such as digital-based certificates, physical security keys, and liveness detection or texture analysis for biometric authentication.
    • Cybersecurity training: Regarding existing requirements to provide at least annual cybersecurity training including social engineering, the guidance notes that personnel using AI or working with third parties that use AI should be trained on how to secure and defend AI systems from attacks.
    • Monitoring: The guidance recommends that entities consider monitoring for unusual AI queries that might indicate attempts to extract NPI and block employee AI queries that could expose NPI.
    • Data management: It notes the requirement for institutions to maintain and update data inventories by November 2025, further recommending that they identify all information systems that use or rely on AI.
    • AI-enabled cybersecurity: The guidance concludes by recommending that institutions consider the benefits of integrating AI into cybersecurity programs, including to review security logs and alerts, detect anomalies and vulnerabilities, predict threats, and expedite responses and recovery plans.
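The monitoring control above (watching for unusual AI queries that may signal NPI extraction, and blocking employee queries that would expose NPI) can be illustrated with a small prompt gate that sits between employees and an AI tool. This is an added example, not code from NYDFS or the guidance; the NPI regexes, the extraction-phrasing heuristic, and the per-user volume threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
# Assumed NPI patterns for illustration; a real deployment would load the
# institution's own data-classification rules instead of these three regexes.
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "account": re.compile(r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{8,12}\b", re.I),
}
# Phrasing that suggests a bulk pull of customer data (assumed heuristic).
EXTRACTION_HINTS = re.compile(r"\b(list|dump|export|all)\b.*\b(customers?|clients?|accounts?)\b", re.I)
VOLUME_LIMIT = 20  # queries per user per review window (assumed threshold)

@dataclass
class Verdict:
    action: str                          # "allow", "flag" or "block"
    reasons: list = field(default_factory=list)

class PromptGate:
    """Inspects employee prompts to an AI tool before they leave the institution."""
    def __init__(self, volume_limit=VOLUME_LIMIT):
        self.volume_limit = volume_limit
        self.counts = defaultdict(int)   # per-user query count in the window

    def check(self, user: str, prompt: str) -> Verdict:
        self.counts[user] += 1
        # Hard block: the prompt itself carries NPI that would be exposed to the tool.
        hits = [f"npi:{name}" for name, pat in NPI_PATTERNS.items() if pat.search(prompt)]
        if hits:
            return Verdict("block", hits)
        # Soft signals: extraction-style phrasing or unusual volume, surfaced for review.
        reasons = []
        if EXTRACTION_HINTS.search(prompt):
            reasons.append("extraction_phrasing")
        if self.counts[user] > self.volume_limit:
            reasons.append("volume")
        return Verdict("flag" if reasons else "allow", reasons)

# Constructed sample prompts, not real traffic.
SAMPLE = [
    ("alice", "Summarize the attached vendor risk policy"),
    ("bob", "Draft a reply to the customer with SSN 123-45-6789 about the fee dispute"),
    ("carol", "List all customers with overdue accounts and their balances"),
]

def run_samples(gate=None) -> dict:
    """Returns {user: action} for the constructed samples."""
    gate = gate or PromptGate()
    return {user: gate.check(user, prompt).action for user, prompt in SAMPLE}
```

Blocked prompts never reach the AI tool, while flagged ones are allowed through but logged for analyst review, which keeps the control from becoming a blanket ban on AI use.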

Our take

Considering the cybersecurity implications of AI is easier said than done. By largely restating existing requirements, the guidance signals that responding to AI-enhanced threats or securing AI systems does not mean reinventing the wheel; it is a matter of ensuring that a comprehensive cybersecurity program evolves alongside changing technologies. However, NYDFS provides little detail on how financial institutions should incorporate AI considerations into their cybersecurity programs. For example, while the guidance offers high-level examples of AI-enhanced cyber attacks, financial institutions will need to research and review the latest capabilities of malicious actors to determine how they can detect, assess and respond to increasingly sophisticated threats. Cybersecurity teams and senior governing bodies will also need to thoroughly understand their own institutions’ use of AI, whether it is internally developed, provided by a third party, or used by employees through publicly available tools. The NYDFS guidance is a useful starting point for identifying the aspects of cybersecurity programs that should be updated to account for AI, but planning and implementing those updates will take real effort.

2. On our radar

These notable developments hit our radar recently:

Industry group sues over CFPB BNPL rule. On October 18th, the Financial Technology Association sued the CFPB over its May 2024 interpretative rule classifying Buy Now, Pay Later (BNPL) lenders as credit card providers under Regulation Z, which requires them to provide consumers with certain rights including a right to dispute charges and demand a refund from the lender after returning a product purchased with BNPL. The lawsuit argues that the CFPB did not follow Administrative Procedures Act requirements to provide a notice and comment period.

FDIC provides update on deposit insurance fund restoration plan and delays advertising compliance. On October 17th, the FDIC released its semi-annual update on the Deposit Insurance Fund (DIF) Restoration Plan. The DIF reserve ratio increased from 1.15% as of December 31st, 2024, to 1.21% as of June 30th, 2024 and FDIC staff projects that the reserve ratio remains on track to reach the statutory minimum of 1.35% ahead of the statutory deadline of September 30th, 2028. The FDIC also announced a delay of the compliance date for certain amendments to the Official Sign and Advertising Rule from January 1st, 2025, to May 1st, 2025.

FSOC meets. On October 18th, the Financial Stability Oversight Council (FSOC) met in executive session to discuss banking and commercial real estate developments, short-term investment vehicles, Federal Housing Finance Agency proposals related to the Federal Home Loan Banks, and private credit.

NY Fed official speaks on Treasury clearing. On October 15th, the head of the Federal Reserve Bank of New York’s Markets Group, Michelle Neal, spoke on central clearing in the U.S. Treasury market. She covered the impacts and implementation of the SEC’s expanded central Treasury clearing rule, including updates to access models and margin practices. For more, see Our take on how market participants can begin to prepare for the significant changes required by expanded central Treasury clearing.
