
NYDFS Issues Guidance to Mitigate AI Cybersecurity Risks  

By Erik Dullea & Matti Mortimore on November 1, 2024

Keypoint: The New York Department of Financial Services (NYDFS) circulated an industry letter offering guidance to NYDFS “Covered Entities” for assessing and managing AI-related cybersecurity risks, including threats from malicious actors using AI and the risks associated with a Covered Entity’s own AI systems.

The NYDFS industry letter (“Letter”) recognizes that Covered Entities can leverage AI to enhance their cybersecurity posture. The department contends that doing so would bolster entities’ compliance with NYDFS cybersecurity regulation 23 NYCRR Part 500 (“Part 500”).

The Letter does not revise Part 500, but notes that integrating AI into cybersecurity frameworks can improve Covered Entities’ risk assessments, incident response strategies, and overall security action plans. However, the Letter warns that the deployment of AI systems requires careful evaluation of the risks to the business, and evaluation of the security controls used to manage those risks.

As a reminder to our readers, portions of the NYDFS amendments to Part 500 published in November 2023 take effect on November 1, 2024. These amendments introduce enhanced reporting requirements for Chief Information Security Officers, new responsibilities for senior governing bodies, mandatory encryption of all nonpublic information in transit, and updated incident response and disaster recovery plans. The amendments also introduce new exemption categories targeting small businesses. Covered Entities should review the guidance in the Letter while aligning their cybersecurity frameworks to the amended requirements. The Letter describes the following risks and mitigation strategies:

Cybersecurity Risks of AI

  1. AI-Enabled Social Engineering: AI has significantly improved the ability of threat actors to create personalized and convincing social engineering attacks. These include deepfakes—realistic audio, video, and text content that can deceive individuals into divulging sensitive information or taking unauthorized actions. These sophisticated attacks can lead to significant financial losses and damage to an organization’s reputation.
  2. AI-Enhanced Cybersecurity Attacks: AI enables threat actors to amplify the potency and speed of cyberattacks. By scanning and analyzing vast amounts of information quickly, AI can identify and exploit vulnerabilities, and/or find sensitive data in less time. This increased efficiency lowers the barrier of entry for less-skilled cybercriminals, potentially leading to a surge in cyberattacks. This is particularly dangerous to the financial services sector, where sensitive nonpublic information (“NPI”) is a prime target.
  3. Exposure or Theft of NPI: AI systems often require substantial data, including NPI, increasing the risk of data breaches. Additionally, the storage of biometric data poses further risks, as stolen biometric data can be used to bypass security measures.
  4. Supply Chain Vulnerabilities: AI-powered tools depend on vast amounts of data, often involving third-party service providers. Each link in this supply chain introduces potential vulnerabilities that can be exploited.

Strategies for Mitigating Cybersecurity Risks of AI

The Letter provides Covered Entities with guidance to understand and manage AI-enabled cybersecurity risks. This guidance emphasizes the importance of conducting thorough risk assessments and implementing robust cybersecurity programs, policies, and procedures based on these assessments. The guidance states that Part 500 requires Covered Entities to implement:

  1. Risk Assessments and Risk-Based Programs: Covered Entities must conduct regular risk assessments to identify and mitigate AI-related threats. These assessments should address the use of AI within the organization and by third-party service providers. Additionally, organizations should develop comprehensive incident response best practices, business continuity, and disaster recovery plans that account for such threats. The guidance underscores that senior leadership must prioritize cybersecurity and ensure that the organization’s cybersecurity strategy aligns with overall business objectives.
  2. Third-Party Service Provider Management: Covered Entities should maintain robust policies for third-party service providers as AI systems frequently depend on such external vendors and service providers. Covered Entities should conduct due diligence on these third parties to ensure their adherence to security standards and ensure they can protect against AI-related threats.
  3. Access Controls: Covered Entities need to implement multi-factor authentication and other access controls that can prevent unauthorized access to information systems. Given the risks posed by AI-manipulated deepfakes, organizations should additionally consider using authentication methods that are resilient to such attacks.
  4. Cybersecurity Training: Covered Entities must employ regular training for all personnel, including senior executives, to raise awareness of AI-related risks and prepare for potential attacks. Training should include simulated exercises to prepare employees for potential AI-driven social engineering attacks.
  5. Monitoring and Data Management: Covered Entities should integrate effective data management best practices such as data minimization and maintaining accurate data inventories, which can limit the impact of data breaches. Organizations must ensure the protection of AI systems and any data used for AI purposes.

Takeaway

While the mitigation strategies are guidance and aspirational, the Letter highlights the importance of proactive measures in AI cybersecurity. NYDFS has historically been at the forefront of cybersecurity regulations for the financial sector. In the absence of federal regulations (comprehensive or sector-specific), it is reasonable to assume that proactive state legislatures and agencies will fill that void.

Tags: AI
Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Matti Mortimore

Matti offers practical solutions to corporate matters. He practices from Fergus Falls, Minnesota as a member of our virtual office, The Link.

  • Posted in:
    Technology and AI
  • Blog:
    Byte Back
  • Organization:
    Husch Blackwell LLP