State Regulatory Developments

NY DFS Issues Guidance on Strategies to Combat AI Risks

The New York Department of Financial Services (DFS) recently issued guidance on cybersecurity risks arising from artificial intelligence (AI) and provided strategies for combating those risks. In addition to describing cybersecurity risks related to the use of AI, including in the areas of AI-enabled social engineering, AI-enhanced cybersecurity attacks, the collection and processing of nonpublic information (NPI), and third parties and vendors, the guidance set out a number of practices in which covered entities should engage.

Specifically, the guidance stated that a covered entity's risk assessment must consider the cybersecurity risks the entity faces, including deepfakes and other threats posed by AI, in order to determine which defensive measures to implement. The guidance also provided that incident response, business continuity, and disaster recovery plans should be reasonably designed to address all types of cybersecurity events and other disruptions, including those relating to AI.

In addition, the guidance stated that covered entities should consider using authentication factors that (i) can withstand AI-manipulated deepfakes and other AI-enhanced attacks, by avoiding authentication via SMS text, voice, or video and instead using forms of authentication that AI deepfakes cannot impersonate, such as digital certificates and physical security keys; and (ii) employ technology with liveness detection or texture analysis to verify that a fingerprint or other biometric factor comes from a live person.

As for training, the guidance provided that training should ensure all personnel are aware of the risks posed by AI, the procedures the organization has adopted to mitigate AI-related risks, and how to respond to AI-enhanced social engineering attacks. Training should also cover what personnel should do when they receive unusual requests, such as a request for credentials, an urgent money transfer, or access to NPI. Moreover, according to the guidance, the training required for cybersecurity personnel specifically should address how threat actors are using AI in social engineering attacks, how AI is being used to facilitate and enhance existing types of cyberattacks, and how AI can be used to improve cybersecurity.