The New York Department of Financial Services (“NYDFS”) recently published guidance on managing cyber risks related to AI for the financial services and insurance industry. Though the circular letter does not introduce any per se “new” obligations, the guidance speaks to the Agency’s expectations for addressing AI within its existing cybersecurity regulations.
The letter identifies specific AI-related cybersecurity threats, such as AI-enabled social engineering. AI may also enhance typical cybersecurity attacks by amplifying the potency, scale, and speed of an attack. The letter also notes that AI modules may leverage large volumes of non-public information and become a target of an attack. Additionally, reliance on third party providers and vendors for AI-tools introduces supply chain vulnerabilities.
To mitigate these risks, NYDFS advises regulated companies to consider the specific risks related to AI when conducting comprehensive risk assessments. These assessments should consider not only the organization’s own use of AI, but also any AI technologies used by a third party service provider. Based on findings of the risk assessments, policies, procedures, and incident response plans may need to be updated to sufficiently address these AI-related risks. NYDFS also highlights the need for cybersecurity training for all personnel (including senior executives) that includes awareness around AI-related threats and response strategies.
Putting it into practice: This latest thinking from NYDFS adds to the growing patchwork of regulatory guidance about specific considerations related to AI (here, the cybersecurity risks). Other guidance has largely focused on other types of harm from AI such as bias and discrimination. It also serves as a reminder for companies that might not use AI themselves to be aware of the potential risks of engaging third parties who do and implement proper mitigating measures.
