New York Department of Financial Services Guidance on Cybersecurity Risks Associated with Artificial Intelligence | Saul Ewing LLP
On October 16, 2024, the New York Department of Financial Services (“NYDFS”) published guidance and strategies (“Guidance”) regarding cybersecurity risks that arise from advances in artificial intelligence (“AI”). While AI technology has had a positive impact on businesses in many ways, it has also opened up many opportunities for cybercriminals to penetrate secure information systems containing non-public information (“NPI”). Although the Guidance does not impose any new requirements beyond those contained in the NYDFS Cybersecurity Rules codified at 23 NYCRR Part 500 (the “Cybersecurity Rules”), its purpose is to explain how Covered Entities(1) must use the framework set out in the Cybersecurity Rules to assess and mitigate cyber risks associated with AI.

What you need to know:

  • The New York Department of Financial Services recently released guidance regarding cybersecurity risks posed by the use of artificial intelligence.
  • While the Guidance does not impose any new requirements, it focuses on four risks associated with AI, including the use of AI to manipulate people or gain unauthorized access to proprietary data.
  • Companies developing and using AI must pay particular attention to potential cybersecurity vulnerabilities arising from the use of AI systems within their organization by external attackers and contractors with access to their data.

The Guidance focuses on four main risks associated with the use of AI:

  1. AI-enabled social engineering is one of the most serious threats to Covered Entities, as AI can be used to target individuals in an attempt to lure or persuade them to disclose NPI or take actions they are otherwise not authorized to take, such as wire transfers to fraudulent accounts;
  2. AI-enhanced cybersecurity attacks allow attackers to accelerate and carry out cyberattacks on a much larger scale, given the ability of AI to quickly scan and analyze large volumes of information and identify security vulnerabilities. These AI technologies give inexperienced attackers a tool to launch calculated attacks, increasing their frequency and severity;
  3. Exposure or theft of large volumes of NPI arises from the large-scale collection and storage of NPI, including biometric data (e.g., facial and fingerprint recognition), which places greater importance on securing data collection systems. Attackers are able to use stolen biometrics to impersonate authorized users, bypass multi-factor authentication (“MFA”), gain access to NPI, and mount AI-enabled social engineering attacks against others; and
  4. Increased vulnerability due to third parties, vendors, or other dependencies in the supply chain presents challenges that extend beyond the internal cybersecurity measures of Covered Entities, as security vulnerabilities in the supply chain can be exploited, potentially compromising the Covered Entity’s NPI and opening the door to larger cyberattacks across the organization’s network and business chain.

It goes without saying that Covered Entities must consider the risks associated with AI in their own design, development, and use of AI, in the AI technologies used by third-party service providers and vendors with access to their data, and in the vulnerabilities created by AI applications, especially public platforms such as ChatGPT. As part of the cybersecurity program required by the Cybersecurity Rules, and as part of any required risk assessment, Covered Entities must evaluate whether the cyber risks associated with AI require updates to cybersecurity, privacy, and data management policies, including incident response and business continuity plans. Additionally, it is important to maintain strong contracts with third-party service providers and vendors that address unauthorized access to NPI, including cooperation obligations and broad indemnification provisions.

In accordance with the Cybersecurity Rules, a Covered Entity’s cybersecurity policy must require access controls, such as encryption technologies and MFA, so that authorized users must properly authenticate their identity. Additionally, internal training and awareness remain key parts of a robust cybersecurity program, and employee training should include guidelines for monitoring new security vulnerabilities that may arise from authorized user activity, as well as effective data management practices. From November 1, 2025, under the Cybersecurity Rules, Covered Entities will be required to maintain and update data inventories, as these are critical to assessing potential risks and ensuring compliance with data protection regulations.

AI technologies continue to be adopted both within organizations and by threat actors. The availability and rapid development of AI tools that can be used to exploit cybersecurity vulnerabilities makes the problems associated with this technology difficult to solve. Covered Entities should be proactive in assessing the risks associated with the use of AI, both internally and externally, and should develop the policies, procedures, and mitigation strategies set forth in the Guidance to protect the Covered Entity’s information systems and NPI and to mitigate serious disruptions to its business.

For more information about 23 NYCRR Part 500 and AI-related services, please see our previous alerts: Proposed Amendments to New York State Cybersecurity Rules and What Non-IT Lawyers Need to Know About IT and AI Services Contracts.


(1) A covered entity is defined in 23 NYCRR § 500.1(e) as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, regardless of whether the entity in question is also regulated by other government agencies.”