On Oct. 16, NYDFS issued industry letter on cyber risks from AI use.
NYDFS issued new guidance to address cybersecurity risks from artificial intelligence.
Help identify cybersecurity risks associated with use of AI, controls to mitigate risks.
Guidance takes risk-based approach to help better understand, assess, mitigate AI-specific cybersecurity risks, including social engineering, nonpublic information theft.
Specific Cyber-Related AI Threats
AI-enabled social engineering as one of most significant threats to financial sector.
AI improved ability of threat actors to create highly personalized and more sophisticated content more convincing than historical social engineering attempts.
Use AI to create realistic and interactive audio, video, text (deepfakes) that allow them to target specific individuals via email (phishing), telephone (vishing), text (SMiShing).
Often attempt convince employees to divulge sensitive information about themselves, employers; gain access to information systems with nonpublic information (NPI).
Led to employees taking unauthorized actions, e.g. wiring funds to fraudulent account.
Another major risk with AI is ability of threat actors to amplify potency, scale, speed of existing cyberattacks; AI can scan, analyze vast amounts of information much faster.
AI can accelerate the development of new malware variants and change ransomware to enable it to bypass defensive security controls, thereby evading detection.
Maintaining NPI in large quantities poses additional risks for those that develop, deploy AI as need protect substantially more data; threat actors target entities to extract NPI.
Some AI requires storage of biometric data; use stolen biometric data to imitate authorized users, bypass multi-factor authentication (MFA), gain access to systems.
Supply chain vulnerabilities another critical area for those using AI or product uses AI; gathering data involves working with vendors third-party service providers (TPSPs).
Each link in supply chain introduces potential security vulnerabilities to be exploited.
TPSP, vendor, supplier, if compromised by cybersecurity incident, could expose entity’s NPI, gateway for broader attacks on network, and all other entities in the supply chain.
Controls and Measures that Mitigate AI-related Threats
Cybersecurity Regulation requires covered entities to maintain cybersecurity programs, policies, and procedures that are based on cybersecurity Risk Assessments.
Take into account cybersecurity risks, including deepfakes, other threats posed by AI.
When design, address AI-related risks in use of AI, AI technologies by TPSPs, vendors.
As well as potential vulnerabilities stemming from AI applications that pose risk to the confidentiality, integrity, and availability of covered entity’s information systems, NPI.
Risk Assessments must be updated at least annually and if any material change occurs to ensure new risks, including by AI, are assessed, identified risks warrant updates.
Must have test plans with proactive measures to investigate, mitigate cyber events, operational resilience, including incident response, BCS, disaster recovery plans (DRP).
Senior leadership crucial role in prioritizing cybersecurity, integrates into overall business strategy; sufficient understanding of cyber-related matters (including AI).
Maintain TPSP policies and procedures that include guidelines for conducting due diligence before uses a TPSP that will access its information systems and/or NPI.
Require TPSPs provide timely notification of any cybersecurity event that directly impacts covered entity’s information systems or NPI held by TPSP, including from AI.
Implement robust access controls to combat threat of deepfakes, AI-enhanced social engineering, prevent unauthorized access to info systems, NPI; most effective is MFA.
Provide training for all personnel, including senior executives, senior governing body.
Must have process identify new security vulnerabilities promptly so remediate quickly.
Effective data management limit NPI at risk of exposure if access information systems.