New York warns on AI cybersecurity risks for financial firms
- In 2017, New York's Department of Financial Services established mandatory cybersecurity regulations for financial institutions, addressing evolving digital threats.
- Recent guidelines issued in October 2024 provide strategies for tackling cybersecurity risks brought on by artificial intelligence, highlighting four primary areas of concern.
- The guidelines emphasize the need for companies to employ multiple layers of security measures to safeguard against increasingly sophisticated cyberattacks.
In an effort to combat the growing cybersecurity threats driven by artificial intelligence, the New York Department of Financial Services released a set of guidelines in October 2024. Building on its pioneering role in 2017, when it mandated cybersecurity regulations for financial institutions, the department has taken further steps to address contemporary issues related to AI. These guidelines are designed to help banks, insurance companies, and financial service entities understand and navigate their existing regulatory obligations while accommodating the challenges posed by AI technologies.

The guidelines identify four key areas where AI heightens cybersecurity risks. Firstly, social engineering tactics have evolved, making it easier for cybercriminals to craft convincing phishing communications. Secondly, AI has enabled the development of sophisticated malware, expanding the capabilities of less skilled cybercriminals to execute complex attacks. Thirdly, sensitive nonpublic information, including biometric data, poses a significant threat if exploited by criminals. Lastly, supply chain dependencies present additional risks, as attackers target software developers to infiltrate organizations indirectly.

While the new guidelines do not impose specific requirements, they underscore the necessity for financial institutions to bolster their defenses by incorporating overlapping security controls. The department's recognition that AI could serve as both a weapon and a defense mechanism marks a crucial shift in cybersecurity protocol, acknowledging the dual role the technology plays in modern digital threats.