NY releases industry guidance on AI-related cybersecurity risks
The letter highlights some of the major cybersecurity threats discovered, including risks caused by bad actors using AI.
The New York Department of Financial Services (DFS) published an industry letter earlier this month directed to its regulated entities, including insurers. The letter explains how artificial intelligence (AI) increases cybersecurity risk for those entities and how they can mitigate that risk.
The letter groups the threats into two categories: risks created by threat actors using AI, and risks created by a regulated entity's own use of AI.
In the first category, the letter's lead example is AI-enabled social engineering: threat actors use AI to craft personalized lures, including realistic and interactive audio, video, and text deepfakes, aimed at specific individuals. A second is AI-enhanced cyberattacks, where AI lets criminals increase the scale and speed of existing attack techniques such as reconnaissance, malware development, and credential abuse. Third, the growing availability of AI products lowers the barrier to entry, so individuals who previously lacked the skills to mount an attack may now be able to do so.
In the second category, the letter points to exposure or theft of nonpublic information (NPI). AI products typically ingest and store large volumes of data, which can include NPI and even biometric data, and every copy of that data is an additional target. A related risk is supply-chain vulnerability: if a vendor, supplier, or third-party service provider (TPSP) that develops, hosts, or supplies data to an AI product is compromised, the organization that depends on it can be compromised as well.
DFS's Cybersecurity Regulation (23 NYCRR Part 500) already requires Covered Entities to meet minimum cybersecurity standards; the letter explains how those existing requirements apply to AI-related risk. Covered Entities must conduct risk assessments at least annually, and the letter expects those assessments to address AI threats and to drive updates to cybersecurity policies and procedures. Covered Entities must also have written policies governing TPSPs, with due diligence and contractual controls that are especially important where a TPSP has access to the entity's Information Systems or NPI.
Access controls are another core measure. The Cybersecurity Regulation requires Covered Entities to implement multi-factor authentication (MFA), meaning a user must present at least two different types of authentication factors: something the user knows (a password), something the user has (a token or security key), or something the user is (a biometric characteristic). Two factors of the same type, such as two passwords, do not satisfy the requirement. Given the deepfake threat the letter describes, practitioners should treat voice, video, and other biometric checks as the factors most exposed to AI manipulation and favor phishing-resistant possession factors such as hardware security keys where possible.
The regulation also requires cybersecurity awareness training for all personnel at least annually, and that training must cover social engineering, which the letter expects to include AI-enabled deepfakes. Covered Entities must monitor user activity on their Information Systems and maintain a vulnerability management process that identifies and remediates new vulnerabilities, including those introduced by AI tools and the TPSPs that supply them. Finally, the regulation's data minimization and disposal requirements mean organizations should securely dispose of NPI they no longer need, including data collected to train or operate AI products, so that a breach exposes as little as possible.
The Industry Guidance letter can be found here.