New York Updates Financial Services Cybersecurity Regulation to Address AI Risks

October 17, 2024

The New York Department of Financial Services (DFS) has issued new guidance to assist the more than 3,000 financial firms it regulates, including insurers, in addressing cybersecurity risks arising from artificial intelligence (AI).

In a letter to companies, DFS Superintendent Adrienne A. Harris noted that increased reliance on AI has introduced “significant new opportunities for cybercriminals to commit crimes at greater scale and speed,” while at the same time also improving the ability of firms to “prevent cyberattacks, enhance threat detection, and improve incident response strategies.”

This new guidance does not impose any new requirements beyond obligations that are in DFS’s current cybersecurity regulation (Part 500); rather, the new guidance explains how financial services firms should use the framework set forth in Part 500 to address risks arising from AI. These risks include social engineering, cyberattacks, exposure of non-public information, and risks associated with the use of third parties, vendors and supply chains.

The guidance also offers examples of measures that entities can implement to combat AI-related risks.

In terms of AI-enabled social engineering, DFS notes that threat actors are increasingly using AI to create realistic and interactive audio, video, and text (deepfakes) that allow them to target specific individuals via email (phishing), telephone (vishing), text (SMiShing), videoconferencing, and online postings.

Maintaining non-public information (NPI) in large quantities, including in some cases biometric data, poses additional risks for firms using AI because they need to protect substantially more data and “threat actors have a greater incentive to target these entities in an attempt to extract NPI for financial gain or other malicious purposes.”

The memo also cites risks around the process of gathering the large amounts of data needed for AI, a process that frequently involves working with vendors and third-party service providers. “Each link in this supply chain introduces potential security vulnerabilities that can be exploited by threat actors,” according to the guidance, which warns that a link that becomes compromised could expose an entity’s NPI and invite broader attacks on all entities in the supply chain.

DFS’s Part 500 cybersecurity regulation already requires that financial services firms maintain cybersecurity programs, policies, and procedures that are based on cybersecurity risk assessments, which DFS says should now be updated to address AI-related risks. Among the areas to be addressed are the organization’s own use of AI, the AI technologies utilized by third parties and vendors, and any potential vulnerabilities stemming from AI applications that could pose a risk to the confidentiality, integrity, and availability of an organization’s information systems or NPI.

Security Layers

The cybersecurity measures are intended to provide multiple layers of protections “so that if one control fails, other controls are there to prevent or mitigate the impact of an attack.”

In addition, firms must establish, maintain, and test plans that contain proactive measures to investigate and mitigate cybersecurity events.

The guidance calls for enhanced training around AI cyber issues, including for senior leadership, along with enhanced monitoring and effective data management.

Other recommended security measures include minimum requirements related to access controls, encryption, and guidelines for due diligence on third parties and contractual protections; requiring third parties to provide timely notification of any cybersecurity event; and, if third parties are using AI, incorporating additional representations and warranties related to the secure use of any NPI.

DFS also recommends (and DFS regulations will require as of November 2025) implementing robust access controls such as multifactor authentication (MFA) for all authorized users, including customers, employees, contractors, and third parties. MFA requires users to authenticate their identities using at least two of three authentication factors: knowledge factors, such as a password; inherence factors, such as biometric characteristics; and possession factors, such as a token.

Benefits of AI

In addition to addressing the risks of AI, the guidance encourages firms to explore the “substantial cybersecurity benefits” that can be gained by integrating AI into cybersecurity tools, controls, and strategies.

“AI’s ability to analyze vast amounts of data quickly and accurately is tremendously valuable for: automating routine repetitive tasks, such as reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats; efficiently identifying assets, vulnerabilities, and threats; responding quickly once a threat is detected; and expediting recovery of normal operations,” the guidance concludes.

Making Waves: How New York Became a Leader in State Cyber Regulation

New York’s Part 500 cybersecurity regulation was the first of its kind in the U.S. when it was promulgated in 2017. The regulation requires each company to assess its specific cybersecurity risk profile and implement a program that addresses those risks.

Insurers, banks and other financial services entities regulated in the state had until March 2019 to comply. DFS took its first enforcement action under the regulation in July 2020 in the matter of a data breach at a title insurer.

In 2021, DFS issued guidance with best practices for New York-regulated property/casualty insurers that write cyber insurance. As part of the guidance, called the Cyber Insurance Risk Framework, DFS called upon insurers to establish a formal strategy, approved by the insurer’s board or other governing entity, for measuring cyber insurance risk based on the insurer’s size, resources and geographic distribution, among other factors.

In 2022, DFS amended the Part 500 regulation to exempt more small financial services businesses and to increase the accountability of top executives.

DFS regulates more than 3,000 financial institutions with assets totaling more than $9.7 trillion. Among the firms it regulates are insurers, banks, credit unions, managed care organizations, virtual currency firms, and pharmacy benefit managers. DFS maintains a Cybersecurity Resource Center with its various regulations, letters, alerts and compliance dates.