New Regulatory Move Targets AI Cyber Threats in Finance Industry

On October 16, 2024, the NYDFS released a groundbreaking directive addressing AI-driven cybersecurity threats, leaving the financial sector on high alert.

At a Glance

  • The NYDFS issued an Industry Letter warning about AI threats to multifactor authentication (MFA).
  • The Guidance details the application of 23 NYCRR Part 500 to AI-related cybersecurity risks.
  • The targeted sectors include banks, insurers, and money transmitters that rely on certain MFA tools vulnerable to AI-enabled attacks.
  • Starting in 2025, the use of MFA for nonpublic information (NPI) becomes mandatory.
  • NYDFS suggests secure authentication techniques impervious to AI manipulation.

AI-Induced Security Risks in Finance

The New York Department of Financial Services (NYDFS) set alarm bells ringing with a new Industry Letter, emphasizing the urgent need for banks and insurers to update their AI security protocols. These entities are cautioned to shore up their defenses, especially concerning multi-factor authentication (MFA), due to vulnerabilities exposed by deepfakes and artificial intelligence-enhanced social engineering attacks. The directive is a clarion call to integrate advanced security measures to fortify defenses.

Threat actors have found ways to use AI to bypass existing security measures, using deepfakes to deceive and to manipulate access to data. The NYDFS’s guidance calls for regulated entities, including banks and insurers, to prioritize correcting these vulnerabilities. The risk to nonpublic information (NPI) and biometrics calls for stringent security measures, along with comprehensive risk evaluations and stronger third-party oversight, to protect the integrity of financial information.

Strengthening Cybersecurity Protocols

In alignment with 23 NYCRR Part 500, the NYDFS delineates enhanced cybersecurity frameworks, stressing the importance of integrating robust multi-factor authentication systems immune to AI replication. It warns of the increased frequency and scale of AI-powered cyber assaults, a sobering reminder that constant vigilance is paramount. On October 16, 2024, the New York Department of Financial Services issued an Industry Letter (the “Guidance”) warning companies to update their AI security procedures around multifactor authentication (“MFA”), which are potentially vulnerable to deepfakes and AI-supplemented social engineering attacks.

The directive stresses authentication methods that cannot be faked using AI, such as digital certificates and physical security keys. By 2025, implementing MFA for NPI becomes compulsory, reinforcing the urgency of transitioning to more secure systems. Companies are encouraged to apply “liveness” detection, perform texture analysis, and use multiple biometric modalities to strengthen security in financial operations and personal data protection.

Ensuring Protection Amidst Evolving Threats

The financial sector faces an evolving threat landscape as AI technologies advance, challenging existing cybersecurity protocols. NYDFS’s latest guidance highlights ongoing risk assessments and cultivating vendor relationships as key strategies to navigate the emerging risks. The use of MFA for NPI will be mandatory in 2025, and NYDFS recommends that companies use authentication methods that can’t be faked using AI, including digital-based certificates and physical security keys. Financial institutions must recalibrate their cybersecurity strategies to confront these AI-induced challenges, underpinning the importance of adapting to a technologically dynamic environment.

The directive indicates a sharpening focus on controlling third-party interactions, aiming to minimize vulnerabilities originating from external partnerships. A risk-aware culture is paramount, requiring entities to reassess and enhance their cybersecurity frameworks continually. The NYDFS reaffirms its commitment to safeguarding the financial sector, urging companies to increase accountability as they face AI-related threats.