Publications
Article

New York Department of Financial Services Provides AI Cybersecurity Guidance: What You Need to Know

Westlaw Today

On Oct. 16, 2024, the New York State Department of Financial Services ("DFS") issued an industry letter (the "Guidance") to Covered Entities, as defined in 23 NYCRR Part 500 ("Cybersecurity Regulation"), including financial services companies, regarding cybersecurity risks arising from artificial intelligence ("AI") and strategies to mitigate related risks in light of AI advancements and increased reliance on AI.

The Guidance was released in response to inquiries from financial institutions regarding how they can mitigate risks associated with artificial intelligence to comply with DFS's Cybersecurity Regulation.

DFS's Cybersecurity Regulation, which was codified in 2017, requires that Covered Entities implement minimum cybersecurity standards to mitigate threats, including those posed by AI. In particular, the Guidance recommends the framework summarized below to incorporate AI-related cybersecurity risk assessment.

The Cybersecurity Regulation defines a "Covered Entity" as "[a]ny person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies."

While DFS indicated that the Guidance does not impose any new requirements beyond the Cybersecurity Regulation, DFS will likely rely on the Guidance in connection with imposing penalties and bringing enforcement actions against non-compliant entities. The Cybersecurity Regulation defines the capitalized terms that are not otherwise defined herein.

To read the full article, please click here.

"New York Department of Financial Services Provides AI Cybersecurity Guidance: What You Need to Know," by Diana M. Eng and Susan Kuruvilla was published in Westlaw Today on November 15, 2024.