On October 16, 2024, the New York State Department of Financial Services (DFS) issued an industry letter, Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks, providing guidance on the cybersecurity risks associated with the use of artificial intelligence (AI) and strategies for entities regulated by DFS (“Covered Entities”) to mitigate these risks.
The guidance reviews the AI-cybersecurity risk landscape and provides a broad overview of controls to mitigate that risk. Although NYDFS states that this guidance does not impose new requirements, companies would be wise to pay attention. The letter does not impose any new rules, instead addressing how Covered Entities should use the framework in 23 NYCRR Part 500 (“Cybersecurity Regulation”) to assess and mitigate AI-related cybersecurity risks. But, as a practical matter, the guidance will certainly shape how NYDFS evaluates companies’ cybersecurity programs. And as with other early NYDFS cybersecurity initiatives, this guidance will likely influence how other regulators approach AI-cybersecurity risk.
We provide a summary of the guidance in our Legal Update.