This letter highlights some of the key cybersecurity threats discovered, including the risks posed by malicious actors using AI and the dangers posed by organizations’ use of AI.
The first threat from malicious actors is AI-powered social engineering, where bad actors use AI to create personalized social engineering attacks, including realistic and interactive audio, video, and deepfakes, that target specific individuals. The second is cyberattacks that utilize AI, which let cybercriminals amplify the scale and speed of existing attack techniques. Additionally, the increased availability of AI products may enable previously unskilled individuals to launch their own cyberattacks.
Risks posed by an organization's own use of AI include leakage or theft of non-public information (NPI). AI products typically require large amounts of data, which may include NPI and biometric data, and collecting and storing that data creates additional exposure for organizations using AI. Another risk is supply chain vulnerabilities: if your vendor, supplier, or third-party service provider (TPSP) is compromised by a cybersecurity attack, your organization may also be compromised.
DFS cybersecurity regulations require covered entities to implement minimum cybersecurity standards to mitigate AI-related risks. Organizations should conduct a risk assessment at least once a year and update their cybersecurity policies accordingly. Organizations must ensure that TPSPs follow certain procedures, especially when TPSPs have access to information systems or non-public information.
Access control is an important control measure. Cybersecurity regulations require covered entities to implement multi-factor authentication (MFA). MFA requires users to verify their identity using at least two mechanisms, such as a password, biometric characteristic, or token.
Another control is cybersecurity training for all employees. Covered entities must provide cybersecurity training, including training on social engineering, at least once a year. Organizations should also implement monitoring processes to track user activity and identify new security vulnerabilities. Finally, to limit the impact of a potential data breach, organizations should implement data minimization practices and discard data that is no longer needed.
The industry guidance letter can be found here.