Friday, August 15

Adrienne Harris, the Superintendent of the New York State Department of Financial Services (DFS), recently spoke at the DC FinTech Week event in Washington, DC, focusing on the evolving landscape of financial technology (fintech) and the increasing importance of cybersecurity regulations. The DFS has been at the forefront of regulating cybersecurity for financial institutions since 2017, when it became the first state regulator to implement mandatory cybersecurity regulations. These regulations primarily focused on protecting banks, insurance companies, and other financial service providers from cyber threats. Harris emphasized the need for an adaptive regulatory framework to address emerging risks posed by technological advancements, notably artificial intelligence (AI), signaling the department’s proactive approach to safeguarding the financial ecosystem.

In response to the growing influence of AI, the DFS issued new guidelines on October 16, 2024, aimed at defining the cybersecurity risks posed by this technology and urging financial institutions to integrate these risks into their existing cybersecurity frameworks. While these guidelines do not establish new requirements beyond the existing cybersecurity regulations outlined in 23 NYCRR Part 500, they detail ways institutions can leverage current regulations to assess and mitigate the cybersecurity risks introduced by AI. Harris’s initiative reflects a broader understanding of the complex relationship between technological advancement and cybersecurity, urging institutions to remain vigilant against evolving threats while also recognizing the opportunities presented by AI.

The guidelines identified four critical areas where AI has increased the threat of cyberattacks. The first area is social engineering, which is noted as a significant threat to the financial sector. Cybercriminals have increasingly employed AI to produce convincing spear phishing emails and vishing phone calls, making it harder for targets to discern legitimate communications from fraudulent ones. With advanced AI tools, these attackers can create highly credible impersonations of trusted figures, thereby enhancing the effectiveness of their schemes. This shift has catastrophic implications for identity security, with data from identity verification company Onfido indicating a staggering 3,000% increase in deepfake-related attacks over the past year, thus highlighting the urgent need for enhanced defensive measures.

The second area of concern is AI-enhanced cybersecurity attacks. Cybercriminals are now using AI-driven malware, including more sophisticated forms of ransomware, capable of evading detection by security systems. This evolution means even less experienced attackers can leverage AI to deploy complex malware quickly and efficiently. The DFS guidelines indicated that this lowered barrier to entry for threat actors, combined with the rapid deployment of AI, could amplify both the frequency and severity of cyberattacks on financial institutions. As cyber threats become increasingly sophisticated, financial services must adapt their cybersecurity protocols accordingly.

The third identified risk area concerns the vast amounts of sensitive nonpublic information held by financial institutions, including biometric data like facial and fingerprint recognition. If compromised, this data could be exploited by cybercriminals to bypass traditional security measures and create credible deepfakes. This increasing threat creates substantial risks for financial companies that rely on such information for two-factor or multi-factor authentication. The implications of this vulnerability stress the paramount importance of securing personal and sensitive data within financial systems to prevent unauthorized access and fraud.

Finally, the guidelines draw attention to vulnerabilities arising from supply chain dependencies. Even organizations with robust cybersecurity measures can be undermined by targeted attacks on software developers and vendors in their supply chains. Past incidents, such as the SolarWinds attack affecting thousands of companies, underscore the severity of these vulnerabilities. Cybercriminals might introduce malware through trusted software updates, trickling down to companies that utilize these software solutions for their operations. Thus, the DFS cautions financial institutions to remain vigilant against potential supply chain threats that could compromise their security.

While the DFS guidelines outline potential risks associated with AI in cybersecurity, they also offer strategic advice for complying with existing regulations. Institutions are encouraged to implement overlapping security controls in a layered approach so that if one measure fails, others can mitigate the impact of an attack. Additionally, the guidelines advocate for the integration of AI into cybersecurity strategies, emphasizing its potential to enhance threat detection, anomaly identification, and automated response efforts. By harnessing AI’s analytical capabilities, financial services can not only defend against cyberattacks but also streamline their recovery processes. Harris’s insights reflect a comprehensive acknowledgment of AI’s dual role in the financial sector—as both a facilitator of risk and a powerful ally in combating cyber threats.
