AI Can't Roll Up Your Sleeves for You
With Cybersecurity Awareness Month 2024 well underway, it is fitting that the New York Department of Financial Services (NYDFS) issued on October 16 an Industry Letter with guidance about cybersecurity risks associated with AI use. The guidance applies to entities covered under 23 NYCRR Part 500 (Part 500) but offers valuable direction to all companies managing such risks.
AI-Related Cybersecurity Risks
The NYDFS guidance emphasizes several AI-enabled cybersecurity risks and ways to mitigate them. Its highlights include:
- AI-Enabled Social Engineering: Threat actors can exploit AI to craft highly personalized attacks using phishing, vishing and deepfakes that are difficult to detect. Our article on applying AI in information security explains many of these significant risks to businesses.
- Vulnerabilities in the Supply Chain: Vendors play a big role in collecting and maintaining data to train AI systems and, as links in the supply chain, introduce potential security vulnerabilities. Our article on managing AI procurement can help guide third-party risk mitigation.
- Ways to Assess and Address Risk: NYDFS stresses that AI use requires risk assessments, training and multifactor authentication (MFA) that adhere to Part 500. Our articles on AI governance and navigating the National Institute of Standards and Technology’s AI Risk Management Framework supply practical insights on applying these measures.
Do Not Ignore the Full Landscape
AI is all the rage, but cybersecurity remains fundamental across all organizational operations. Our 2024 cybersecurity resolutions highlight priority tasks for addressing the dynamic landscape of cyber threats, including cloud-based attacks, which can be mitigated by tailoring cybersecurity efforts and selecting the best tools. This year’s SolarWinds decision underscored the importance of managing internal and external corporate communications about cybersecurity, while the SEC’s settlement with R.R. Donnelley & Sons contained lessons on disclosure controls and escalation protocols.
Standards are growing more granular. The Cybersecurity Maturity Model Certification 2.0 and the European Union’s NIS2 Directive are new regulations of limited scope, but each is likely to influence other regulations more broadly.
We remain committed to providing expert analysis and actionable recommendations for managing the complexities of cybersecurity. Your feedback and suggestions are invaluable to us, so please keep them coming.
Happy Cybersecurity Awareness Month!
Jill Abitbol, Editor-in-Chief