News & Blogs

New York DFS Issues Critical Guidance on Cybersecurity and AI Risks for Financial Firms

North America · · radicalcompliance.com

The New York Department of Financial Services (DFS) has released two open letters providing crucial guidance on managing cybersecurity risks, particularly in a "heightened threat environment" and concerning advanced AI models. While not formal rule changes, these recommendations are essential for internal auditors and assurance professionals across all industries to understand, as they highlight evolving regulatory expectations and best practices for robust risk management and resilience against sophisticated cyber threats.


New York DFS Urges Enhanced Cybersecurity in Heightened Threat Environment

The New York Department of Financial Services (DFS) has issued significant guidance through two open letters, emphasizing the need for financial firms to bolster their cybersecurity defenses. Although these letters do not introduce new regulations, they serve as a strong indicator of DFS's expectations. Internal audit and assurance professionals should view these recommendations as critical benchmarks for evaluating their organizations' cybersecurity posture. Ignoring this guidance could lead to regulatory scrutiny and enforcement actions, as DFS has a history of penalizing firms that fail to act on explicit warnings.

The first letter outlines 20 measures to strengthen cybersecurity risk management, categorized into three key areas:

  • Reducing the Attack Surface: This includes promptly identifying and patching vulnerabilities, especially in internet-facing systems; validating cloud system configurations against risk tolerance; ensuring secure programming practices; and conducting regular privileged-access reviews. These are fundamental controls that internal audit teams should continuously assess.
  • Improving Threat Detection and Readiness: Recommendations here involve consistent logging and security event alerts, prompt identification of suspicious activities (e.g., unusual login locations), and proactive engagement with third-party service providers to clarify cybersecurity responsibilities. Monitoring third-party code and systems for expected behavior is also crucial.
  • Enhancing Resilience and Response: Firms are advised to regularly test data backup integrity and restorability to meet recovery time objectives, and to review disaster recovery and business continuity plans to ensure they are adequate for an elevated threat landscape.

These measures collectively underscore the importance of a comprehensive and adaptive cybersecurity program capable of addressing evolving threats. Internal auditors should integrate these points into their audit plans, focusing on the organization's capacity to manage heightened cybersecurity risks across various capabilities.

Addressing the Cybersecurity Risks of Advanced AI Models

The second DFS letter specifically addresses the cybersecurity risks posed by advanced artificial intelligence (AI) models. It emphasizes that a robust existing cybersecurity program is the best preparation for managing these emerging AI-related threats. This perspective highlights DFS's view of AI primarily as a potential weapon for adversaries rather than solely a beneficial operational tool. This concern is amplified by the development of powerful AI models like Mythos and Daybreak, which are exceptionally adept at discovering system vulnerabilities, raising fears that malicious actors could soon leverage such tools to exploit corporate systems.

The guidance connects directly to the recommendations in the first letter, urging firms to apply enhanced cybersecurity practices to their AI initiatives. For instance, the DFS advises reassessing procedures for evaluating vulnerability criticality and management timelines, recognizing that frontier AI models elevate the threat environment. Furthermore, it stresses the importance of developing "dependency maps" for third-party software systems to understand and mitigate risks stemming from vulnerabilities in external components. When it comes to AI-generated code, the DFS recommends new or additional testing, specifically advocating for human review before deploying such code into live production environments, citing past incidents where AI-driven actions led to significant system disruptions. Ultimately, the DFS guidance on AI underscores the need for senior management to cultivate a strong corporate culture of information protection and governance, ensuring that proactive investments are made to prevent future incidents in an increasingly AI-driven threat landscape.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →