NYDFS Tells Companies to Address AI Security Threats

On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an Industry Letter (the “Guidance”) warning companies to update their AI security procedures around multifactor authentication (“MFA”), which are potentially vulnerable to deepfakes and AI-supplemented social engineering attacks. The Guidance is intended to explain the application of the NYDFS Cybersecurity Regulation at 23 NYCRR Part 500 to cybersecurity risks arising from AI.

The Guidance, aimed at NYDFS-regulated entities such as banks, insurers and money transmitters, highlights risks associated with certain MFA tools. Risks include the use of AI by threat actors to increase the effectiveness, scale, and speed of cyberattacks, and to create deepfakes to trick employees and customers into disclosing passwords, sensitive data, and funds. NYDFS also highlights risks related to covered entities’ own use of AI and MFA products, such as exposing substantial amounts of nonpublic information (“NPI”) or biometrics, or increased vulnerability due to third-party, vendor, and other supply chain issues.

The use of MFA for NPI will be mandatory in 2025, and NYDFS recommends that companies use authentication methods that can’t be faked using AI, including digital-based certificates and physical security keys. Companies should also consider using an authentication factor that employs “liveness” detection or texture analysis to verify that a biometric factor comes from a live person, or using multiple biometric modalities at the same time, such as a fingerprint in combination with iris recognition, or fingerprint in combination with user keystrokes and navigational patterns. NYDFS also expects companies to increase cybersecurity protocols and third-party oversight, all of which is based on entities’ required cybersecurity risk assessments and detailed further in the Guidance.

The Guidance highlights the importance of ongoing risk assessments and vendor diligence in the rapidly evolving AI-related threat environment.
