New York State Issues Guidance on AI-Related Cybersecurity Risks

The State of New York has issued new guidance addressing the impact of artificial intelligence (AI) on cybersecurity, aimed at entities regulated by the Department of Financial Services, referred to as “Covered Entities.” As AI continues to evolve, it brings both enhanced cybersecurity capabilities and new vulnerabilities, which HR professionals should understand to protect sensitive company and employee data.

AI has proven valuable in bolstering cybersecurity measures, such as improving threat detection and enhancing incident response strategies. However, the state’s guidance highlights the risks associated with AI, focusing on areas that cybercriminals increasingly exploit.

AI-Related Cybersecurity Risks

The guidance outlines several AI-related threats, including:

1. AI-Enabled Social Engineering: Cybercriminals are using AI to craft highly personalized and sophisticated phishing attacks. With deepfakes, they can mimic voices or appearances, deceiving employees into divulging sensitive information or authorizing fraudulent transactions.
2. AI-Enhanced Cyberattacks: AI allows attackers to identify system vulnerabilities quickly and launch large-scale attacks more efficiently. The accessibility of AI tools has lowered the barrier for less skilled hackers, increasing the frequency and severity of cyberattacks, especially in sectors handling sensitive data, like finance.
3. Data Exposure Risks: AI applications often process large volumes of nonpublic information, including biometric data. This data is attractive to cybercriminals who can use stolen biometric details to bypass security systems, compromising employees’ and clients’ sensitive information.
4. Third-Party Dependencies: Many AI systems rely on data from third-party vendors. Each vendor in the supply chain can become a potential entry point for attackers, heightening the risk of a breach that could impact multiple organizations.

Recommended Cybersecurity Controls

The guidance advises Covered Entities to utilize already established cybersecurity frameworks including conducting thorough risk assessments, enhancing access controls, and ensuring third-party service providers comply with robust cybersecurity standards.

Risk Assessments: Entities should incorporate AI-specific risks into their cybersecurity risk assessments. This helps determine appropriate defensive measures, including periodic updates to ensure new AI-related threats are addressed.

Access Controls: Strengthening access controls, such as Multi-Factor Authentication, is essential to combat threats posed by AI-enhanced social engineering attacks. The guidance recommends avoiding easily compromised authentication methods and considering advanced biometrics with anti-spoofing technology.

Vendor Management: Organizations should conduct thorough due diligence on third-party vendors to assess how they handle AI and protect data. The guidance suggests including contractual clauses to require notification of AI-related security incidents.

Implications for HR Professionals

HR teams must recognize the evolving landscape of AI-related cybersecurity risks and work closely with IT to implement recommended controls. By understanding these risks, HR professionals can help safeguard sensitive employee data and reinforce company-wide cybersecurity protocols.