By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Johanna Skrzypczyk, Marshal Bozzo, Mengyi Xu & Ned Terrace (Debevoise & Plimpton Data Blog)

On October 16, 2024, the New York Department of Financial Services (NYDFS) released an Industry Letter offering guidance on how to assess cybersecurity risks linked to the use of artificial intelligence (AI) within the existing framework of 23 NYCRR Part 500 (referred to as the Cybersecurity Regulation or Part 500). Although the guidance specifically targets entities governed by Part 500—such as those licensed under New York’s Banking, Insurance, or Financial Services Laws—it also provides valuable insights for all businesses on managing AI-related cybersecurity risks.

Importantly, the NYDFS clarifies that the guidance does not introduce new requirements beyond what is already mandated under the Cybersecurity Regulation. Instead, it aims to help covered entities navigate how to address AI-related cybersecurity risks using the existing Part 500 framework and build appropriate controls to mitigate those risks. Additionally, the guidance encourages companies to explore AI’s potential to enhance cybersecurity measures, such as reviewing security logs, analyzing behaviors, detecting anomalies, and predicting possible threats. Organizations subject to Part 500—particularly those that have implemented AI extensively—are advised to carefully review the guidance and evaluate whether their current cybersecurity policies and controls may require updates.

In this post from Debevoise’s Data Strategy and Security blog, we highlight key takeaways from the guidance and offer practical considerations for companies assessing their cybersecurity protocols to address AI-related risks.

A. AI-Related Cybersecurity Risks

The NYDFS divides AI-related cybersecurity risks into two main categories: (1) risks posed by malicious actors leveraging AI, and (2) risks stemming from companies’ own use or reliance on AI…