NYDFS issues cybersecurity guidance for AI

October 18, 2024

On October 16, NYDFS Superintendent Adrienne A. Harris issued an industry letter to assist regulated entities in meeting their existing obligations regarding cybersecurity risks arising from AI. The letter, directed at executives and information security personnel of entities regulated by NYDFS, stresses that while AI enhances threat detection and incident response, it also introduces significant new opportunities for cybercriminals.

The letter identifies key AI-related cybersecurity threats, including AI-enabled social engineering, which allows for highly personalized and sophisticated attacks, and AI-enhanced cyberattacks that amplify the scale and speed of existing threats. Additionally, the use of AI requires the collection and processing of substantial amounts of data, including nonpublic information and biometric data, increasing the risk of data exposure or theft. The reliance on third-party service providers and vendors for AI-powered tools also introduces supply chain vulnerabilities.

To combat these risks, NYDFS emphasizes the importance of adhering to New York’s cybersecurity regulation — 23 NYCRR Part 500. Covered entities are advised to conduct comprehensive risk assessments, implement robust access controls, and maintain effective data management practices by November 1, 2025. The letter also underscores the need for cybersecurity training for all personnel, including senior executives, to ensure awareness of AI-related threats and appropriate response strategies. It further states that monitoring processes should be in place to detect unauthorized access and unusual query behaviors, particularly for AI-enabled products and services.