The New York State Department of Financial Services (DFS) has cautioned the entities it regulates to be alert to cybersecurity risks resulting from the use of artificial intelligence (AI) technology. The department also described steps for reducing those risks. DFS responded in an October 16 industry letter to questions about the cyber risks from AI and what to do about them. The letter did not add new requirements to those in the department's cybersecurity regulation. Instead, it explained how entities should use the regulation's existing provisions to assess and address AI risks.

THE RISKS: WHY YOU SHOULD BE AFRAID

Among the risks the department highlighted were:

Social Engineering: "Social engineering" is a cyber attack in which the attacker uses human interaction to obtain an organization's information or to compromise its information or computer systems. For example, a hacker may convincingly impersonate a manager within an organization and then convince an employee to transfer funds to an illegitimate account. According to the letter, AI has made these attacks more effective. It said, "Threat actors are increasingly using AI to create realistic and interactive" so-called "deepfakes" (audio, video, and text communications that appear to be from an internal manager but are not). Hackers deliver these communications by email, phone, text message, videoconferencing, and postings online. "For example," DFS said, "in February 2024, a Hong Kong finance worker was tricked into transferring $25 million to threat actors after they set up a video call in which every other person participating, including the Chief Finance Officer, was a video deepfake."

Enhanced Cyber Attacks: AI can scan and analyze large volumes of data much faster than a human can. This enables hackers to find and exploit security holes much more quickly. Once inside, they can use it to figure out how best to deploy malware in a network and steal information. They can also use it to quickly develop new versions of malware and ransomware that can elude security controls. Lastly, AI tools enable hackers who lack coding skills to develop and launch their own attacks. "This lower barrier to entry for threat actors, in conjunction with AI-enabled deployment speed," the letter said, "has the potential to increase the number and severity of cyberattacks, especially in the financial services sector, where the maintenance of highly sensitive NPI (non-public information) creates a particularly attractive and lucrative target for threat actors."

Entities' Use of AI Tools: Products that use AI rely on collecting and processing large amounts of data. Some of this data will be NPI. A summary of the New York cybersecurity regulation is, "What you collect, you have to protect." Therefore, entities using AI products may have to protect much more information than they would have otherwise. That information could include biometric information (facial characteristics, fingerprints, etc.), which some multi-factor authentication (MFA) systems use to verify a network user's identity. Hackers who steal it can use it to log into a network by impersonating a trusted user, and unlike a password, a compromised fingerprint or face scan cannot be changed.

Third Parties: Third-party service providers and vendors may either provide data to the entity or have access to the entity's NPI. If they suffer cyber incidents, the entity's NPI and systems may be vulnerable to attack.

THE CONTROLS: WHAT YOU CAN DO ABOUT THE RISKS

The letter listed several procedures the regulation already requires that an entity can use to reduce the risks.

- Include the potential for deepfakes and other AI threats when performing the annual risk assessment.
- Design the risk assessment to address:
- The entity's use of AI.
- AI technologies its third-party service providers and vendors use.
- Any vulnerabilities that might result from AI technologies and that could threaten the computer network and NPI.
- Update the entity's cybersecurity policies and procedures to reflect the threats uncovered during the assessment.
- Larger entities that do not qualify for a limited exemption must create and implement plans for investigating and mitigating cyber incidents. They must also have plans for incident response, business continuity, and disaster recovery. Limited exempt entities might want to give some thought to these subjects even though the regulation does not require them to create formal plans. Planning ahead means less flailing if an incident occurs.
- Create a workplace culture that includes cybersecurity awareness.
- When performing due diligence on third-party service providers, consider their uses of AI; the threats that could pose to them; and how cyber incidents they experience could impact your entity.
- Implement strong controls for access to the entity's network, starting with MFA. The regulation requires all entities to implement MFA by November 1, 2024. They should also include annual reviews of which network users have access to NPI and whether they still need it.
- Annual cybersecurity awareness training for all employees, including training on the risks of social engineering attacks. The regulation requires all entities to start doing this by November 1, 2024.
- Larger entities must have formal system monitoring tools in place. Limited exempt agencies should at least be alert to signs of unusual activity. They should also watch for employees using the system for purposes the agency has not approved.
- Place sensible limits on the amount of NPI the agency collects and retains. These will vary by the business needs of the agency. What you collect, you must protect, so do not retain more data than you want to protect.
AI technologies are here to stay, and their use will only grow with time. If your agency has not yet registered with technology consulting firm Catalyit, we urge you to do so now. They presented a series of webinars last spring that explain how using AI can benefit your business. There are plenty of benefits to using these technologies, but as with any other type of operation, there are risks. The DFS published this letter to make you aware of the risks and suggest ways to control them while you reap the benefits.
This week the Big I NY legislative team and a small group of agent members met with Counsel for Gov. Hochul to share perspective on the wide variety of windstorm deductible triggers used in New York insurance policies. Late in the legislative session, lawmakers passed A.2866/S.4199, which directs the superintendent of the New York State Department of Financial Services (DFS) to “establish standards for windstorm deductibles, which create, to the greatest extent possible, uniformity in the operation of such deductibles with respect to the triggering event." Call participants expressed support for the bill, citing it as an opportunity to bring stakeholders together to narrow the scope of windstorm triggers and support clarity and choice for consumers. There are currently more than 100 different windstorm definitions approved by the DFS, including many that are effectively the same but use different language. Governor Hochul will have ten business days to act on the bill once it is transmitted to her, which is not expected to happen until after Election Day.
Every year, we set aside three days in the fall for something we like to call "Fall Fest." This isn't just another set of meetings or routine check-ins. Fall Fest is a dedicated time for our entire staff to come together in person and focus on growth, connection, and fun. It’s a tradition that not only refreshes and energizes our team, but also strengthens the foundation for our future success.
Why We Do It

At the heart of Fall Fest is the belief that investing in staff development and team building is essential to running a successful organization. We understand that it's not enough to focus solely on the business aspect of our work. By fostering a culture of learning, camaraderie, and mutual respect, we equip our team with the tools and motivation to thrive. Staff development is a critical part of this. During Fall Fest, we provide beneficial training opportunities that help our staff stay up-to-date with technology, services our association offers, and industry news. We also welcomed speakers from the Rescue Mission, who shared about the pressing needs in our community, reminding us of the importance of giving back. Our staff donated items and filled 100 care packages for the speakers to distribute to those experiencing homelessness in our community.
But learning isn't all we do. Fall Fest is also about strengthening bonds within our team. We know that collaboration and trust are key to running a successful association. So, we balance professional development with team-building activities and outings. This year, for example, we visited Beak & Skiff apple orchard, where we worked in teams on a scavenger hunt, had the chance to relax, catch up with each other, and just enjoy being together in a beautiful setting. Events like these help us see each other not just as colleagues but as friends, which makes a difference when we're back in the office.
The Benefits of Staff Development & Team Building

There's no question that investing in staff development and team-building pays off in the long run. For one, regular training ensures that our team is equipped with the knowledge and skills they need to be effective in their roles. As we continue to navigate a hard market, the confidence and expertise gained during Fall Fest can make all the difference in how we serve our members. Team-building activities improve communication, trust, and collaboration. When people have the chance to connect in a relaxed setting, they build relationships that lead to better teamwork in the office. This sense of unity allows us to handle challenges more efficiently and creatively. It also improves morale and job satisfaction, which are key drivers of long-term retention and performance.
Long-Term Impact on Team Performance

The benefits of Fall Fest extend well beyond these three days. In the long run, the skills gained and relationships strengthened during this time result in a more cohesive, motivated, and effective team. Staff development ensures that everyone is growing and adapting as professionals, while team-building fosters an environment of collaboration and support. Together, these elements create a workplace culture that values continuous improvement and teamwork, the cornerstones of our success as an association. Fall Fest reminds us that when we invest in our people, we invest in our future. This annual tradition has become a cornerstone of our approach, helping us stay connected, inspired, and ready to tackle whatever comes next.
Thank you for your patience as our staff participated in these sessions. Our members are the heart of our association, and we are committed to continuous improvement to serve you even better.
The New York State Attorney General's office is offering a new Business Guide to Website Privacy Controls to help businesses better protect consumers who visit their websites.
Attorney General Letitia James said in a news release that businesses do not always accurately describe to website visitors how their information is tracked and the privacy controls they employ. The new guide:
- Identifies common mistakes businesses make.
- Describes steps they can take to identify and prevent issues.
- Provides information to help businesses comply with relevant state laws, including ensuring that the express or implied representations they make about tracking are truthful and not misleading.
- Describes areas where businesses have had trouble and offers tips for avoiding issues.
The guide is available on the Attorney General's website.
Big I NY and a coalition of 34 other business organizations urged Gov. Kathy Hochul this week to veto legislation that would lead to skyrocketing wrongful death lawsuit awards and increased insurance costs for all New Yorkers.
In a letter to the Governor, the coalition pointed to the severe economic implications that would result from the passage of A.9232B/S.8485B (aka Wrongful Death/Grieving Families Act) and the impact that it would have on New York families and businesses. The coalition letter notes that, if enacted into law, personal auto and small business insurance premiums are expected to increase by 6% and 10.9%, respectively. Gov. Hochul has twice vetoed the wrongful death expansion, citing the impact it would have on the cost of insurance of all types, especially in the healthcare sector. The bill expands the types of compensation available to family members in a wrongful death claim to include subjective and difficult-to-define elements like grief, emotional anguish, and loss of companionship. It would also apply retroactively to January 1, 2021. These and other components of the bill inject extreme uncertainty into the insurance environment and will drive up costs for all consumers. The legislation is not expected to be acted upon until after the November 5 election. The letter and a news article reporting on the effort can be viewed HERE.
The New York State Department of Financial Services (DFS) last week warned all financial services companies of a new cybersecurity threat targeting information technology (IT) help desks and service centers. A letter dated September 27, 2024 stated, "DFS has seen evidence that threat actors are targeting IT help desks and call centers using, among other tactics, voice-altering technology in conjunction with information obtained on the internet about the identities of personnel to convince help desks to reset passwords and divert multi-factor authentication (MFA) to new devices." DFS urged all entities it regulates to alert help desk and service center staff to be diligent in authenticating the identities of anyone who requests changes to authentication factors. While most Big I New York members do not have help desks, many do use insurance carrier call centers. You may find that the call centers' staff will take more steps to verify your identity when you contact them than they did before. This will likely be because of this new DFS alert. You should anticipate this when contacting them.
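The pattern DFS describes leaves a trace that can be checked after the fact: a help-desk-initiated password or MFA reset followed shortly by a new MFA device appearing on the same account. The script below is an added example, not part of the DFS letter or of Big I NY's material, and it is not a product of either organization. It correlates the two events over a constructed sample log and flags the pair unless the help desk verified the caller out of band (a callback to the number already on file, in-person, or manager approval); knowledge-based questions such as employee ID or manager name are treated as weak, since the letter notes that exactly this information is being collected from the internet. The log format, field names, and the list of "strong" verification methods are assumptions for illustration; a real help-desk ticketing export or identity-provider audit log will use different fields.

```python
"""Correlate help-desk credential changes with new MFA device enrollments.

Added example. The event format, field names, verification categories and
sample log lines are constructed for illustration, not taken from any real
product or from the DFS letter.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. `verified_by=kba` means the help desk agent relied on
# knowledge-based questions (employee ID, manager name, start date); `callback`
# means the agent called the number already on file before acting.
SAMPLE_LOG = """\
2024-09-30T13:02:11Z help_desk ticket=1001 user=jdoe action=password_reset verified_by=kba channel=phone
2024-09-30T13:06:40Z idp user=jdoe action=mfa_device_enrolled device=new-phone
2024-09-30T15:20:05Z help_desk ticket=1002 user=asmith action=password_reset verified_by=callback channel=phone
2024-10-01T09:00:00Z idp user=asmith action=mfa_device_enrolled device=new-phone
2024-10-01T10:12:33Z help_desk ticket=1003 user=rlee action=mfa_reset verified_by=kba channel=phone
2024-10-01T10:15:02Z idp user=rlee action=mfa_device_enrolled device=new-phone
2024-10-01T11:00:00Z idp user=rlee action=login result=success
"""

# Help-desk actions that change how an account authenticates.
CREDENTIAL_CHANGES = {"password_reset", "mfa_reset"}
# Verification methods that do not depend on facts an attacker could look up
# online. A callback to a number the caller supplied would NOT qualify.
STRONG_VERIFICATION = {"callback", "in_person", "manager_approval"}


@dataclass
class Event:
    ts: datetime
    source: str      # "help_desk" or "idp" (identity provider)
    user: str
    action: str
    fields: dict     # remaining key=value pairs from the line


def parse_log(text: str) -> list[Event]:
    """Parse the constructed 'timestamp source key=value ...' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, source, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(Event(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            source=source,
            user=fields.pop("user"),
            action=fields.pop("action"),
            fields=fields,
        ))
    return events


def find_suspicious_resets(events: list[Event],
                           window: timedelta = timedelta(minutes=30)):
    """Return (user, ticket, reason) for each help-desk credential change that
    is followed within `window` by a new MFA device on the same account and
    was not backed by an out-of-band verification of the caller."""
    enrollments = [e for e in events
                   if e.source == "idp" and e.action == "mfa_device_enrolled"]
    findings = []
    for e in events:
        if e.source != "help_desk" or e.action not in CREDENTIAL_CHANGES:
            continue
        followed = [m for m in enrollments
                    if m.user == e.user and e.ts <= m.ts <= e.ts + window]
        if not followed:
            continue
        method = e.fields.get("verified_by", "none")
        if method in STRONG_VERIFICATION:
            continue
        delay = followed[0].ts - e.ts
        findings.append((e.user, e.fields.get("ticket"),
                         f"{e.action} verified by {method}, "
                         f"new MFA device enrolled {delay} later"))
    return findings


if __name__ == "__main__":
    for user, ticket, reason in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(f"REVIEW ticket {ticket} for {user}: {reason}")
```

On the sample data the script flags jdoe and rlee (knowledge-based verification followed by a new device within minutes) and leaves asmith alone, both because the agent called back the number on file and because the new device appeared many hours later. The window and the set of acceptable verification methods are the two knobs a reviewer would tune to local help-desk procedure.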
We want to remind all Big I New York members of the upcoming deadline for complying with new cybersecurity requirements. The New York State Department of Financial Services (DFS) last November 1 amended its Cybersecurity Requirements for Financial Services Companies regulation. That amendment included several changes. Some of the changes took effect immediately. The deadlines for others were this past spring, with the deadlines for the rest next month and next year. Many of the regulation's 24 sections do not apply to businesses that qualify for the "limited exemption." A business qualifies for the limited exemption if any one of the following three things is true about that business:
- The business and its affiliates have fewer than 20 employees and independent contractors.
- The business and its affiliates generated less than $7.5 million in gross annual revenue in each of the last three fiscal years from all operations (count only the New York State operations of affiliates).
- The business and its affiliates have less than $15 million in year-end total assets.
Most Big I New York members qualify for the limited exemption. DFS sent an email to all New York licensed insurance professionals earlier this week reminding them of these deadlines. However, only two apply to all "covered entities" (the regulation's term for anyone with a New York banking, financial services, or insurance charter or license). The other three apply only to businesses that do not qualify for the limited exemption and to so-called "Class A companies" (very large companies with revenues in the tens of millions and more than 2,000 employees).
The two November 1 deadlines that apply to all covered entities are:

1. Use multi-factor authentication (MFA) for any individual accessing the entity's information systems. However, agencies that qualify for the limited exemption must use it only for:
- Remote access to the agency's computer systems.
- Remote access to third-party applications from which individuals can access non-public information.
- All “privileged accounts" (essentially system administrator accounts) other than service accounts that prohibit interactive login.
If your agency has not already implemented MFA and you need help, agency technology consulting firm Catalyit offers these resources:
Membership in Catalyit is free for Big I New York members, so we encourage all members to register.

2. Provide, at least annually, cybersecurity awareness training that includes social engineering for all personnel. The training should be updated as needed to reflect the risks the agency has identified during its annual cybersecurity risk assessment. The Compliance Resources page in the Cybersecurity section of our website lists potential providers of cybersecurity awareness training.

All covered entities, including agencies that qualify for the limited exemption, must comply with these requirements by November 1, 2024. The deadlines that apply only to larger organizations involve cybersecurity reports to an entity's senior governing body, changes to encryption requirements, and changes to incident response and business continuity management requirements. These requirements do not apply to agencies that qualify for the limited exemption. For more information: