The Federal Reserve listed the proliferation of generative artificial intelligence (AI) tools among areas of emerging cybersecurity threats for banks to monitor as part of its annual resilience report.
The report, published Tuesday, outlines measures the Fed has taken to improve its own cybersecurity controls, how the agency is supervising the activities of covered institutions in the space, and what global developments and technologies pose increased risk of presenting cyber threats.
This year, the Fed noted generative AI “may … provide threat actors with improved methods for performing social engineering, email phishing, and text messaging smishing attacks compromising access into firms’ systems, emails, databases, and technology services.”
The agency also noted quantum computing and increased reliance on partnerships with financial technology (fintech) firms as emerging risks.
“Of particular potential risk is the rapid adoption by financial institutions of application programming interfaces, which provide accessible gateways into firms’ information (often relied on by fintech platforms for information sharing) and may increase the risk of data breaches, especially of customers’ personal or sensitive information, if not effectively secured and permissioned,” the agency said.
Other risk areas cited included geopolitical tensions regarding the Russia-Ukraine war, increased collaboration among cybercriminals, cyberattacks against software vendors in the supply chain, and insider threats exacerbated by employees working remotely.
The Fed conducts examinations and monitoring of cybersecurity risk management, governance, and controls at supervised institutions, with examiners focused on business line controls, risk management practices, assurance functions, and governance activities performed by firms’ senior management and board of directors. Global systemically important banks are subjected to additional scrutiny.
The Fed itself is in the process of adopting a zero-trust security model, in line with President Joe Biden’s executive order on improving the nation’s cybersecurity released in May 2021.