New York DFS Issues Alert on Heightened Cybersecurity Threat Environment
On May 21, 2026, the New York Department of Financial Services (NYDFS) issued “Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment.” This industry letter delivered formal guidance on risk management in a heightened cybersecurity threat environment, pointing explicitly to the rapid development of frontier AI models and geopolitical tensions.
Enhanced Cybersecurity Recommendations from NYDFS
According to the letter, covered entities must explicitly evaluate how frontier AI tools are integrated within their systems and vendor risk profiles. They must also globally evaluate their risk management and cybersecurity practices to account for geopolitical instability that can lead to increased incidents of cyberattacks.
The guidance applies to all entities in NYDFS-supervised industries, including banks, insurance companies, financial services firms, mortgage servicers, money transmitters, and health benefit programs, among others. NYDFS outlines recommendations for risk management and compliance efforts, including:
- Reduce the Attack Surface
  - Identify and remediate vulnerabilities in current software, hardware and firmware
  - Employ stronger MFA methods, including more restrictive enrollment
  - Review who has access to Information Systems
  - Restrict and validate inputs prior to generating outputs across applications, including third-party platforms
- Improve Threat Detection and Readiness
  - Confirm threat detection tools are being used and deployed appropriately
  - Ensure all personnel are prepared for potential threats and know how to prevent, detect and respond to them
- Improve Resilience and Response
  - Test backup systems
  - Prepare operational resilience procedures (such as incident response and business continuity plans)
While the letter does not create new legal requirements, it serves as a clear signal that NYDFS expects strict corporate vigilance under 23 NYCRR Part 500 and may use this guidance as a benchmark in future examinations and enforcement actions. Part 500 is the New York State regulation that first established the NYDFS Cybersecurity Regulation, which was promulgated in 2017. Its final provisions took effect November 1, 2025.
Bleakley Platt Can Help Regulated Entities Navigate Cybersecurity Risks
Our Information Technology and Cybersecurity Practice Group helps regulated entities conduct internal cybersecurity audits and develop policies to secure organizations against risks. Our attorneys can also help compliance teams review third-party vendor oversight programs to ensure they match the regulatory expectations of NYDFS Part 500.
Schedule a consultation today by calling 914-949-2700.