On May 21, NYDFS issued two industry letters addressing cybersecurity risks in a “heightened threat environment.” The first advisory warns regulated entities about heightened cybersecurity risks associated with advanced “frontier AI” models, which the department said “amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems.” NYDFS urged regulated entities to improve their security posture in preparation for the potential broader availability of these models. The advisory recommends that regulated entities review and update risk assessments, consider replacing outdated or legacy information systems, and ensure full compliance with NYDFS’ Cybersecurity Regulation: 23 NYCRR Part 500 (Part 500). The advisory builds on AI-related cybersecurity guidance the department issued in October 2024 (previously covered by InfoBytes here). NYDFS specifically recommended that regulated entities consider: (i) expedited vulnerability management; (ii) coordinating with third-party service providers to secure “material” downstream dependencies; (iii) strengthening the security of programming practices, including human oversight for AI-generated code prior to deployment; and (iv) heightening monitoring to promptly identify and report suspicious activity.

In conjunction, NYDFS issued separate guidance on various measures beyond the minimum controls required under Part 500 that regulated entities should consider in a heightened cybersecurity threat environment, which the department defined as existing when “cybersecurity risks are significantly elevated and therefore have a high likelihood of impacting” information systems, nonpublic information, or operations. The guidance identifies best practices across three areas: (i) reducing the attack surface, including promptly remediating known exploited vulnerabilities, employing phishing-resistant multifactor authentication, and confirming secure programming practices; (ii) improving threat detection and readiness, including confirming that intrusion prevention and detection controls are up to date and engaging with critical third-party service providers on heightened cybersecurity risks; and (iii) strengthening resilience and response, including testing backup integrity and restorability and reviewing and testing operational resilience procedures against relevant threats.

The guidance also recommends monitoring financial transactions, including virtual currency activity, for sanctions and anti-money laundering compliance. NYDFS noted that geopolitical events or technological developments, such as the release of frontier AI models, may warrant stronger defenses and increased vigilance, and that neither advisory imposes any new legal requirements.