June 1, 2026

NYDFS Issues Two Industry Letters on Responding to a Heightened Cybersecurity Threat Environment, Including “Frontier AI Models”


On May 21, 2026, the New York State Department of Financial Services (“NYDFS” or the “Department”) published two industry letters urging regulated entities to review their cyber programs in response to a heightened cybersecurity threat environment. These issuances are the latest guidance from the Department to the financial services industry related to cybersecurity and the changing threat environment. These letters serve as further confirmation that regulators are focused on the risks posed by new AI models with groundbreaking ability to find and exploit vulnerabilities.

The first industry letter, Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment (the “Heightened Cyber Threat Guidance”), sets forth best practices for regulated companies when there is a “heightened threat environment.” Heightened threat environments can come from “geopolitical events” or “technological developments.” Examples of geopolitical events presumably include conflicts such as the Ukraine-Russia war or the current conflict with Iran—subjects of past cybersecurity alerts from NYDFS and other regulators.

The second, Heightened Cybersecurity Risks Associated with Frontier AI Models (the “Frontier AI Model Guidance”), is an illustration of a technology development that creates a heightened threat environment. The guidance focuses on risk from AI tools “that amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems.” The Frontier AI Model Guidance cross-references recommendations from the Heightened Cyber Threat Guidance.

While both industry letters state that they do not create new legal requirements, regulated companies should expect that these recommendations will inform the Department’s expectations in supervision and enforcement. Regulated companies should therefore assess whether their current cybersecurity programs adequately address the risks posed by frontier AI models and consider implementing the specific measures recommended in the Heightened Cyber Threat Guidance.

Heightened Cyber Threat Guidance

The Heightened Cyber Threat Guidance identifies a non-exhaustive list of best practices for regulated entities to consider to address heightened threat environments. The Department recommends considering these measures alongside each organization’s unique circumstances, including its threat environment, defenses, operations, supply chain dependencies and sector-specific risks.

NYDFS defines a heightened threat environment as one in which cybersecurity risks are significantly elevated and have a high likelihood of impacting Information Systems, Nonpublic Information, or operations.1 Potential triggers include geopolitical events that increase the risk of cyberattacks and technological developments that materially change the cybersecurity landscape. Whether to adopt specific practices will depend on each organization's unique circumstances, but NYDFS urges regulated entities to assess the current threat environment and evaluate the measures described below.
The Heightened Cyber Threat Guidance organizes its recommendations into three categories of best practices:

  1. Reduce Attack Surface. The Department recommends nine measures for regulated entities to reduce their attack surface, through network, cloud and secure software development practices, including (i) disabling inactive or unnecessary ports and protocols; (ii) establishing network access protections and segmentation; (iii) reviewing cloud application configurations to ensure alignment with risk tolerance; (iv) restricting and validating inputs prior to generating outputs, running scripts or processes, or otherwise executing commands; and (v) confirming secure programming practices including validating user inputs; restricting unsafe execution of commands, scripts, processes, or generated outputs; and preventing unauthorized exposure of sensitive data, credentials, and encryption keys.

    Identity and access management recommendations to further reduce the attack surface include: (vi) employing phishing-resistant MFA methods (e.g., authenticator applications with number matching or hardware tokens); (vii) conducting privileged access reviews (especially for threat-relevant users, systems and devices); and (viii) restricting MFA enrollment and changes through processes with strong identity verification. Finally, the Department highlights the need to (ix) expeditiously identify and remediate known exploited vulnerabilities in firmware, hardware, and software, with a focus on Information Systems exposed to the Internet.

  2. Improve Threat Detection and Readiness. Regulated entities should confirm that (i) intrusion prevention, detection, and response controls are in use, up-to-date, and appropriately deployed, and (ii) log and security event alerting data is captured on Information Systems, and that anomalous or suspicious activity is promptly identified and appropriately actioned (e.g., unexpected logins from certain geographic regions). Additionally, regulated entities should enhance monitoring and validation of expected behavior(s) of third-party code, applications, permissions, and practices.

    The Heightened Cyber Threat Guidance also recommends personnel and vendor practices, including (i) ensuring appropriate personnel review and action relevant threat intelligence and remediate known indicators of compromise; (ii) alerting all personnel to steps they can take to prevent, detect and respond to ongoing cyber-threat campaigns (e.g., social engineering techniques); and (iii) engaging with critical service providers to confirm awareness of heightened cyber risks and readiness to respond to potential disruptions.

  3. Improve Resilience and Response. These recommendations focus on business continuity, disaster recovery and incident response, including testing the integrity, immutability, and restorability of backups, including validation of recovery time objectives. The Department also recommends (i) preparing for the specific heightened-threat environment by reviewing and testing threat-relevant operational resilience procedures (e.g., incident response and business continuity plans) to protect and restore critical functions, Information Systems, and Nonpublic Information, (ii) reviewing or developing threat-relevant personnel, customer, and third-party communication strategies to confirm they are sufficient to address prolonged system and service disruptions, and (iii) for Regulated Entities that operate operational technologies, confirming that critical system functions can operate if other Information Systems are unavailable or otherwise compromised.

    The Department also recommends monitoring financial transactions, including virtual currency activity, to ensure compliance with applicable sanctions and anti-money laundering orders and guidance.

Frontier AI Model Guidance

The Frontier AI Model Guidance urges regulated entities to prepare for the broader release of frontier artificial intelligence models that amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems (“Frontier AI Models”). While these models are “not yet broadly available,” the Department anticipates they “may become more available soon.” The Frontier AI Model Guidance does not identify specific Frontier AI Models.

The Department urges regulated entities to review and update their cybersecurity programs and risk assessments to account for risks specific to Frontier AI Models. The Frontier AI Model Guidance focuses on four key areas of preparation and cross-references sections from the Heightened Cyber Threat Guidance throughout.

  1. Vulnerability Management: In addition to identifying and remediating vulnerabilities as provided in Section 1 of the Heightened Cyber Threat Guidance, regulated entities should reassess their procedures for evaluating the criticality of vulnerabilities and should review vulnerability management timelines to determine whether accelerated detection and remediation processes are necessary based on updated Risk Assessments.
  2. Third-Party Management: Regulated entities should develop and maintain dependency maps, and coordinate with critical third-party service providers and material downstream providers to address significant vulnerabilities and operational risks. The Department recommends applying certain steps in Section 2 of the Heightened Cyber Threat Guidance, including assessing critical third-party dependencies, identifying vulnerabilities and plans for remediation, and detecting suspicious behavior.
  3. Secure Programming Practices: Citing Section 1 of the Heightened Cyber Threat Guidance, the Department recommends that organizations restrict and validate inputs prior to running scripts or processes and confirm that secure programming practices are used, which may include additional testing and validation procedures—including human oversight—for AI-generated code prior to deployment in production environments. Regulated entities using AI to identify and remediate vulnerabilities should also employ secure programming practices to prevent unknown changes in code or configurations, or the inadvertent destruction or material degradation of necessary code.
  4. Heightened Monitoring and Prompt Reporting: Citing Section 2 of the Heightened Cyber Threat Guidance, regulated entities should consider evaluating whether existing logging and security event alerting capabilities are sufficient to address heightened threats. The Department also recommends reviewing and testing threat-relevant operational resilience procedures, as described in Section 3 of the Heightened Cyber Threat Guidance.

1 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(i). Capitalized terms used herein are defined in Part 500.
