From the journal

NYDFS Issues Dual Industry Letters on Frontier AI Cybersecurity Risks, 21 May 2026

On 21 May 2026, the New York Department of Financial Services issued two coordinated Industry Letters under Acting Superintendent Kaitlin Asrow. The first identifies heightened cybersecurity risks from frontier AI models that amplify the speed, scale, and potency of attacks against regulated entities. The second provides prescriptive guidance on additional measures in a heightened threat environment, covering attack-surface reduction, threat detection, and resilience planning.

3 min read

On 21 May 2026, the New York Department of Financial Services issued two coordinated Industry Letters under Acting Superintendent Kaitlin Asrow. The first letter identifies heightened cybersecurity risks from frontier AI models that can identify and exploit vulnerabilities at speed and scale beyond human practitioners. The second provides supplementary guidance on additional measures regulated entities should consider when operating in a heightened cybersecurity threat environment. Both letters are guidance instruments, not final regulations, but carry supervisory weight for all entities holding a NYDFS license or charter.

Both letters operate under New York's cybersecurity regulation, 23 NYCRR Part 500, as amended with enhanced provisions effective November 2024. Part 500 requires covered entities to maintain a cybersecurity program, conduct regular risk assessments, implement multi-factor authentication, conduct penetration testing, and maintain an incident response plan. The frontier AI Industry Letter identifies full Part 500 compliance as the baseline for preparedness against frontier AI-enabled attacks. NYDFS issued earlier AI cybersecurity guidance in October 2024; the May 2026 dual letters represent an escalation in response to advancing model capabilities.

Banks, insurance companies, money transmitters, mortgage companies, and other NYDFS-licensed entities must update their cybersecurity risk assessments to account for frontier AI attack scenarios. Regulated entities must evaluate whether to replace end-of-life or legacy information systems that frontier AI models could more readily exploit. Entities with Class A designation under the amended Part 500 must treat frontier AI as a priority for board-level cybersecurity reporting. All covered entities should document their frontier AI risk assessment and any program updates made in response to the two letters.

The guidance sets no formal compliance deadline for frontier-AI-specific measures, implying regulated entities should treat it as a current operational risk rather than a future-oriented concern. The accompanying guidance letter lists specific measures across three categories: reducing attack surface, improving threat detection and readiness, and strengthening resilience and response. Entities should assess which measures are material given their specific risk profile, rather than applying them uniformly.

Licentium advises financial institutions subject to NYDFS regulation and other US state financial regulators on cybersecurity program compliance and AI risk governance. We can assist with 23 NYCRR Part 500 gap assessments, board cybersecurity reporting, and regulatory correspondence with state financial services departments. Work we undertake includes: Part 500 compliance review, AI risk assessment program design, incident response plan development, and state financial regulator supervisory engagement.

Source: NYDFS, Industry Letter: Heightened Cybersecurity Risks Associated with Frontier AI Models, 21 May 2026

AI Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.