On 21 May 2026, the New York Department of Financial Services issued two coordinated Industry Letters under Acting Superintendent Kaitlin Asrow. The first letter identifies heightened cybersecurity risks from frontier AI models that can identify and exploit vulnerabilities at speed and scale beyond human practitioners. The second provides supplementary guidance on additional measures regulated entities should consider when operating in a heightened cybersecurity threat environment. Both letters are guidance instruments, not final regulations, but carry supervisory weight for all entities holding a NYDFS license or charter.
Both letters operate under New York's cybersecurity regulation, 23 NYCRR Part 500, as amended with enhanced provisions effective November 2024. Part 500 requires covered entities to maintain a cybersecurity program, conduct regular risk assessments, implement multi-factor authentication, conduct penetration testing, and maintain an incident response plan. The frontier AI Industry Letter identifies full Part 500 compliance as the baseline for preparedness against frontier AI-enabled attacks. NYDFS issued earlier AI cybersecurity guidance in October 2024; the two May 2026 letters represent an escalation in response to advancing model capabilities.
Banks, insurance companies, money transmitters, mortgage companies, and other NYDFS-licensed entities must update their cybersecurity risk assessments to account for frontier AI attack scenarios. Regulated entities must evaluate whether to replace end-of-life or legacy information systems that frontier AI models could more readily exploit. Entities with Class A designation under the amended Part 500 must treat frontier AI as a priority for board-level cybersecurity reporting. All covered entities should document their frontier AI risk assessment and any program updates made in response to the two letters.
The guidance sets no formal compliance deadline for frontier-AI-specific measures, implying that regulated entities should treat frontier AI as a current operational risk rather than a future-oriented concern. The accompanying guidance letter lists specific measures across three categories: reducing attack surface, improving threat detection and readiness, and strengthening resilience and response. Entities should assess which measures are material given their specific risk profile, rather than applying them uniformly.
Licentium advises financial institutions subject to NYDFS regulation and other US state financial regulators on cybersecurity program compliance and AI risk governance. We can assist with 23 NYCRR Part 500 gap assessments, board cybersecurity reporting, and regulatory correspondence with state financial services departments. Work we undertake includes: Part 500 compliance review, AI risk assessment program design, incident response plan development, and state financial regulator supervisory engagement.