From the journal

NYDFS Issues Two Industry Letters on Frontier AI Cybersecurity Risks, 21 May 2026

On 21 May 2026, the New York Department of Financial Services issued two Industry Letters directed at entities regulated under 23 NYCRR Part 500. The first addresses heightened cybersecurity risks posed by frontier AI models. The second provides guidance on protective measures in an elevated threat environment. Neither letter imposes new legal requirements, but both signal NYDFS examination expectations for covered entities.

3 min read

On 21 May 2026, the New York Department of Financial Services issued two coordinated Industry Letters to entities subject to its cybersecurity regulation, 23 NYCRR Part 500. The first letter, titled Heightened Cybersecurity Risks Associated with Frontier AI Models, defines frontier AI models and explains how they expand the threat level for regulated entities. The second, titled Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment, describes specific operational steps DFS expects covered entities to evaluate. Neither letter constitutes a formal rulemaking or imposes binding obligations beyond those already in 23 NYCRR Part 500.

The Advisory defines frontier AI models as AI systems that amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems. DFS grounds its guidance in the existing requirements of 23 NYCRR Part 500, particularly the obligations under Section 500.5 (penetration testing), Section 500.6 (audit trail), Section 500.7 (access privileges and management), and Section 500.9 (risk assessment). Covered entities must maintain a cybersecurity risk assessment and DFS expects those assessments to be updated to reflect the threat environment created by widespread access to frontier AI tools.

Banks, insurance companies, licensed money transmitters, and other DFS-regulated financial entities must review their vulnerability management timelines to accelerate detection and remediation, given how quickly frontier AI tools can identify and exploit system weaknesses. DFS expects covered entities to maintain dependency maps documenting connections between internal systems and critical third-party service providers. Firms running end-of-life or legacy information systems should evaluate whether to replace those systems given increased exposure to AI-assisted attacks.

The Guidance does not specify mandatory timelines for implementing the recommended measures, but DFS has historically used Industry Letters to signal examination priorities. Entities that fail to address the concerns raised in these letters risk adverse findings in the next examination cycle under 23 NYCRR Part 500. DFS has not opened a public comment period for either letter.

Licentium advises crypto asset service providers, digital asset platforms, and financial institutions on cybersecurity regulatory compliance, including obligations under 23 NYCRR Part 500 and equivalent regimes in other jurisdictions. We assist clients with DFS examination preparation and cybersecurity risk assessment updates that address AI-related threats. Work we undertake includes cybersecurity regulatory gap analysis, AI risk integration into existing compliance programs, third-party vendor risk management, and DFS examination support.

Source: New York Department of Financial Services, Industry Letter: Heightened Cybersecurity Risks Associated with Frontier AI Models, 21 May 2026

AI Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.