On 21 May 2026, the New York Department of Financial Services issued two coordinated Industry Letters to entities subject to its cybersecurity regulation, 23 NYCRR Part 500. The first letter, titled Heightened Cybersecurity Risks Associated with Frontier AI Models, defines frontier AI models and explains how they expand the threat level for regulated entities. The second, titled Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment, describes specific operational steps DFS expects covered entities to evaluate. Neither letter constitutes a formal rulemaking or imposes binding obligations beyond those already in 23 NYCRR Part 500.
The Advisory defines frontier AI models as AI systems that amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems. DFS grounds its guidance in the existing requirements of 23 NYCRR Part 500, particularly the obligations under Section 500.5 (penetration testing), Section 500.6 (audit trail), Section 500.7 (access privileges and management), and Section 500.9 (risk assessment). Covered entities must maintain a cybersecurity risk assessment, and DFS expects those assessments to be updated to reflect the threat environment created by widespread access to frontier AI tools.
Banks, insurance companies, licensed money transmitters, and other DFS-regulated financial entities must review their vulnerability management timelines to accelerate detection and remediation, given how quickly frontier AI tools can identify and exploit system weaknesses. DFS expects covered entities to maintain dependency maps documenting connections between internal systems and critical third-party service providers. Firms running end-of-life or legacy information systems should evaluate whether to replace those systems given increased exposure to AI-assisted attacks.
The Guidance does not specify mandatory timelines for implementing the recommended measures, but DFS has historically used Industry Letters to signal examination priorities. Entities that fail to address the concerns raised in these letters risk adverse findings in the next examination cycle under 23 NYCRR Part 500. DFS has not opened a public comment period for either letter.
Licentium advises crypto asset service providers, digital asset platforms, and financial institutions on cybersecurity regulatory compliance, including obligations under 23 NYCRR Part 500 and equivalent regimes in other jurisdictions. We assist clients with DFS examination preparation and cybersecurity risk assessment updates that address AI-related threats. Work we undertake includes cybersecurity regulatory gap analysis, AI risk integration into existing compliance programs, third-party vendor risk management, and DFS examination support.