
New York DFS issues cyber threat guidance for banks, insurers, and financial firms

New York’s financial services regulator has issued new cybersecurity guidance for banks, insurers, and other financial firms. The Department of Financial Services said the sector needs to prepare for periods of elevated cyber risk.

DFS defines a heightened threat environment as a period when cybersecurity risks are significantly elevated and likely to affect information systems, nonpublic information, or operations.

The Department’s cybersecurity regulation, 23 NYCRR Part 500 (“Part 500”), provides a framework for Regulated Entities to assess and address cybersecurity risks. Regulated Entities are required to identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on their Information Systems.

Regulated Entities should consider taking additional steps that may go beyond these minimum requirements when they become aware of a heightened threat environment.

For example, geopolitical events that have the potential to increase the risk of cyberattacks, or technological developments that materially change cybersecurity risks, such as the release of frontier AI models, may result in a heightened threat environment and warrant stronger defensive measures and increased vigilance.

This Guidance identifies a non-exhaustive list of best practices Regulated Entities should consider incorporating into their existing cybersecurity program, to the extent not already required and implemented.

Whether to adopt such practices depends on the unique circumstances and operations of an organization. To determine when and which additional security controls to employ to address specific threat environments, Regulated Entities should assess the specific cybersecurity threat, their Information Systems, supply chain dependencies and usage, as well as sector-specific risks.

The guidance covers risk management and compliance steps regulated entities should consider during those periods.

The agency said the guidance does not create new legal requirements. Instead, it identifies practices firms can use when threats increase, including measures already connected to New York’s cybersecurity regulation.

Acting Superintendent Kaitlin Asrow said the guidance gives regulated entities practical steps to take when the threat environment intensifies. She said each organization should assess its own operations and decide which actions are warranted.

DFS grouped the recommendations around reducing attack surfaces, improving threat detection, strengthening readiness, and improving resilience. The agency said firms should disable inactive or unnecessary ports and protocols where possible.

The guidance also recommends tighter controls around multi-factor authentication enrollment and changes. DFS said firms can require IT approval before adding new MFA authenticator devices, applications, or accounts.

DFS also urged companies to alert personnel about current cyber threat campaigns. That includes warning staff about social engineering techniques and steps they can take to prevent, detect, and respond to attacks.

The regulator said firms should engage critical third-party service providers during heightened threat periods. Companies should confirm those providers understand the risks and are ready to respond to disruptions.

DFS also advised monitoring financial transactions, including virtual currency activity. The goal is to maintain compliance with sanctions and anti-money laundering rules during elevated risk periods.

The agency cited geopolitical events as one example of conditions that can increase cyberattack risk. It also pointed to technological developments that materially change cyber risk, including the release of frontier AI models.

Geopolitical volatility ranked among the top 10 business risks in Aon’s 2025 Global Risk Management Survey. Cyber risk remained the leading concern globally.

AI is also becoming a larger cybersecurity concern. U.S. cybersecurity officials are considering shorter deadlines for fixing critical flaws in government IT systems because hackers could use AI tools to exploit them faster.

Reuters has also reported that Europe’s top financial regulator has contacted supervised financial entities to assess cyber defenses. The review followed rising geopolitical tensions and recent AI developments.

DFS said its latest guidance is available on its website, along with other materials in its Cybersecurity Resource Center. The new guidance follows earlier DFS warnings on third-party service provider risk.

Last fall, DFS warned that reliance on third-party service providers can increase cyber exposure. The agency cited cloud computing, file transfer systems, AI, and fintech tools as areas where managed technology risk continues to grow.

DFS regulates more than 3,900 banking and financial institutions and thousands of insurance entities. Together, those organizations manage more than $5.7 tn in combined assets.