Privacy & Cybersecurity Law Blog

On May 21, 2026, the New York Department of Financial Services (“NYDFS”) issued an industry letter warning regulated entities that emerging “frontier AI models” may significantly increase cyber risk by enabling threat actors to identify and exploit vulnerabilities with greater speed, scale, and sophistication. Although NYDFS notes that these models are not yet broadly available, it urges regulated entities to strengthen their security posture now in anticipation of wider deployment. The letter does not create new legal requirements; rather it is intended to inform regulated entities’ existing risk management and compliance efforts under 23 NYCRR Part 500.

NYDFS emphasizes that the best preparation against these emerging risks is a mature cybersecurity program centered on timely vulnerability identification and remediation. Regulated entities are encouraged to revisit their risk assessments, evaluate whether legacy or end-of-life systems should be replaced, and confirm that their cybersecurity programs fully comply with Part 500. In parallel, NYDFS released accompanying guidance on measures organizations should consider in a heightened cybersecurity threat environment, noting that the appropriate response will depend on each entity’s particular operations and risk profile.

The letter highlights several steps entities should consider in light of frontier AI-related threats. These include accelerating vulnerability management timelines, mapping and securing critical third-party and downstream dependencies, strengthening secure programming practices, and increasing monitoring, alerting, and operational resilience testing. NYDFS also specifically notes the importance of validating AI-generated code before deployment and coordinating with service providers to identify and remediate significant vulnerabilities.

The letter reflects NYDFS’s continued focus on AI as a cybersecurity risk multiplier and signals that regulated entities should treat frontier AI as an important factor in current resilience and incident preparedness efforts. NYDFS also points entities to its October 2024 guidance on AI-related cybersecurity risks for additional background.