Part 3: Looking Ahead – Novel Cybersecurity Issues and Department Priorities

In prior posts, we discussed the amendments to 23 NYCRR Part 500 (Part 500) ahead of the April 15 deadline to certify compliance with Part 500 and the increasing focus on multifactor authentication (MFA) as a key cybersecurity control. While Part 500 sets out formal cybersecurity requirements, the New York State Department of Financial Services (NYDFS) regularly uses industry letters and guidance to signal how it interprets those requirements in light of evolving threats. For financial institutions subject to the requirements (covered entities), these signals are especially important when evaluating whether they can confidently certify compliance.

In recent years, NYDFS has focused attention on novel and accelerating risks, including AI-enabled attacks, sophisticated vishing schemes and cyber threats linked to global instability.

Artificial intelligence

On October 16, 2024, NYDFS published a letter to covered entities (letter) detailing cybersecurity risks related to AI and NYDFS’ guidance on risk mitigation strategies. NYDFS indicated that AI-related cybersecurity risk is a material change for businesses, triggering requirements for a refreshed risk assessment.

The letter describes examples of AI risks specifically related to cybersecurity, stemming from either a threat actor’s use of AI to enhance their attacks or from a covered financial institution’s own use of AI.

Threat actors increasingly use AI to enhance attacks and obfuscate their actions. NYDFS highlights that threat actors may use AI in social engineering attacks in particular (for example, in phishing or vishing attacks, or by using deepfake videos or AI-enhanced or -created photos). The FBI has similarly flagged threat actor use of AI in social engineering attacks as an increased risk for companies. The NYDFS letter also reminds regulated entities that threat actors often use AI in the course of technical attacks. For example, threat actors can use AI to augment their ability to “scan and analyze vast amounts of information,” “quickly and efficiently … identify and exploit security vulnerabilities,” “conduct reconnaissance” once inside a system, and “bypass defensive security controls, thereby evading detection.”

NYDFS also warns that introducing new third parties and vendors, such as AI providers, into a covered financial institution’s supply chain introduces new opportunities for vulnerabilities and potential compromise of the covered entity’s nonpublic information.

According to the letter, covered entities should consider AI-related cybersecurity risks in their risk assessments. Risk assessments required by Part 500.9 must be reviewed and updated at least annually, as well as "whenever a change in the business or technology causes a material change" to the covered entity's cyber risk. NYDFS indicates that it considers the risks posed by AI to be such a material change. The overall takeaway is not that covered entities must deploy AI-specific controls, but that their risk assessments, training, access controls and governance structures should reflect the reality of AI-driven threats within the context of the institution's risk profile.

‘Vishing’ and advanced social engineering

In line with the focus on MFA, NYDFS has repeatedly emphasized the growing sophistication of social engineering attacks, including voice-based schemes targeting employees, executives and customer service functions. "Vishing" (voice phishing) is an attack in which threat actors use phone calls to bypass technical controls by exploiting human trust rather than a software weakness. An advisory issued to covered entities on February 6, 2026, warns that vishing is an increasingly common tactic. NYDFS specifically warned about threat actors posing as IT or help desk workers and tricking employees into providing credentials, including MFA codes or approvals, over the phone.

NYDFS clearly expects covered entities to review their cybersecurity programs in light of this risk and advises that appropriate risk mitigation steps include:

  • Implementing procedures that allow employees to verify the identity of a caller before acting on a request.
  • Providing tailored training on the risk of vishing to employees in frequently targeted roles.
  • Reviewing access controls and permissions regularly so that a compromised employee does not have more access than necessary, limiting the impact of a successful vishing attack.
  • Reviewing MFA and evaluating the process for enrolling new MFA methods, since an attacker who has obtained credentials will often try to register a factor under their own control.
  • Deploying continuous monitoring and detection capabilities.
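The enrollment-review and monitoring items above are where detection logic can be applied. The following is an added example, not part of the NYDFS advisory or of this post: it scans identity-provider audit events for an MFA factor enrolled shortly after a help-desk credential reset for the same user, which is the sequence a successful help-desk-impersonation vishing call tends to produce, and notes whether the enrolling IP address has previously logged in as that user. The event names, the one-hour window, the 30-day lookback and the sample events are all assumptions constructed for illustration.

```python
"""Flag MFA factor enrollments that closely follow a help-desk credential reset.

Illustrative detection logic with constructed sample events; not an NYDFS- or
vendor-provided rule. Event names and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed event names; map your identity provider's real audit-log event
# types onto these before use.
HELPDESK_RESET = "helpdesk.credential_reset"
MFA_ENROLL = "mfa.factor_enrolled"
LOGIN_OK = "auth.login_success"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    ip: str
    actor: str = ""  # who performed the action, e.g. the help-desk agent


@dataclass(frozen=True)
class Finding:
    user: str
    reset_ts: datetime
    enroll_ts: datetime
    enroll_ip: str
    new_ip: bool  # True if this IP never logged in as the user within the lookback


def find_suspicious_enrollments(
    events: list[Event],
    window: timedelta = timedelta(hours=1),
    lookback: timedelta = timedelta(days=30),
) -> list[Finding]:
    """Return one Finding per MFA enrollment that occurs within `window` after
    the most recent help-desk reset for the same user. `new_ip` is set when the
    enrolling IP has no prior successful login for that user within `lookback`;
    treat it as a severity hint, not proof of compromise."""
    ordered = sorted(events, key=lambda e: e.ts)
    last_reset: dict[str, datetime] = {}
    logins: dict[str, list[tuple[datetime, str]]] = {}
    findings: list[Finding] = []
    for e in ordered:
        if e.kind == LOGIN_OK:
            logins.setdefault(e.user, []).append((e.ts, e.ip))
        elif e.kind == HELPDESK_RESET:
            last_reset[e.user] = e.ts
        elif e.kind == MFA_ENROLL:
            reset_ts = last_reset.get(e.user)
            if reset_ts is None or not (timedelta(0) <= e.ts - reset_ts <= window):
                continue  # no recent help-desk reset: out of scope for this rule
            seen = any(
                ip == e.ip and e.ts - ts <= lookback
                for ts, ip in logins.get(e.user, [])
            )
            findings.append(Finding(e.user, reset_ts, e.ts, e.ip, new_ip=not seen))
    return findings


# Constructed sample audit events (not real log data).
T0 = datetime(2026, 2, 9, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=3), "alice", LOGIN_OK, "10.1.2.3"),
    Event(T0, "alice", HELPDESK_RESET, "10.0.0.50", actor="helpdesk-agent-7"),
    # Enrolled 4 minutes after the reset from an IP never seen for alice -> finding, new_ip=True
    Event(T0 + timedelta(minutes=4), "alice", MFA_ENROLL, "203.0.113.77"),
    Event(T0 - timedelta(days=1), "carol", HELPDESK_RESET, "10.0.0.50", actor="helpdesk-agent-2"),
    # Enrolled more than a day after the reset -> outside the window, no finding
    Event(T0 + timedelta(hours=5), "carol", MFA_ENROLL, "10.1.2.9"),
    Event(T0 - timedelta(days=2), "bob", LOGIN_OK, "10.1.2.8"),
    # Enrollment with no help-desk reset at all -> no finding
    Event(T0 + timedelta(minutes=10), "bob", MFA_ENROLL, "10.1.2.8"),
    Event(T0 - timedelta(days=5), "dave", LOGIN_OK, "10.1.2.10"),
    Event(T0 + timedelta(minutes=20), "dave", HELPDESK_RESET, "10.0.0.50", actor="helpdesk-agent-7"),
    # Enrolled 10 minutes after the reset but from dave's usual IP -> finding, new_ip=False
    Event(T0 + timedelta(minutes=30), "dave", MFA_ENROLL, "10.1.2.10"),
]


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS):
        sev = "HIGH" if f.new_ip else "MEDIUM"
        print(f"[{sev}] {f.user}: MFA enrolled at {f.enroll_ts:%H:%M} from {f.enroll_ip}, "
              f"{(f.enroll_ts - f.reset_ts).seconds // 60} min after help-desk reset at {f.reset_ts:%H:%M}")
```

Over the sample events the rule flags alice (high, unfamiliar IP) and dave (medium, familiar IP) and ignores bob and carol. The window and lookback are tuning knobs, and the help-desk agent recorded in `actor` is worth keeping in the alert so that an unusually busy agent, or one whose resets keep preceding new-IP enrollments, surfaces during review.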

NYDFS’ overall message is clear: Covered entities should consider whether their controls – such as authentication, employee awareness and incident response – are calibrated to address the risk of vishing and other increasingly sophisticated social engineering tactics, not just traditional malware or network intrusions.

Global conflicts and geopolitical cyber risk

On March 3, 2026, NYDFS issued a new industry letter reminding covered entities that ongoing global conflict has elevated cybersecurity risk across the financial sector. While NYDFS’ letter noted that it had not observed a specific, coordinated campaign targeting covered entities at the time of issuance, the US intelligence community warned law enforcement agencies and private companies that the US financial sector has historically been viewed as a priority target.

The advisory letter serves as a prompt for covered entities to audit their existing compliance with Part 500 – underscoring that the regulation's requirements are intended to be dynamic, and that covered entities are expected to take the current geopolitical situation into account when assessing and responding to risk. The advisory's specific recommendations – including prompt vulnerability remediation, least privilege enforcement, enhanced monitoring and operational resilience testing – map closely to core Part 500 requirements, signaling that NYDFS views geopolitical threat escalation as an examination-readiness moment, not merely a general warning. Previous guidance issued to covered entities in June 2025 remains relevant to current geopolitically driven cyber threats, which can reach covered entities through state-aligned actors, spillover from attacks aimed at others and opportunistic campaigns that exploit the heightened activity.

NYDFS recommends that institutions review their risk assessments to consider whether geopolitical events warrant updates to their cyber risk profile. Covered entities should also closely assess their third-party service providers to determine if they pose additional risks.

Guidance also highlights that reviewing, testing and updating both incident response plans and business continuity and disaster recovery plans are key to mitigating the potential impact of a geopolitically related cyber event. The amendments to Part 500.16 mirror this guidance, requiring covered entities to have in place a business continuity and disaster recovery plan that is "reasonably designed to ensure the availability and functionality of the covered entity's information systems and material services and protect the covered entity's personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities." Business continuity and disaster recovery plans should be reviewed and tested at least annually, include procedures for the timely recovery of critical data and systems, address backup processes and offsite data storage, and be distributed to the employees responsible for executing them along with appropriate training.

The potential for geopolitical cyber events reinforces NYDFS’ emphasis on resilience: incident response planning, business continuity and the ability to respond quickly to evolving threats. While Part 500 does not require covered entities to predict specific geopolitical events, NYDFS expects them to recognize that global instability can increase cyber risk and adjust their cybersecurity programs accordingly.

Final thoughts

The annual cybersecurity certification process sits at the intersection of law, technology and risk management. As NYDFS’ enforcement of Part 500 evolves – and as the threat landscape grows more complex – financial institutions should view the certification process as an opportunity to assess whether their cybersecurity programs truly align with Part 500 and regulatory expectations. By understanding how NYDFS views key updates to Part 500 within the broader cybersecurity threat landscape, including its focus on MFA and emerging threats, institutions can approach certification with greater confidence and resilience.