On May 21, 2026, the New York Department of Financial Services (NYDFS) issued industry guidance to licensees regarding security measures they should consider taking “in a heightened cybersecurity threat environment.” Even organizations not subject to NYDFS regulation may want to consider these steps, which the NYDFS characterizes as “best practices.”

Background

Many regulators, including NYDFS, emphasize the need for organizations to update their risk analyses in order to account for new threats in the environment.  According to NYDFS, a “heightened threat environment” exists “when cybersecurity risks are significantly elevated and therefore have a high likelihood of impacting Information Systems, Nonpublic Information or operations.” (footnote omitted). 

NYDFS offered two examples of a heightened cybersecurity environment: 

  • “geopolitical events that have the potential to increase the risk of cyberattacks,” and
  • “technological developments that materially change cybersecurity risks, such as the release of frontier AI models, may result in a heightened threat environment and warrant stronger defensive measures and increased vigilance.”  (footnote omitted) 

The reference to geopolitical events reflects a broader regulatory and government awareness of nation-state cyber threats, sanctions-related attack risk, and the targeting of financial sector infrastructure, all factors that have been particularly prominent in the current global environment.

We explained the cybersecurity risks relating to frontier AI models like Anthropic’s Claude Mythos in a recent post, and expect that this guidance from NYDFS is likely driven, at least in part, by Anthropic’s Mythos model and its purported ability to autonomously identify security vulnerabilities. This guidance was released in conjunction with an Industry Letter specifically emphasizing the threat of certain frontier AI models “that amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems” and urging organizations to prepare for the release of such frontier AI models. Of course, as new models get released, the overall threat level will simply rise, and the “heightened cybersecurity environment” will become the new normal.

Cybersecurity Measures to Consider

NYDFS emphasized that the steps listed in the guidance are not new requirements under the cybersecurity regulation, 23 NYCRR Part 500, but instead are “a non-exhaustive list of best practices”  that may go “beyond the explicit minimum controls” required under Part 500.  Whether a licensee elects to incorporate them:

“depends on the unique circumstances and operations of an organization. To determine when and which additional security controls to employ to address specific threat environments, Regulated Entities should assess the specific cybersecurity threat, their Information Systems, supply chain dependencies and usage, as well as sector-specific risks.”

That being said, regulatory minimums are not the driving force in cybersecurity for many companies: the reputational, legal and intellectual property costs and risks of a cyber event outstrip the risk of regulatory scrutiny and push hard for greater protections than NYDFS or other regulators mandate. For insurers and health plans, the stakes are especially high. These entities hold among the most sensitive categories of Nonpublic Information regulated under Part 500: health data, financial data, and identity information are routinely commingled in a single customer record. This data cache makes insurers high-value targets for sophisticated threat actors, and it is the reason NYDFS insurance examiners pay close attention to cybersecurity controls during market conduct and financial examinations alike.

NYDFS aggregated its listed best practices into three groups:

1. Measures to Reduce the Attack Surface. If an organization can reduce the area the attacker can reach, it makes breaking in harder for the threat actor, which may move on to an easier target. NYDFS listed nine items, including “expeditiously identify and remediate known exploited vulnerabilities” and “conduct privileged access reviews, especially for threat-relevant users, systems, and devices, to prevent unauthorized or unregistered access to Information Systems.” Overall, the measures appear designed to encourage identifying and patching vulnerabilities on faster timelines (given that attackers armed with more advanced AI are expected to identify and exploit vulnerabilities at greater speeds), enhanced coordination with third-party service providers (who are yet another attack surface), and further hardening of information systems. The Department further advises specific measures designed to strengthen security practices around how organizations use AI in their own environment, including secure programming practices for AI-generated code and measures to restrict and validate inputs prior to running certain processes; these are likely intended to minimize the risk of prompt injection and code execution-based attacks.
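The last item above, restricting and validating inputs before a process is run, is the one most easily shown in code. The following is an added example, not code from the NYDFS guidance or from the authors of this post: an allowlist-based gate that parses a textual request (for instance one produced by an AI agent or copied from AI-generated output) into an argument vector, checks the tool name and each argument against fixed rules, and only then executes it without a shell. The tool names, argument patterns and sample requests are constructed for illustration.

```python
"""Allowlist-based validation of a tool invocation before it is executed.

Added example. The permitted tools, per-argument patterns and sample requests
below are constructed for illustration, not taken from any real deployment.
"""
import re
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Each permitted tool maps to an ordered list of regexes, one per argument.
# A request naming any other tool, or supplying a different number of
# arguments, or an argument that fails its pattern, is rejected outright.
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
ALLOWED_TOOLS = {
    "nslookup": [HOSTNAME],                                   # one hostname
    "whois":    [HOSTNAME],
    "ping":     [re.compile(r"^-c$"), re.compile(r"^[1-5]$"),  # bounded count
                 HOSTNAME],
}

# Characters that would change meaning if the argument ever reached a shell.
# Rejected defensively even though execution below never uses a shell.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"']")


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: List[str] = field(default_factory=list)


def validate_request(request: str) -> Decision:
    """Parse a request into argv and check it against the allowlist.

    Returns a Decision; nothing is executed here, so the policy can be
    unit-tested and logged independently of the runner."""
    try:
        argv = shlex.split(request)
    except ValueError as exc:
        return Decision(False, f"unparseable request: {exc}")
    if not argv:
        return Decision(False, "empty request")
    tool, args = argv[0], argv[1:]
    rules = ALLOWED_TOOLS.get(tool)
    if rules is None:
        return Decision(False, f"tool not on allowlist: {tool}", argv)
    if len(args) != len(rules):
        return Decision(False, f"{tool}: expected {len(rules)} argument(s), got {len(args)}", argv)
    for i, (arg, rule) in enumerate(zip(args, rules), start=1):
        if SHELL_META.search(arg):
            return Decision(False, f"{tool}: argument {i} contains shell metacharacters", argv)
        if not rule.fullmatch(arg):
            return Decision(False, f"{tool}: argument {i} failed validation: {arg!r}", argv)
    return Decision(True, "ok", argv)


def run_validated(request: str, timeout: float = 10.0) -> Optional[subprocess.CompletedProcess]:
    """Execute only a request that passed validation.

    argv is passed as a list, so no shell is involved and the validated
    arguments cannot be re-interpreted on the way to the process."""
    decision = validate_request(request)
    if not decision.allowed:
        print(f"BLOCKED: {decision.reason}")
        return None
    return subprocess.run(decision.argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample requests, as an agent or a user might submit them.
    for req in ["nslookup example.com",
                "nslookup 'example.com; id'",
                "ping -c 3 example.com",
                "ping -c 300 example.com",
                "curl http://example.com"]:
        d = validate_request(req)
        print(("ALLOW " if d.allowed else "BLOCK ") + req + "  -> " + d.reason)
```

The design point is that validation is a separate, pure function returning a structured decision: it can be exercised in tests, its rejections can be logged as security events, and the runner cannot be reached except through it. Extending the allowlist means adding a tool with explicit per-argument patterns, never relaxing the default-deny.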

2. Measures to Improve Threat Detection and Readiness. An organization may not be able to keep all threat actors out of its systems, so it is important to detect them. NYDFS listed six steps, including that logging and security event data should be captured and acted upon appropriately, as well as that organizations should “engage with critical Third-Party Service Providers to confirm awareness of and appropriate action on heightened cybersecurity risks and readiness to respond to potential disruptions.” For insurers in particular, this engagement obligation extends to third-party administrators, managing general agents, prescription benefit managers, and claims administrators, counterparties that routinely hold or process large volumes of sensitive Nonpublic Information on the insurer’s behalf.
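“Captured and acted upon” is the operative phrase in the first step above: logs that nobody evaluates satisfy neither. The following is an added example, not from the NYDFS guidance or the authors of this post, of the kind of triage a detection team would run over authentication events, tied to the privileged-access theme of the first group of measures. It flags a successful login that follows a burst of failures for the same account, and any privileged account logging in from a source address outside its known baseline. The log format, account names, baseline addresses and the log lines themselves are constructed for illustration.

```python
"""Triage of authentication events: act on captured log data.

Added example. The log format ("<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"),
the privileged accounts, their baseline source addresses and the sample lines
are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed baseline: privileged accounts and the addresses they normally use.
PRIVILEGED = {"svc-backup", "dba-admin"}
KNOWN_SOURCES: Dict[str, set] = {
    "svc-backup": {"10.0.5.20"},
    "dba-admin": {"10.0.5.21"},
}
FAIL_THRESHOLD = 5              # failures within WINDOW before a success is suspicious
WINDOW = timedelta(minutes=10)

# Constructed sample log lines.
SAMPLE_LOG = """\
2026-05-21T02:00:01 FAIL user=dba-admin src=203.0.113.7
2026-05-21T02:00:04 FAIL user=dba-admin src=203.0.113.7
2026-05-21T02:00:09 FAIL user=dba-admin src=203.0.113.7
2026-05-21T02:00:15 FAIL user=dba-admin src=203.0.113.7
2026-05-21T02:00:20 FAIL user=dba-admin src=203.0.113.7
2026-05-21T02:00:31 OK user=dba-admin src=203.0.113.7
2026-05-21T03:10:00 OK user=svc-backup src=10.0.5.20
2026-05-21T03:11:00 FAIL user=jdoe src=10.0.8.4
2026-05-21T03:11:30 OK user=jdoe src=10.0.8.4
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, outcome, user, src)."""
    ts, outcome, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), outcome,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def triage(log_text: str) -> List[dict]:
    """Return a list of findings; each is a dict with a 'rule' key.

    Rule 1 (success-after-burst): a successful login preceded by at least
    FAIL_THRESHOLD failures for the same user inside WINDOW.
    Rule 2 (privileged-new-source): a privileged account succeeds from an
    address not in its baseline."""
    findings: List[dict] = []
    recent_failures: Dict[str, deque] = defaultdict(deque)  # user -> failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = parse_line(line)
        fails = recent_failures[user]
        while fails and ts - fails[0] > WINDOW:      # drop failures outside the window
            fails.popleft()
        if outcome == "FAIL":
            fails.append(ts)
            continue
        # Successful login: evaluate both rules, then reset the failure history.
        if len(fails) >= FAIL_THRESHOLD:
            findings.append({"rule": "success-after-burst", "user": user, "src": src,
                             "at": ts.isoformat(), "failures": len(fails)})
        if user in PRIVILEGED and src not in KNOWN_SOURCES.get(user, set()):
            findings.append({"rule": "privileged-new-source", "user": user, "src": src,
                             "at": ts.isoformat()})
        fails.clear()
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Both rules are deliberately simple; the value is in the shape of the pipeline, where each finding carries enough context (user, source, time, count) for an analyst or an automated response step to act on it, which is what turns captured log data into a detection control.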

3. Measures to Improve Resilience and Response. Finally, if the threat actor does get in, in addition to notifying NYDFS promptly if required, the organization needs to be able to respond and recover. NYDFS included five items for this group, including that the organization should review and test “threat-relevant operational resilience procedures (e.g., incident response and business continuity plans) to protect and restore critical functions, Information Systems, and Nonpublic Information.”

Our Take

Organizations that are subject to the NYDFS cybersecurity regulation should review all of the security measures listed and conduct a gap assessment promptly rather than at the next annual review cycle. Given that NYDFS issued this guidance in response to an active, heightened threat environment, delay is itself a risk management decision.

Board-level accountability matters. Part 500 already imposes CISO reporting obligations and senior officer certifications. Boards of directors of licensed insurers are the appropriate governance body to receive briefing(s) on this guidance and steps implemented or being considered by management.

One heightened protection that NYDFS did not call out in this guidance, but has addressed in other settlements and guidance, is improved information governance and internal IT organization. No matter how much effort a company puts into protecting its IT environment from intrusion, a cyber event is inevitable, and companies need to minimize its impact once the unauthorized user has gained access. Strong record retention programs minimize obsolete and redundant records, which in turn reduces the data available for extraction. Strong data segmentation not only ensures that employees have access only to the data they need (minimizing inadvertent misuse), but also inherently limits the reach of a cyber event by impeding an unauthorized user’s ability to survey the IT environment.

Organizations should also document their decision-making about which best practices they decide to adopt and why. An undocumented decision not to implement a recommended control is far harder to defend than a reasoned, risk-based explanation.

Insurers that also write cyber liability insurance face an additional consideration: their own enterprise security posture should be consistent with the underwriting standards they apply to policyholders. An insurer that recommends robust third-party risk controls to its insureds but has not itself engaged its TPAs and MGAs on heightened cybersecurity readiness may face uncomfortable questions from both regulators and sophisticated policyholders. It may be advantageous to work with experienced counsel both to review the items listed and for implementation of such items as conduct