The New York Department of Financial Services (NYDFS) issued a May 2026 cybersecurity advisory warning regulated financial institutions that frontier AI models are accelerating and amplifying existing cyber threats. The advisory doesn't impose new requirements but signals that the legal 'reasonableness' standard under existing 23 N.Y.C.R.R. Part 500 must now be interpreted through an AI-aware lens. Key risks identified include AI-enabled social engineering (deepfakes, vishing, phishing), AI-enhanced cyberattacks with lower barriers to entry, concentration of nonpublic and biometric data, and third-party/supply-chain vulnerabilities. Recommended controls include updated risk assessments, stronger MFA (avoiding SMS/voice-based auth), board-level AI risk governance, specialized staff training including deepfake simulation exercises, and enhanced vendor oversight with contractual protections.