New York DFS Issues Cybersecurity Guidance for Financial Institutions Amid Elevated Threat Environment 

The New York State Department of Financial Services (DFS) recently released new industry guidance outlining operational measures financial institutions may consider implementing during periods of heightened cybersecurity risk. 

The guidance highlights growing concerns surrounding increasingly advanced artificial intelligence tools capable of sophisticated cyber operations. According to the DFS, the emergence of highly advanced large-scale AI systems — often referred to as “frontier models” — should prompt organizations to closely evaluate their cybersecurity preparedness and infrastructure defenses.

Researchers have noted that some newer AI models demonstrate capabilities that significantly exceed previous technologies in areas such as autonomous cyber operations, vulnerability detection, and the ability to bypass certain security protocols in testing environments.

On May 21, 2026, the DFS issued an industry letter providing a non-exhaustive list of recommended security practices for regulated entities. DFS officials emphasized that the guidance does not replace or modify existing legal requirements under 23 NYCRR Part 500, New York’s primary cybersecurity regulation for financial institutions. 

Instead, the advisory is intended to serve as an operational framework designed to help organizations strengthen preparedness during periods of increased cyber risk.

The guidance focuses on three primary areas:
  • Reducing the technical attack surface 
  • Improving threat detection readiness 
  • Enhancing organizational resilience 

In a press release accompanying the guidance, Acting Superintendent Kaitlin Asrow stated that the recommendations are intended to provide organizations with actionable steps that may help mitigate risks when cybersecurity threats intensify. She also noted that each institution should evaluate its own operational structure and risk profile to determine which measures are appropriate. 

Among the recommendations outlined by the DFS are: 

Implementing Phishing-Resistant Multi-Factor Authentication 

The DFS encourages organizations to adopt phishing-resistant MFA methods, including hardware security tokens and authenticator applications that require number matching or similar verification techniques. 

Reviewing Third-Party Software and Code 

Financial institutions are advised to actively evaluate third-party software operating within their infrastructure, including reviewing permissions, behaviors, and potential vulnerabilities associated with external code.

Confirming Core Security Defenses 

The guidance recommends verifying that key security systems, such as firewalls, antivirus software, and endpoint detection and response (EDR) tools, are properly deployed, fully operational, and regularly updated.

Strengthening Vendor Preparedness 

The DFS also recommends obtaining clear operational commitments from third-party service providers regarding their ability to respond to widespread technical disruptions or cyber incidents. 

A full copy of the guidance is available on the DFS website: https://www.dfs.ny.gov/industry-guidance/industry-letters/20260521-guidance-on-measures-reg-entities-should-consider-in-a-hcte 

Additional cybersecurity resources are also available through the DFS Cybersecurity Resource Center. 

Author:  Jennifer Evancic
