New York State Department of Financial Services · NY

Cybersecurity Advisory - Heightened Cybersecurity Risks Associated with Frontier AI Models

May 21, 2026

Summary

The NYS Department of Financial Services issued an advisory warning of increased cybersecurity threats posed by frontier AI models capable of accelerating vulnerability discovery. While not imposing new mandates, the agency urges regulated entities to strengthen risk assessments, accelerate vulnerability remediation, and ensure strict compliance with 23 NYCRR Part 500.

Industry Letter


Date: May 21, 2026

To: CISOs of DFS Regulated Entities

Re: Heightened Cybersecurity Risks Associated with Frontier AI Models

The New York State Department of Financial Services (the “Department”) is issuing this Advisory about the heightened cybersecurity risks associated with certain frontier artificial intelligence models that amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems (“Frontier AI Models”). The Department urges individuals and entities regulated by the Department (“Regulated Entities”) to improve their security posture in preparation for the release of these Frontier AI Models. Although certain Frontier AI Models are not yet broadly available, such capabilities may become more available soon. The Advisory does not impose any new requirements for Regulated Entities; rather, it is intended to inform Regulated Entities’ risk management and compliance efforts.

The best preparation for Frontier AI Models is a robust cybersecurity program that includes timely and comprehensive vulnerability identification and remediation. Regulated Entities should review and update risk assessments to reflect the evolving risks posed by this new technology. For example, entities should consider whether to strengthen operational resilience by replacing end-of-life or legacy information systems. Additionally, they should review their cybersecurity programs to ensure full compliance with the Department’s cybersecurity regulation, 23 NYCRR Part 500 (“Part 500”), and consider whether additional cybersecurity measures are warranted to address heightened risks associated with Frontier AI Models.

In conjunction with this Advisory, the Department is issuing new guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment (“Guidance”). This Guidance is intended to help Regulated Entities identify potential additional steps that may be appropriate when addressing cybersecurity risks that are significantly higher than normal. Whether to adopt a heightened risk posture, and which measures to adopt, depend on the unique circumstances and operations of an organization.

With respect to Frontier AI Models, Regulated Entities should consider the measures outlined in Sections 1, 2, and 3.2 of the Guidance. Below are a few recommendations organizations should specifically consider as they prepare for the wider availability of Frontier AI Models:

  • Expedited Vulnerability Management: Guidance Section 1.1 discusses expeditiously identifying and remediating vulnerabilities in firmware, hardware, and software – a measure to mitigate the risk that threat actors will be more capable of exploiting vulnerabilities identified by Frontier AI Models. Regulated Entities should reassess their procedures for evaluating the criticality and threat of known vulnerabilities and should review vulnerability management timelines to determine whether accelerated detection and remediation processes are necessary based on updated Risk Assessments.
  • Coordinate with Third-Party Service Providers to Secure Material Downstream Dependencies: Regulated Entities should develop and maintain dependency maps, and coordinate with critical third-party service providers and material downstream providers to address significant vulnerabilities and operational risks. Section 2.3 of the Guidance recommends that appropriate personnel review relevant threat intelligence, including for known indicators of compromise and complete remediation steps. Sections 2.5 and 2.6 of the Guidance recommend that Regulated Entities monitor and validate third-party code and engage with critical third-party service providers, including to communicate the specific responsibilities of the Regulated Entity and the third party. These steps can help Regulated Entities in assessing their critical third-party dependencies, identifying vulnerabilities and plans for remediation, and detecting suspicious behavior.
  • Strengthen Security of Programming Practices: Sections 1.8 and 1.9 of the Guidance recommend that organizations restrict and validate inputs prior to running scripts or processes and confirm that secure programming practices are used. This may include additional testing and validation procedures, including human oversight, for AI-generated code prior to deployment in production environments. Additionally, Regulated Entities using AI to identify and remediate vulnerabilities should employ secure programming practices to prevent unknown changes in code or configurations, or the inadvertent destruction or material degradation of necessary code.
  • Heightened Monitoring and Prompt Reporting: Section 2.2 of the Guidance recommends that entities ensure that suspicious activity is promptly flagged and addressed. Regulated Entities should consider evaluating whether existing logging and security event alerting capabilities are sufficient to address heightened threats. Additionally, Section 3.2 of the Guidance recommends that Regulated Entities review and test threat-relevant operational resilience procedures, which may require more frequent use as AI-enabled cyber capabilities evolve.

This is not an exhaustive list of steps Regulated Entities may take to protect their information systems and nonpublic information. Entities should consider taking whatever steps are necessary to manage their unique cybersecurity risks and the risks to consumer nonpublic information. The Department’s October 2024 guidance on Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks contains additional information about cybersecurity threats and capabilities associated with Artificial Intelligence.

Source: https://www.dfs.ny.gov/industry-guidance/industry-letters/20260521-heightened-cybersecurity-risks-assoc-with-frontier-ai-models

