Industry Letter

March 3, 2026

To: CISOs of Entities Regulated by the New York State Department of Financial Services

Re: Reminder to Financial Sector of Heightened Cyber Threats Due to Global Conflict

The New York State Department of Financial Services (the “Department”) is issuing this alert to remind all individuals and entities regulated by the Department (“Regulated Entities”) of the increased risk of cyber attacks arising from ongoing conflicts. At this time, the Department has not observed indications of a specific, coordinated campaign targeting the financial services industry or its Regulated Entities. However, recent events warrant vigilance, and Regulated Entities should ensure that their cybersecurity risk management practices reflect the current heightened threat environment.

Regulated Entities should review their cybersecurity programs to ensure full compliance with the Department’s cybersecurity regulation, 23 NYCRR Part 500. Additionally, the Department highlights the following best practices entities should consider in light of the heightened risk environment. This alert does not impose any new requirements for Regulated Entities.

  • Promptly identify and remediate known vulnerabilities, including through monitoring authoritative sources such as the Known Exploited Vulnerabilities Catalog.
  • Prepare for disruptive and destructive cybersecurity incidents by reviewing and testing operational resilience procedures to protect and restore critical functions, information systems, and nonpublic information.
  • Review personnel and customer communication strategies to confirm they are sufficient to address prolonged system and service disruptions.
  • Enhance monitoring for suspicious and unauthorized activity on information systems.
  • Ensure user and service account privileges for accessing and maintaining information systems, including webservers and databases, follow the principle of least privilege.
  • Protect against code injection attacks by restricting and validating user inputs prior to forwarding to databases.
  • Confirm information system, account, and authentication settings are securely configured.
  • Monitor financial transactions, including virtual currency business activity, to ensure compliance with applicable orders and guidance on sanctions and anti-money laundering.

This is not an exhaustive list of steps entities may take to protect their information systems and nonpublic information. Entities should consider taking additional steps to manage their unique cybersecurity risks.

Sincerely,

Kaitlin Asrow, Acting Superintendent
New York State Department of Financial Services