NYDFS Alerts Financial Sector to Heightened Cybersecurity Threats
The New York State Department of Financial Services (DFS) has issued an alert to all regulated entities, reminding them of the increased risk of cyberattacks stemming from ongoing global conflicts. While no specific, coordinated campaign targeting the financial services industry has been observed, the DFS urges vigilance and proactive cybersecurity measures.
Heightened Threat Environment
Recent global events necessitate a heightened state of cybersecurity awareness within the financial sector. The DFS advisory emphasizes the importance of aligning cybersecurity risk management practices with the current threat landscape. This alert does not introduce new requirements for Regulated Entities but serves as a critical reminder to reinforce existing safeguards.
Key Cybersecurity Best Practices
The DFS recommends that Regulated Entities review and enhance their cybersecurity programs, ensuring full compliance with the Department’s cybersecurity regulation, 23 NYCRR Part 500. Specific best practices highlighted in the advisory include:
- Vulnerability Management: Promptly identify and remediate known vulnerabilities by monitoring authoritative sources such as the Known Exploited Vulnerabilities Catalog.
- Operational Resilience: Prepare for disruptive and destructive cybersecurity incidents by reviewing and testing operational resilience procedures to protect and restore critical functions, information systems, and nonpublic information.
- Communication Strategies: Review personnel and customer communication strategies to ensure they are sufficient to address prolonged system and service disruptions.
- Enhanced Monitoring: Enhance monitoring for suspicious and unauthorized activity on information systems.
- Least Privilege Access: Ensure user and service account privileges for accessing and maintaining information systems, including web servers and databases, follow the principle of least privilege.
- Code Injection Protection: Protect against code injection attacks by restricting and validating user inputs prior to forwarding to databases.
- Secure Configuration: Confirm information system, account, and authentication settings are securely configured.
- Transaction Monitoring: Monitor financial transactions, including virtual currency business activity, to ensure compliance with applicable orders and guidance on sanctions and anti-money laundering.
Recent Advisory: Targeted Vishing Attacks
In a separate advisory issued on February 6, 2026, the DFS warned of ongoing cyberthreat campaigns involving vishing (voice phishing) attacks. Threat actors are posing as IT help desk staff to steal login credentials and gain unauthorized access to information systems. The DFS advises entities to review their cybersecurity programs to confirm compliance with 23 NYCRR Part 500, and to implement robust identity verification procedures and targeted awareness training for personnel.
CISO Coverage and Compliance
The DFS Cybersecurity Regulation (23 NYCRR Part 500) requires robust cybersecurity programs for regulated entities, often necessitating dedicated CISO coverage. Understanding the requirements for CISO coverage is crucial for maintaining compliance and mitigating cyber risks.
Looking Ahead
The DFS will continue to monitor the evolving threat landscape and provide updates and guidance to Regulated Entities. Proactive cybersecurity measures and ongoing vigilance are essential to protect the financial system from cyber threats.