Overview
On June 23, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter encouraging all regulated entities to review their cybersecurity and sanctions compliance programs in light of heightened geopolitical tensions. The letter, titled “Impact of Global Conflict on Cybersecurity and Sanctions Risk,” emphasizes the elevated risk environment and reaffirms the Department’s expectations that covered institutions maintain robust controls and remain vigilant in mitigating cyber and sanctions-related threats.
The Department specifically references entities subject to 23 NYCRR Part 500 and 23 NYCRR Part 200, encouraging proactive evaluation of cybersecurity and sanctions risk controls. While no new requirements are introduced, NYDFS provides targeted reminders on regulatory obligations, risk management practices, and incident reporting expectations.
Cybersecurity Controls and Reminders from NYDFS
NYDFS recommends that regulated entities evaluate and strengthen the following areas of their cybersecurity programs:
Access Controls
- Enforce multi-factor authentication (MFA) for remote and privileged access
- Disable or restrict remote desktop protocol (RDP) access
- Limit administrative privileges based on least-privilege principles
Risk and Response Readiness
- Update cybersecurity risk assessments to address risks associated with geopolitical instability
- Validate data backup and restoration processes
- Test incident response and business continuity plans under worst-case scenarios
Monitoring and Detection
- Maintain effective deployment of endpoint detection and response (EDR), SIEM, and logging tools
- Monitor for anomalous behavior across third-party vendors and internal networks
- Stay informed via alerts from CISA, FBI, and sector-specific ISACs
Employee Awareness
- Reinforce employee training programs with emphasis on phishing detection and incident escalation procedures
Sanctions Compliance Controls
NYDFS emphasizes the importance of staying current with U.S. economic sanctions and taking immediate action where risk is identified:
- Routinely screen counterparties and transactions against the OFAC SDN List
- Subscribe to OFAC email updates
- Immediately block and report transactions involving sanctioned parties
- Maintain written procedures and records of sanctions screening and escalation protocols
Virtual Currency Entities: Increased Exposure and Expectations
NYDFS reminds entities subject to 23 NYCRR Part 200 that virtual currency businesses are particularly susceptible to exploitation by malicious actors seeking to circumvent traditional financial controls. The Department encourages virtual currency entities to:
- Implement blockchain analytics, wallet address screening, and geofencing tools
- Proactively block transactions involving sanctioned jurisdictions or parties
- Report suspected sanctions violations to OFAC and notify NYDFS
- Align practices with guidance from OFAC, FinCEN, and federal cybersecurity advisories