�鶹��Ƶ

On June 23, 2025, the New York State Department of Financial Services (“NYDFS” or the “Department”) issued an industry letter (the “Guidance”) to all entities and individuals it regulates, including banks, insurers, money transmitters, virtual currency businesses, and other financial institutions.[1] The Guidance, evidently in reaction to the developing situation in Iran, reiterates existing NYDFS requirements concerning cybersecurity and virtual currency as provided in 23 NYCRR Parts 200, 500 and 504. It highlights steps that regulated entities should take to prepare for an increased threat of cybersecurity attacks in light of ongoing global conflict, and underscores the Department’s expectations with respect to U.S. sanctions compliance—particularly in the virtual currency context.[2]

Although the Guidance does not create new rules, it signals the Department’s prioritization of regulated entities’ cybersecurity programs, sanctions-screening protocols, and digital-asset controls as a focus of forthcoming examinations and potential enforcement actions. Accordingly, firms subject to NYDFS oversight should promptly evaluate whether their current compliance infrastructure satisfies the detailed expectations set out in the Guidance and the underlying regulations.

Cybersecurity

NYDFS warns that escalating geopolitical conflict “significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns.”[3] The Department directs regulated entities to take certain steps in relation to their technical and organizational data security measures, including:

• Re-examine enterprise-wide risk assessments “to account for recent changes in the cyber-risk landscape.”
• Re-affirm the effectiveness of core controls required under 23 NYCRR Part 500, including multi-factor authentication, privileged access management, vulnerability management and restrictions on remote desktop protocol access.
• Review, update and test incident response and business continuity plans to specifically address “destructive” cyberattacks like ransomware attacks.
• Implement and update “risk-based controls” (e.g., endpoint detection and response, security information and event management) to identify and interdict “unauthorized or anomalous” network activity.
• Conduct full restoration tests from backups.
• Deliver enhanced cybersecurity-awareness training across the workforce.[4]

The Guidance further reiterates the mandatory 72-hour notification window in 23 NYCRR § 500.17(a) and urges parallel reporting to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency.[5] The Guidance encourages entities to verify that internal escalation procedures facilitate rapid notification of NYDFS and law enforcement regarding cyber incidents, supported by tabletop exercises and tested response playbooks.

Sanctions Compliance

The Guidance reminds U.S. persons—including NYDFS-regulated institutions—that they are prohibited from engaging in transactions with individuals or entities on the Treasury Department’s Specially Designated Nationals (“SDN”) List absent Office of Foreign Assets Control (“OFAC”) authorization.[6] To that end, regulated entities should:

• Monitor communications from NYDFS, OFAC and other federal agencies in real time and integrate new sanctions promptly into policies, procedures and screening tools.
• Review transaction monitoring and filtering programs mandated by 3 NYCRR Part 504 to ensure they capture newly designated parties.
• Identify, block and report transactions subject to OFAC restrictions, including trade-finance instruments and funds transfers.
• Update compliance frameworks continuously to incorporate any additional sanctions that may arise as global conflict evolves.

NYDFS makes clear that it expects firms to evidence a “continuous” process of control enhancement rather than reactive, ad hoc measures.[7]

Virtual Currency

Citing the “significantly increased” risk that digital assets could facilitate sanctions evasion, the Guidance emphasizes that entities engaged in virtual-currency business activity—including BitLicensees, limited-purpose trust companies and others—must deploy tailored controls in line with both OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry and the NYDFS virtual currency requirements codified in 23 NYCR Part 200.

Specific expectations for covered entities under the include the following:

• Use of geolocation tools and IP-address blocking to prevent activity originating from comprehensively sanctioned jurisdictions.
• Employment of blockchain-analytics solutions capable of identifying virtual-currency wallet addresses or other identifiers linked to sanctioned parties.
• Integration of virtual-currency-specific screening protocols into broader programs concerning AML, sanctions and countering the financing of terrorism.
• Documentation of governance processes—risk assessments, testing, auditing and training—reflecting the firm’s unique risk profile.

The Guidance warns that failure to maintain such controls may constitute violations of both state and federal law.

Implications

The Guidance foreshadows rigorous Department scrutiny of cybersecurity, sanctions and virtual-currency programs, with entities unable to demonstrate full implementation of the requirements potentially facing increased enforcement exposure. Firms must demonstrate ongoing risk assessments, timely integration of threat intelligence, and swift adoption of technological solutions, beyond mere annual reviews. Firms should further bolster their threat intelligence through regular communication with state and federal regulators regarding both new threat typologies and appropriate mechanisms to counter them.[8] Moreover, Boards and senior management should receive briefings on the Guidance, confirm resource allocation for compliance enhancements, and document oversight actions, which may mitigate regulatory and civil liability.

* * *

[1] Industry Letter: Impact to Financial Sector of Ongoing Global Conflicts at 1, June 23, 2025, available .

[2] Id.

[3] Id.

[4] Id. at 1-2.

[5] Id. at 2.

[6] Id. at 3.

[7] Id. at 4.

[8] See Cassandre Coyer, Iran Cyber Threats Push US Companies to Shore Up Defenses, Bloomberg (June 24, 2025), available .