On June 23, the New York State Department of Financial Services (NYDFS) issued an industry letter to all regulated entities — banks, insurers, money transmitters, virtual currency companies, and others — cautioning that escalating global conflicts are intensifying threats to the U.S. financial system. The letter highlights increased risk from destructive cyberattacks, sanctions evasion, and illicit activity involving virtual assets. NYDFS urges institutions to take immediate, proactive steps to strengthen operational resilience, ensure compliance, and protect the financial sector from geopolitical spillover.
Cybersecurity: Strengthening Defenses Against Destructive Threats
In light of heightened international tensions, NYDFS warns that regulated entities are at greater risk of experiencing sophisticated cyberattacks, including ransomware, destructive malware, and coordinated state-sponsored activity. To mitigate these threats, NYDFS emphasizes compliance with its cybersecurity regulation (23 NYCRR Part 500) and expects entities to implement and test robust technical and operational safeguards. At a minimum, NYDFS expects entities to use multifactor authentication (MFA) for remote and privileged access, regularly patch vulnerabilities, apply strict controls over privileged and third-party access, and deploy advanced tools such as endpoint detection and response and security information and event management systems. Continuous risk-based monitoring for suspicious activity is also essential. In addition, regulated entities must maintain and actively test their incident response and business continuity plans through realistic tabletop exercises to ensure they can quickly contain cyber incidents, resume operations, and protect consumer trust.
Sanctions Compliance: Reinforcing Screening, Controls, and Monitoring
Another critical area of focus is compliance with U.S. sanctions administered and enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). NYDFS reminds all regulated entities that U.S. persons — including banks, insurers, virtual currency businesses, producers, and third-party administrators — are strictly prohibited from engaging in transactions with sanctioned actors (e.g., those in embargoed jurisdictions or those on the OFAC List of Specially Designated Nationals (SDN) and Blocked Persons), unless otherwise authorized. The industry letter underscores the importance of maintaining a robust and continuously updated OFAC sanctions compliance program. This includes monitoring all transactions in real time and reviewing and calibrating sanctions screening and filtering systems to ensure they are accurate, effective, and capable of identifying blocked parties and jurisdictions. Firms should also monitor relevant client communications and internal data indicators for potential sanctions evasion activity and ensure risks are escalated appropriately. Policies and procedures must be kept current, and staff should be regularly trained to recognize and respond to red flags and high-risk activity. A passive or outdated compliance posture is insufficient given today’s rapidly evolving global sanctions landscape.
Virtual Currency: Managing Emerging Compliance and Counterparty Risks
NYDFS emphasizes that virtual currency firms and financial institutions with crypto exposure must exercise elevated vigilance, as global adversaries and sanctioned entities increasingly attempt to exploit digital assets to circumvent traditional sanctions. To address these risks, institutions are expected to integrate tools and processes that enable traceability, risk scoring, and robust due diligence in the digital asset space. This includes implementing blockchain analytics capable of detecting connections to SDN-listed wallet addresses or transactions originating from sanctioned jurisdictions, and monitoring virtual currency activity and counterparties with the same — or greater — scrutiny applied to fiat transactions. Virtual asset compliance programs must not operate in isolation but be fully aligned with broader sanctions and anti-money laundering frameworks. Firms engaged in crypto custody, trading, or platform services face heightened exposure due to the decentralized and peer-to-peer nature of the space, and should adopt enhanced onboarding, transaction vetting, and escalation procedures to effectively manage these risks.
Impact on the Insurance Industry: Heightened Exposure, Higher Expectations
Although the NYDFS letter applies broadly to all financial institutions, its implications for insurers are particularly significant, with increased exposure across cyber coverage, underwriting diligence, and regulatory obligations. As destructive cyberattacks grow more frequent, insurers offering cyber liability coverage may face rising claim volumes and financial losses. NYDFS’s focus on baseline cyber hygiene means carriers should consider making coverage contingent on policyholders implementing core controls such as MFA, vulnerability patching, and incident response planning. Underwriters may also need to conduct more thorough risk assessments before binding policies. In the underwriting process, insurers must avoid covering entities engaged in prohibited transactions, particularly within trade credit, political risk, and financial institution insurance lines. NYDFS expects carriers to require disclosures regarding sanctions compliance frameworks and transaction monitoring capabilities. For crypto-related coverage, insurers must assess whether policyholders in the virtual currency space are using sufficient blockchain monitoring tools and complying with OFAC sanctions — especially when covering wallets, platforms, or digital asset custodians, where compliance risks are especially acute. Additionally, insurers themselves are subject to both OFAC requirements and the cybersecurity mandates of 23 NYCRR Part 500. This includes not only insurance companies but also third-party administrators and producers, who are expected to understand and comply with applicable sanctions restrictions. NYDFS advises insurers to review internal controls and ensure consistent, enterprise-wide compliance across both operational functions and distribution channels.
Conclusion
NYDFS’s June 2025 industry letter sends a clear message: regulated entities must be prepared for the spillover effects of global instability. Institutions should immediately review and reinforce their cybersecurity posture, sanctions compliance frameworks, and oversight of virtual currency activities. Insurance carriers, in particular, should revisit underwriting standards, policyholder risk assessments, and internal compliance policies to reflect today’s evolving threat landscape. The geopolitical environment is volatile, and NYDFS expects regulated entities to stay ahead of emerging risks — not merely react to them. A proactive approach to cyber and financial integrity will protect institutions, customers, and the broader financial system.
Finally, it is clear from the letter that NYDFS views OFAC sanctions obligations as preempting state insurance laws. This has important implications for insurers: when U.S. sanctions laws require an insurer to withhold payment from a policyholder or claimant — such as when there is a risk of violating OFAC sanctions — the insurer is unlikely to face enforcement or penalties from state insurance regulators for failing to comply with otherwise applicable state insurance requirements. This recognition by NYDFS provides critical regulatory clarity and underscores the need for insurers to integrate federal sanctions compliance into their claims handling, underwriting, and enterprise risk management practices.