Bridging the Cyber Risk Gap: What DFS Guidance Improves—and What It Misses
Cyber risk is entering a new phase—one where stronger controls alone are no longer enough to ensure meaningful risk reduction. In response to a heightened threat environment, the New York Department of Financial Services (DFS) has issued guidance encouraging organizations to strengthen foundational cybersecurity controls. While these recommendations improve consistency and discipline in control execution, they do not fully address a more pressing question: how much risk is actually being reduced.
Our latest special report, “The Cyber Risk Gap: What DFS Guidance Reduces—and What It Doesn’t,” explores this disconnect. The analysis shows that modern cyber risk is increasingly non-linear. In practical terms, this means that even as organizations improve control effectiveness—through measures such as multi-factor authentication, monitoring, and vulnerability management—risk does not decline in a predictable or proportional way. Instead, small variations in control performance, particularly under stress, can lead to disproportionately large increases in attack impact.
This dynamic is driven by an evolving threat landscape shaped by AI-enabled attack techniques, expanding attack pathways, and changing geopolitical conditions. In such environments, attackers are better positioned to exploit gaps in execution, timing, and coordination. Controls that appear sufficient in isolation may be less effective when viewed across end-to-end attack scenarios. As a result, organizations may gain a false sense of security based on control maturity metrics that do not reflect real-world exposure.
The report highlights what we call the “scenario gap”—the difference between control-focused guidance and business-level decision-making. Executives need to understand not just whether controls are in place, but how those controls perform under real conditions, how threats are evolving, and what level of residual risk remains after defensive actions are taken. Without this perspective, security investments risk being misaligned with actual loss exposure.
To close this gap, organizations must move beyond static assessments and adopt scenario-based cyber risk measurement. This approach connects controls, threat conditions, and business operations into a unified view of exposure—enabling leaders to prioritize actions that will materially reduce risk.
In today’s environment, the question is no longer whether your controls exist or even whether they are improving. The question is whether they are improving fast enough—and in the right ways—to keep pace with how cyber risk is truly evolving.
Don't be left unprepared: download the special risk forecast and start protecting your business now.
CyberRiskModels.com
326 Howard Street, Mount Airy, NC