NYDFS Requires COVID-19 Plans by April 9

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.

NYDFS does not have a one-size-fits-all set of requirements, but instead requires that the plan be “sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities.” The regulated institution’s board of directors is responsible for ensuring that the plan is in effect, with sufficient resources allocated to its implementation. Senior management are the ones to ensure that specific policies, procedures and processes are in place and effectively communicated to employees.

While this guidance is aimed at those regulated entities engaged in virtual currency activity, other regulated entities also could use the guidance as part of their own pandemic preparedness planning.

The plan must cover nine subjects, as further described in the guidance:

1. Preventative measures to mitigate the risk of operational disruption, including identifying the impact on your customers, and counterparts;
2. Strategy to address the impact of the outbreak in stages, so that your efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak;
3. Assessment of all of your facilities, systems, policies and procedures necessary to continue critical operations and services if your employees are unavailable for longer periods or are working off-site, including the effectiveness and security of remote access;
4. An assessment of potential increased risk of cyber-attacks and fraud due to an outbreak;
5. Employee protection strategies, including employee awareness and steps that employees can take to reduce the likelihood of contracting COVID-19;
6. Assessment of preparedness of your critical third-party service providers and suppliers;
7. Development of an effective communication plan to reach customers, counterparties and the public, as well as to communicate with employees, and provide a way for questions to be raised and answered;
8. Testing the plan to ensure your policies, processes and procedures are effective; and
9. Governance and oversight of the plan, including identifying the critical members of your response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and your own monitoring program.

The plan also must consider the financial risks to your business:

• Assessment of the valuation of your assets and investments that may be, or have been, impacted by COVID-19;
• Assessment of the overall impact of COVID-19 on your earnings, profits, capital, and liquidity of your institutions; and
• Assessment of reasonable and prudent steps to assist those adversely impacted by COVID-19.

As noted above, the NYDFS wants the plan to include an assessment of potential cyberattacks at the institution, noting it had special  concerns with respect to hacking risks, given how dependent virtual currency businesses are on software and electronic accounts. NYDFS pointed out that bad actors are seeking to take advantage of the disruptions caused by the current coronavirus emergency, thus requiring that the plan include increased security measures to detect possible fraudulent activity. For example, the NYDFS cybersecurity regulations require implementation of multi-factor authentication.

In addition, NYDFS expressed concerns about custody risks, “such as the possible need for special arrangements to move Virtual Currency from ‘cold’ to ‘hot’ wallets during times when employees may not all be working from their usual locations.” Because people likely will be working from alternate locations, employers may wish to remind their employees to be extra vigilant: many employees may have forgotten passwords or other user credentials. Consider using multi-factor authentication or other out-of- band communications to reset credentials for legitimate users, and not for hackers trying to steal cryptocurrency.

The same day, similar letters requiring the submission of preparedness plans also were issued to all NYDFS-regulated institutions covering operational and financial risks, and an additional letter was issued to NYDFS-regulated insurance entities.

The NYDFS has a special webpage devoted to the pandemic. In addition, Norton Rose Fulbright has established a webpage focused on the COVID-19 pandemic, offering a wide variety of information and training resources.