Alert
06.23.2025

The New York State Department of Financial Services (the “Department”) has issued guidance (“Guidance”) to all individuals and entities regulated by the Department (“Regulated Entities”) to underscore the importance of adhering carefully to U.S. sanctions, as well as to New York State and Federal laws and regulations, including Department cybersecurity and virtual currency regulations set forth in 23 NYCRR Part 500 and 23 NYCRR Part 200, respectively. The Guidance highlights steps Regulated Entities should take to prepare for an increased threat of cybersecurity attacks in light of ongoing global conflict, which include:

  • Review their risk assessment(s) to account for recent changes in the cyber-risk landscape.
  • Monitor and regularly assess risks presented by third-party service provider arrangements.
  • Review, update, and test their incident response and business continuity plans, and ensure that the plans affirmatively address destructive cyberattacks such as ransomware.
  • Re-evaluate plans to maintain essential services, protect critical data, and preserve customer confidence, considering the increased threat of extended outages and disruption.
  • Implement and continuously update risk-based controls designed to detect unauthorized or anomalous activity, such as Endpoint Detection and Response and Security Information and Event Management tools.
  • Conduct a full test of the ability to restore from backups.
  • Provide additional cybersecurity awareness training and reminders for all personnel.
  • Pay close attention to multi-factor authentication, privileged access management, vulnerability management, and disabling or securing remote desktop protocol access.
  • Monitor all communications from the Department, the U.S. Department of the Treasury, OFAC, and other Federal agencies on a real-time basis, to stay abreast of the latest developments and to ensure that systems, programs, and processes remain in compliance with all the requirements and restrictions.
  • Review Transaction Monitoring and Filtering Programs to make any modifications necessary to capture new sanctions and to ensure continued compliance with all applicable laws and regulations, including the Department’s transaction monitoring regulation (3 NYCRR Part 504).
  • Monitor all transactions going through their institutions, particularly trade finance transactions and funds transfers, to identify and block transactions subject to OFAC sanctions and follow OFAC’s direction regarding any blocked funds.
  • Ensure that their OFAC compliance policies and procedures are being updated on a continuous basis to incorporate any new sanctions that may be imposed on additional entities.

Regulated Entities should also closely track guidance and alerts from the Cybersecurity and Infrastructure Security Agency (“CISA”) and relevant Information Sharing and Analysis Centers (“ISACs”).

Continuing global unrest also increases the risk that virtual currency transfers could be used to evade sanctions for listed individuals and entities. Therefore, Regulated Entities should pay special attention to the effectiveness of virtual currency-specific control measures including, but not limited to, sanctions lists, geographic screening, and any other measures relevant to each entity’s specific risk profile.

The Department’s full Guidance can be located on the Department’s website at: www.dfs.ny.gov

Questions may be directed to Cynthia Borrelli, who directs the Firm’s Insurance & Healthcare Regulatory and Transactional Practice.
