By April 9, 2020, DFS requires that each regulated institution submit a response to DFS describing the institution’s plan of preparedness to manage the risk of disruption to its services and operations. Responses are to be submitted to the following designated email address: firstname.lastname@example.org.
As noted by Shirin Emami (Executive Deputy Superintendent – Banking), an institution’s preparedness plan “should be sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities.”The institution’s plan, at a minimum, should include the following:
- Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts;
- A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak, which includes an assessment of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
- Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. This would also include an assessment and testing of the capacity of the existing information technology and systems in light of a potential increased remote usage;
- An assessment of potential increased cyber-attacks and fraud;
- Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19. See New York State Department of Health website, and CDC Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019;
- Assessment of the preparedness of critical outside-party service providers and suppliers;
- Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
- Testing the plan to ensure the plan policies, processes and procedures are effective; and
- Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
2019 Compliance Certification Filing Deadline Extended
In addition, with respect to compliance with DFS’s cybersecurity regulation (23 NYCRR 500)(“Part 500”), DFS has extended the Compliance Certification Filing Deadline for Year 2019 from April 15, 2020 to June 1, 2020 due to the pandemic. All Covered Entities and licensed individuals who are not fully exempt from Part 500 now have until June 1, 2020 to submit the required Certificate of Compliance, certifying their compliance for the 2019 calendar year. Note that Covered Entities do not need to file new Notices of Exemption. If there have been any changes from previous filings, then the entity or individual should update their status accordingly.
Attorneys at Bressler, Amery & Ross, P.C. are available to discuss DFS’s requirements and to counsel your institution through the regulatory labyrinth created by the novel coronavirus. If you have questions or concerns, please do not hesitate to contact us.