Following on the heels of the New York Department of Financial Services' February 25, 2022 letter to regulated entities regarding the "Escalating Situation in Ukraine and the Impact to Financial Sector," on March 2, 2022, Governor Phil Murphy issued Exec. Order No. 291 (March 2, 2022) ("EO 291"). EO 291 directs the Department of Banking and Insurance ("Department") to issue bulletins or directives to its regulated entities requiring them to fully comply with United States sanctions on the Russian Federation and Belarus, as well as with applicable New Jersey and federal laws and regulations.
To that end, on March 17, 2022, the Department issued Bulletin No. 22-05 directing regulated entities to fully comply with U.S. sanctions, including those on Russia and Belarus, as well as with applicable law. The Bulletin identifies particular vulnerabilities for the banking and insurance industries, respectively, and notes that the risks present throughout both industries can be mitigated by "a comprehensive risk management process overseen by senior management and Boards of Directors of entities authorized to do business in New Jersey." This process is part of each entity's obligation to maintain strong corporate governance, and insurance companies and other entities regulated under the Insurance Holding Company System Act should report on it in the Annual Form F Enterprise Risk Report due on or before April 1 of each year. The Department fully expects regulated entities to have policies, procedures, and processes in place to implement the necessary internal controls, with training, risk assessments, testing, and auditing appropriate to their risk profile.
The Bulletin also provides a non-exhaustive summary of steps that regulated entities should take to protect themselves, their data, and the interests of their policyholders and business partners. As Cybersecurity Regulated Entities, insurance regulated entities must evaluate their systems for cyber risk and take appropriate action to mitigate it. The Russian invasion of Ukraine significantly elevates the cyber risk to the U.S. financial sector, and Russia's ongoing cyber-attacks against Ukraine have the potential to damage networks beyond Ukraine's borders.
The Bulletin identifies critical steps which regulated entities should take to protect against cyber-attacks:
- Review their cybersecurity programs to ensure full compliance, with particular attention to core cybersecurity measures such as multi-factor authentication ("MFA"), privileged access management, vulnerability management, and disabling or securing remote desktop protocol ("RDP") access.
- Review, update, and test their incident response and business continuity planning, and ensure that those plans address destructive cyber-attacks such as ransomware.
- Re-evaluate their plans to maintain essential services, protect critical data, and preserve customer confidence in light of the realistic threat of extended outages and disruption.
- Conduct a full test of their ability to restore their systems and data from backups. Regulated entities should not assume that they can restore their systems and data until a full restoration test has been successfully completed.
- Provide additional cybersecurity awareness training and reminders for all employees.
Regulated entities that do business in Ukraine and/or Russia are cautioned to employ increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers, including traffic over virtual private networks; to review firewall rules and all active access controls; and to segregate the networks of Ukrainian or Russian offices from the global network.
Cybersecurity events should be reported immediately to law enforcement, including the FBI, and to CISA at https://www.cisa.gov/uscert. In New Jersey, reports should also be filed with the New Jersey Cybersecurity & Communications Integration Cell ("NJCCIC") at www.cyber.nj.gov, an important step in tracking and halting cyber-attacks. NJCCIC also offers a free membership through which members receive alerts, advisories, bulletins, and training notifications.
The Department's Bulletin also addresses global economic sanctions against Russian individuals, banks, and other entities and confirms the obligation of regulated entities to comply with the Office of Foreign Assets Control ("OFAC") orders and guidance on implementation of these sanctions.
Finally, highlighting the importance of cybersecurity, particularly in times of global unrest, the Department reminds the industry that it may take action, up to and including suspension and revocation of licenses, permits, registrations, and certifications, against regulated entities owned or controlled by the government of Russia, Belarus, or their instrumentalities, and against businesses that invest directly in such companies, and it cites specific legal authority supporting such enforcement actions.
Questions regarding these matters and regulatory compliance can be directed to Cynthia Borrelli or Christopher Osnato.