In separate “Industry Letters” addressed to “The Chief Executive Officers or the Equivalents of New York State Regulated Institutions,” the New York Department of Financial Services (NYDFS) has mandated that regulated entities submit descriptions of their preparedness plans,[1] financial risk management plans and assessments,[2] in connection with COVID-19. The descriptions are due to the agency no later than April 9, 2020.

As organizations shift to remote and virtual operations, there is increased risk of cyberattacks and vulnerability of data privacy and integrity of information systems. Yet, NYDFS’s actions transcend data privacy and security concerns. Driven by the same motivations that had NYDFS promulgate its Cyber Regulation (the availability and integrity of critical infrastructure), NYDFS’s industry letters (and note its additional requirements to insurers, discussed here), echo responses to the financial crisis of 2008 by focusing attention on the financial capabilities of insurance companies and banks, among other regulated entities. Risks to supply chains, ongoing expansion of the global economy, and the ever-increasing sophistication and occurrence of cyberattacks only add to the scenarios of operational and financial exposure.

Seeking assurance that regulated institutions have “preparedness plans in place to address operational risk posed by” COVID-19, NYDFS requires a description of each such plan. NYDFS states:

The effects of this outbreak are uncertain at this time. However, given the potentially significant effects an outbreak of COVID-19 could have on your institutions, it is critical that institutions establish plans to address how they will manage the potential effects of the outbreak and assess potential disruptions and other risks to their services and operations.

To that end, DFS requires that each regulated institution submit a response to DFS describing the institution’s plan of preparedness to manage the risk of disruption to its services and operations. Responses are to be provided to DFS as soon as possible and in no event later than thirty (30) days from the date of this letter. Please submit your responses to the following designated email address: banking.covid19@dfs.ny.gov. [Emphasis in Original.]

NYDFS instructs that preparedness plans “should be sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities.” The letter outlines nine elements each plan should have, including risk mitigation for operational disruption and cyberattacks, and understanding the preparedness of critical third-party suppliers and service providers. The elements are:

1. Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts;
2. A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak, which includes an assessment of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
3. Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. This would also include an assessment and testing of the capacity of the existing information technology and systems in light of a potential increased remote usage;
4. An assessment of potential increased cyber-attacks and fraud;
5. Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19. See New York State Department of Health website: https://health.ny.gov/diseases/communicable/coronavirus/ and CDC Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019: https://www.cdc.gov/coronavirus/2019-ncov/specific-groups/guidance-business-response.html;
6. Assessment of the preparedness of critical outside-party service providers and suppliers;
7. Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
8. Testing the plan to ensure the plan policies, processes and procedures are effective; and
9. Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.

Seeking assurance that regulated institutions “are identifying, monitoring, and managing the potential financial risk arising from” COVID-19, NYDFS has requested descriptions of each organization’s financial risk plans and assessments, which should be emailed to banking.covid19@dfs.ny.gov.

Recognizing the potential financial impact COVID-19 will have on an organization’s customers, counterparties, service providers, and supply chains, as well as materializing revenue decline, stock market volatility, and interest rate changes, NYDFS “requires that each regulated institution submit a response to DFS describing the institution’s plan regarding managing the potential financial risk arising from COVID-19.” An organization's financial risk plan should include the following six assessments:

1. Assessment of the credit risk ratings of the customers, counterparties and business sectors impacted by COVID-19;
2. Assessment of the credit exposure to customers, counterparties and business sectors impacted by COVID-19, arising from lending, trading, investing, hedging and other financial transactions, including any credit modifications, extensions and restructurings (including capitalizations of interest);
3. Assessment of the scope and the size of credits adversely impacted by COVID-19 that currently are in, or potentially may move to, non-performing/delinquent status, including consideration of stress testing and/or sensitivity analysis of loan portfolios and the adequacy of loan loss reserves;
4. Assessment of the valuation of assets and investments that may be, or have been, impacted by COVID-19;
5. Assessment of the over-all impact of COVID-19 on earnings, profits, capital, and liquidity (including impact on loan-to-deposit ratio) of your institutions; and
6. Assessment of reasonable and prudent steps to assist those adversely impacted by COVID-19.

In each letter, NYDFS reminds that an organization’s boards of directors or equivalent is responsible for ensuring appropriate plans are in place, and that sufficient resources are allocated to implement such plans. Senior management is responsible for ensuring the effective implementation of policies and procedures, including sufficient communication to the organization’s workforce.

NYDFS’s requests reflect an attempt to better anticipate and understand the potential effects of the COVID-19 outbreak on regulated organizations, individually, and on the financial services industry as a whole. It also may be a cue to some organizations to begin analyzing their operational and financial risk, however late to the game they may be. In particular, the operational risk arising from a shift to remote and virtual workplaces has not been tested to the same extent as financial risks following the financial crash of 2008.

The 30-day deadline mandated by NYDFS may be a heavy lift for some organizations in a time of significant operational and financial pressure. Governor Cuomo bemoaned a lack of federal coordination in the wake of the COVID-19 outbreak. Given the prominence of NYDFS (e.g., NYDFS’s Cyber Regulations) and recent coordination between New York and other states in attempts to stem the virus outbreak, it is likely that other state and federal agencies may follow NYDFS’s lead and request similar reports from members of the financial services, banking, and insurance industries. We will continue to monitor this development.

[1] https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_risk_coronavirus

[2] https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_financial_risk_coronavirus

[View source.]