The New York Department of Financial Services (“NYDFS”) has issued a series of Industry Letters requiring regulated institutions to submit information regarding plans to manage risks associated with the novel coronavirus (“COVID-19”).  The Letters request descriptions of the entities’ planned responses to a variety of threats posed by COVID-19, including heightened cybersecurity risks.

The four Industry Letters issued by the NYDFS are directed to various regulated entities and require responses regarding the entities’ prospective responses to COVID-19.  Among the required responses are those regarding the regulated entities’ strategies to address specific cybersecurity-related risks, including:

1. The security of personnel working off-site, including the effectiveness and security of remote access;
2. Potential increased risk of cyber-attacks and fraud due to the COVID-19 outbreak; and
3. Preparedness of critical third-party service providers and suppliers.

In particular, the NYDFS’ Letter to virtual currency businesses emphasized the possibility that COVID-19 will result in “increased instances of hacking, cybersecurity threats, and similar events, as bad actors attempt to take advantage of a COVID-19 outbreak, and the possible resulting need for heightened security measures, such as enhanced triggers for fraudulent trading or withdrawal behavior.”

Each of the requested responses must be submitted to the DFS “as soon as possible and in no event later than thirty (30) days” from the date the Letters were published on March 10, 2020.

When responding to the NYDFS, affected entities should consult their existing incident response plans, cybersecurity policies and programs, and any other relevant documentation developed in compliance with the NYDFS’ Cybersecurity Requirements for Financial Services Companies.  Lessons learned from this COVID-19 response should certainly be used by NYDFS-regulated entities to bolster their plans, policies, and safeguards in the future.

Even entities not within the jurisdiction of the NYDFS may wish to consult the Industry Letters and consider their level of preparedness for COVID-19, both generally and with regard to cybersecurity in particular.

To read the NYDFS’ COVID-19 Industry Letters, see below:

• Guidance to Department of Financial Services (“DFS”) Regulated Institutions Engaged in Virtual Currency Business Activity and Request for Assurance Relating to Operational and Financial Risk Arising from the Outbreak of the Novel Coronavirus (COVID-19)
• Guidance to New York State Regulated Banks, Credit Unions and Licensed Lenders Regarding Support for Businesses Impacted by the Novel Coronavirus
• Guidance to New York State Regulated Institutions and Request for Assurance Relating to Potential Financial Risk Arising from the Outbreak of the Novel Coronavirus
• Guidance to New York State Regulated Institutions and Request for Assurance of Operational Preparedness Relating to the Outbreak of the Novel Coronavirus

The NYDFS has also issued COVID-19-related guidance for insurers, available here.