The New York State Department of Financial Services (NYDFS) has taken several steps in response to the COVID-19 pandemic. On March 12, NYDFS released a compliance order and a series of guidance letters extending certain deadlines and requesting that organizations submit their plans for managing the risks resulting from COVID-19.
The announcements regarding the extension of deadlines and requests for information are outlined below:
The compliance order from Superintendent Linda A. Lacewell provides the following:
- DFS Regulated entities may conduct licensable activities from their personal residences so long as the organization can maintain appropriate safeguards and controls with respect to data protection and cybersecurity. However, entities may not conduct these same activities with members of the public from their personal residences.
- The deadline for filing certifications of compliance with the cybersecurity requirements mandated by 23 NYCRR 500 17(b), as well as under transaction monitoring and filtering programs (under 3 NYCRR 504.4), are extended 45 days from the original due date. Several other deadlines were extended as well, but missing from the list of reprieves is the requirement that the superintendent of the NYDFS is notified within 72 hours of a cybersecurity event covered by 23 NYCRR 500.17 (a).
Additionally, DFS issued five letters requesting information from regulated institutions about their COVID-19-related risks and plans for responding to those risks. These were requested “as soon as possible, but in no event later than 30 days from March 10, 2020.”
Further guidance is below. Item (4) encourages regulated entities to support business customers in offering accommodations by deferring payments, waiving overdraft fees, easing credit terms, and other similar actions.
The other letters are generally aimed at the NYDFS’s desire to assess organizations’ operational preparedness, and to gain an assurance that organizations are minimizing risk and developing resilience plans that address all points of operation. These points include physical operations, employee protections, the preparedness of third-party service providers and suppliers, communication, testing, and governance and oversight plans. Requests for assurance of operational preparedness also generally require an organization to outline its plan for combatting cyberattacks and fraud.
- Guidance to Department of Financial Services (“DFS”) Regulated Insurance Entities and Request for Assurance Relating to Operational and Financial Risk Arising from the Outbreak of the Novel Coronavirus (COVID-19)
- Guidance to New York State Regulated Institutions and Request for Assurance of Operational Preparedness Relating to the Outbreak of the Novel Coronavirus
- Guidance to New York State Regulated Institutions and Request for Assurance Relating to Potential Financial Risk Arising from the Outbreak of the Novel Coronavirus
- Guidance to New York State Regulated Banks, Credit Unions and Licensed Lenders Regarding Support for Businesses Impacted by the Novel Coronavirus
- Guidance to Department of Financial Services (“DFS”) Regulated Institutions Engaged in Virtual Currency Business Activity and Request for Assurance Relating to Operational and Financial Risk Arising from the Outbreak of the Novel Coronavirus (COVID-19)
The New York Department of Financial Services continues to issue announcements and guidance aimed at addressing issues that arise due to COVID-19 and the resulting unusual economic situation that the world is facing. Access all announcements here: https://www.dfs.ny.gov/industry/coronavirus