In the wake of the emerging coronavirus (COVID-19) pandemic, the New York Department of Financial Services (NYDFS) is asking regulated entities to provide the department with preparedness plans to ensure they’re equipped to address operational risk posed by threats like cyberattacks.

In two separate industry letters released earlier this month, NYDFS asked regulated institutions to submit how they're planning on managing the risk of disruption to its services and operations and how they're going to deal with managing any financial risk that may arise from COVID-19.

NYDFS is asking for entities to provide descriptions of their preparedness plans, financial risk management plans and assessments by April 9.

The demands come as many organizations, including those bound by NYDFS, have had the majority of its employees shift to working remotely via virtual workstations. With that increased flexibility comes an increased security risk.

Because working remotely often introduces new gaps in an organization's attack surface, increases the likeliness of employees using personal devices to access company data, and less stringent data protection mechanisms in place, NYDFS is looking for assurance that organizations have plans in place to mitigate that risk.

It should be assumed COVID-19 will continue to have a substantial impact on the country's supply chain, economy. Coupled with each organization's increased susceptibility to cyberattacks, it sounds like NYDFS is doing its due diligence by ensuring financial services companies under its umbrella can continue through this public health process unscathed.

“An institution’s preparedness plan should be sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities.” Shirin Emami, Executive Deputy Superintendent of NYDFS’ Banking division said earlier this month.

According to NYDFS, its looking for at least nine things to be addressed in an institution's plan:

1.  Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts;
2.  A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak, which includes an assessment of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak.
3.  Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity.  This would also include an assessment and testing of the capacity of the existing information technology and systems in light of a potential increased remote usage;
4.  An assessment of potential increased cyber-attacks and fraud;
5.  Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19.  See New York State Department of Health website: https://health.ny.gov/diseases/communicable/coronavirus/ and CDC Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019: https://www.cdc.gov/coronavirus/2019-ncov/specific-groups/guidance-business-response.html;
6.  Assessment of the preparedness of critical outside-party service providers and suppliers;
7.  Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
8.  Testing the plan to ensure the plan policies, processes and procedures are effective; and
9.  Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.

The request came on the same day the NYDFS asked organizations to provide the department assurance they had strategies in place to mitigate the financial risk associated with COVID-19.

In that letter, addressed to The Chief Executive Officers or the Equivalents of New York State Regulated Institutions, NYDFS asked orgs to submit their plans to assess and monitor COVID-19 risk, including assessments of the credit risk ratings of customers, counterparties and business sectors, valuation of assets and investments, the overall impact of the virus on earnings, profits, capital, and liquidity, and so on.

The full list of NYDFS' asks around financial risk can be found here.