In the wake of the emerging coronavirus (COVID-19) pandemic, the New York Department of Financial Services (NYDFS) is asking regulated entities to provide the department with preparedness plans.
Because working remotely often introduces new gaps in an organization’s attack surface, increases the likelihood of employees using personal devices to access company data, and often means less stringent data protection mechanisms are in place, NYDFS is looking for assurance that organizations have plans to mitigate cybersecurity breaches and assess potential disruptions and other risks to their services and operations.
The DFS recommends organizations’ plans include the following:
- Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption.
- A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak, which includes an assessment of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak.
- Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. This would also include an assessment and testing of the capacity of the existing information technology and systems in light of a potential increased remote usage.
- An assessment of potential increased cyber-attacks and fraud.
- Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19.
- Assessment of the preparedness of critical outside-party service providers and suppliers.
- Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed.
- Testing the plan to ensure the plan policies, processes and procedures are effective.
- Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
NYDFS is aware that a number of regulated institutions may already have, or may be working on, such plans, and is asking entities to provide descriptions of their preparedness plans, financial risk management plans and assessments by April 9.