copy of Industry Letter issued by the NYSDFS on May 10, 2020
To: The Chief Executive Officers or the Equivalents of New York State Regulated Institutions
The New York State Department of Financial Services (DFS) is issuing this guidance and request for assurance to ensure your institutions have preparedness plans in place to address operational risk posed by the outbreak of a novel coronavirus known as “COVID-19”.
The effects of this outbreak are uncertain at this time. However, given the potentially significant effects an outbreak of COVID-19 could have on your institutions, it is critical that institutions establish plans to address how they will manage the potential effects of the outbreak and assess potential disruptions and other risks to their services and operations.
To that end, DFS requires that each regulated institution submit a response to DFS describing the institution’s plan of preparedness to manage the risk of disruption to its services and operations. Responses are to be provided to DFS as soon as possible and in no event later than thirty (30) days from the date of this letter. Please submit your responses to the following designated email address:
An institution’s preparedness plan should be sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities. The institution’s plan, at a minimum, should include the following:
- Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts;
- A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak, which includes an assessment of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
- Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. This would also include an assessment and testing of the capacity of the existing information technology and systems in light of a potential increased remote usage;
- An assessment of potential increased cyber-attacks and fraud;
- Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19. See New York State Department of Health website: https://health.ny.gov/diseases/communicable/coronavirus/ and CDC Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019: https://www.cdc.gov/coronavirus/2019-ncov/specific-groups/guidance-business-response.html;
- Assessment of the preparedness of critical outside-party service providers and suppliers;
- Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
- Testing the plan to ensure the plan policies, processes and procedures are effective; and
- Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
The boards of directors or the equivalents of your institutions are responsible for ensuring appropriate plans are in place, and that sufficient resources are allocated to implement such plans. The senior management is responsible for ensuring that effective policies, processes and procedures are in place to execute the plan and for communicating the plan throughout the institution to ensure consistency in approach so that employees understand their roles and responsibilities.
If you have any questions, please contact your regular point of contact at DFS.