Skip to main content

New York Demands Coronavirus Emergency Plan from Crypto Firms by April 9th and Adds Requirements for Boards and CEOs

The New York Department of Financial Services (NYDFS) issued guidance to financial institutions engaged in virtual currency business activities, mandating that an emergency preparedness plan from each firm be submitted to NYDFS within 30 days from March 10, 2020.  The agency also outlined the respective responsibilities of the boards of directors, senior management, and CEOs (or their equivalents).  While the wording of the guidelines and the title “Industry Letter” may, at a first glance, seem permissive in nature, financial institutions doing business in New York must recognize that these are governmental mandates, and strict and timely compliance is imperative.

The NYDFS guidance letter, published online, addresses the firms’ executives and asks the New York regulated crypto firms to take immediate actions in response to the coronavirus outbreak.  According to the NYDFS, it is critical to ensure that “institutions have preparedness plans in place to address operational and financial risk posed by the outbreak of a novel coronavirus known as ‘COVID-19.’”  The NYDFS also reminded the crypto firms that COVID-19 exposure will occur in a variety of ways, including impact on consumers and vendors, low revenues, stock market drop, interest rate changes, supply chain and service disruptions, and decreases in the value of investments and assets.  

Board’s and Executives’ Responsibilities:

1.    CEOs (or their equivalents) must ensure that the emergency plan is prepared and submitted by April 9, 2020; and that all other steps and requirements outlined in the guidelines are implemented. 
2.    The Board of Directors (or its equivalent) at each firm is responsible for ensuring that an appropriate plan is promptly put in place, and that adequate resources are allocated to implement it.  
3.    The senior management must ensure that there are effective policies, processes, and procedures in place that allow the firm to both execute the plan and to communicate the plan; ensure consistency in approach; and ensure that all employees understand their roles and responsibilities at this time.

Emergency Plan Requirements:

The plan must assess and outline how each entity will manage the effects of the outbreak and disruptions to its services and operations.  As soon as possible and by no later than April 9, 2020, crypto firms must submit their plans to the NYDFS at [email protected] and must address the following plan categories:

1.    Preventative measures that will help mitigate the risk of operational disruption, identify the impact on customers, and be specifically tailored to the firm’s operations.
2.    Documented strategy that will address the impact of the outbreak stage-by-stage, with the responsive measures appropriately scaled for each stage.
3.    Policy assessment of all necessary facilities, systems, policies, and procedures that will allow the firm to continue critical operations and services if its employees are unavailable or working remotely.
4.    Cyber risk assessment of the increased threat of cyber-attacks and fraud due to the coronavirus outbreak.
5.    Employee-protection strategies, including how to sustain adequate workforce during the outbreak, employee awareness, and COVID-19 prevention steps.
6.    Vendor assessment of the preparedness of critical suppliers and service providers.
7.    Communication plan to help effectively communicate with customers and the public, to deliver important news, to instruct employees, and to provide a Q&A forum.
8.    Testing the plan to ensure that these policies, processes, and procedures are working and are effective.
9.    Governance and oversight of the plan, including listing the critical members of a response team, ensuring ongoing review and updates, and tracking relevant information from both the government and the institution’s own monitoring program.
10.    Financial risk assessment of the firm’s valuation of assets and investments that may be impacted by COVID-19; of the overall impact of the virus on the firm’s earnings, profits, capital, and liquidity; and of the steps needed to assist those adversely impacted by the virus.

Cyber Risk Preparedness:  

In addition to outlining the emergency plan requirements discussed above, the agency also stressed the importance of cyber awareness and emphasized that the crypto firms should be prepared for increased instances of hacking, cybersecurity threats, phishing, and other events.  See our earlier blog post addressing these risks in more detail.  

It is highly anticipated that cyber criminals will capitalize on the mass panic and the publicity surrounding COVID-19.  To that end, financial institutions should be prepared, impose heightened security measures, and potentially make “special arrangements to move Virtual Currency from ‘cold’ to ‘hot’ wallets during times when employees may not all be working from their usual locations.”  As a reminder, financial institutions remain legally responsible for notifying the NYDFS if their positive net worth falls below a certain level.  
 
If your firm needs assistance with compliance with this NYDFS requirement, please contact a member of the Mintz Privacy & Security Team.
 

Subscribe To Viewpoints

Authors

Natalie A. Prescott is a Mintz attorney and Certified Information Privacy Professional. She defends clients in high-stakes product liability matters, UCL § 17200 and false advertising cases, mass torts, and consumer class actions. Natalie also handles MDL proceedings and product liability litigation.

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.