3 minute read | March.01.2022
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine, which could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure.
Updated cybersecurity regulation guidance
NYDFS suggested that regulated entities with programs pursuant to its cybersecurity regulation (23 NYCRR 500) have the potential to mitigate increased cyber threats and should take the following steps:
NYDFS also advised that regulated entities should keep track of known threat actors and take extra precautions when doing business in Russia and Ukraine, including segregating Russian and Ukrainian networks. Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR 500.17(a) as promptly as possible and within 72 hours, and should also report cybersecurity events immediately to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency.
Guidance in response to recent sanctions
In the last week, the Biden administration imposed significant new sanctions targeting Russian assets, the Russian financial market, and Russian business dealings in response to Russia’s invasion of Ukraine. (See InfoBytes coverage here.) NYDFS reiterated that regulated entities should fully comply with U.S. sanctions on Russia, as well as Part 504 of its regulations regarding transaction monitoring and filtering. In order to comply with the new sanctions, NYDFS recommended that regulated entities take the following steps immediately:
Updated virtual currency regulation guidance
NYDFS also cautioned that sanctioned entities may attempt to use virtual currency to evade sanctions. It said regulated entities must ensure they have “tailored policies, procedures, and processes to protect against the unique risks that virtual currency present” and are complying with the relevant state and federal laws, including the OFAC Sanctions Compliance Guidance for the Virtual Currency Industry and New York virtual currency regulation (23 NYCRR 200). Additionally, regulated entities should monitor the effectiveness of virtual currency-specific control measures, including sanctions lists, geographic screening, geolocation tools/IP address identification and blocking capabilities, and transaction monitoring and investigative tools, including blockchain analytics tools.
Orrick will continue to monitor the ongoing situation in Ukraine and provide updates in conjunction with significant developments.
If you have any questions regarding the NYDFS guidance or the recent Ukraine-related sanctions against Russia, please visit our Cyber, Privacy & Data Innovation or Anti Money Laundering and Bank Secrecy Act practice pages, or contact an Orrick attorney with whom you have worked in the past.