In an industry letter issued Friday, the New York State Department of Financial Services outlined key steps that it said financial institutions it oversees should be taking to batten down the hatches amid heightened risks stemming from the Russian assault on Ukraine.
Those risks include what DFS said is a "significantly" elevated threat to the U.S. financial sector from Russian cyber operations, which could inflict collateral damage on computer networks outside Ukraine or target U.S. infrastructure as payback for the Biden administration's response to the invasion.
Although DFS said it expects this cyber risk to be "mitigated" by the cybersecurity programs that it already requires banks, insurers and other financial companies to maintain, the agency advised firms to nevertheless thoroughly review these programs and tighten up their business continuity planning, data backup protocols and employee training as needed.
"Senior management, boards of directors, and other governing bodies of regulated entities should exercise oversight of all such planning and implementation," the agency said in the letter.
DFS also recommended that firms with Russian or Ukrainian offices take additional security precautions, saying they should, among other things, "segregate" those offices from the rest of their global corporate networks.
Friday's letter, which was signed by DFS Superintendent Adrienne A. Harris, came on the heels of a punishing round of economic sanctions announced by the U.S. Treasury Department in response to the Thursday launch of Russian military operations in Ukraine.
Those sanctions are aimed at cutting off much of Russia's banking sector from international markets and restricting access to capital for critical Russian enterprises. Other Western governments have also imposed sanctions, and additional measures have since been unveiled — including plans announced by the White House on Saturday for booting some Russian banks from SWIFT, the global payment system.
In its letter, DFS stressed the importance of staying on top of any changes in the U.S. sanctions regime, saying its regulated banks, insurers and other financial companies should be monitoring for new sanctions "on a real-time basis."
Firms should also be keeping their transaction monitoring and filtering systems updated accordingly to "capture the new sanctions as they are proposed," the letter said.
DFS has loomed large in sanctions compliance enforcement in recent years because of its oversight of numerous foreign bank branches based in New York. The state agency has also gained prominence as a digital assets regulator through its licensure of cryptocurrency exchanges and issuers.
In Friday's letter, DFS said the Russian invasion has "significantly" increased the risk that cryptocurrency could be used to facilitate sanctions evasion, acknowledging a concern that some observers have raised about a potential weakness in the U.S. sanctions response.
The agency stressed that all of its regulated institutions engaged in cryptocurrency activities "must have tailored policies, procedures and processes" to protect against this risk.
Firms should also "pay special attention to the effectiveness" of crypto-specific control measures, the agency said. Such measures could include the use of geolocation, blockchain analytics and other investigative tools for spotting and screening out potentially problematic activity associated with sanctioned entities, according to the letter.
"Regulated entities should have policies, procedures, and processes in place to implement necessary internal controls, with appropriate training, risk assessments, and testing and auditing against their risk profile," DFS said.
--Editing by Rich Mills.
Update: This story has been updated to reflect additional sanctions developments.