Industry Letter, June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts | Department of Financial Services
June 23, 2025

To: All Individuals and Entities Regulated by the New York State Department of Financial Services

Re: Impact to Financial Sector of Ongoing Global Conflicts

The New York State Department of Financial Services (the "Department") is issuing this guidance ("Guidance") to all individuals and entities regulated by the Department ("regulated entities") to reiterate the importance of adhering carefully to U.S. sanctions, as well as to New York State and Federal laws and regulations, including Department cybersecurity and virtual currency regulations set forth in 23 NYCRR Part 500 and 23 NYCRR Part 200, respectively. This Guidance highlights steps regulated entities should take to prepare for an increased threat of cybersecurity attacks in light of ongoing global conflict. The Department understands that not every measure applies to every regulated entity; however, in the interest of transparency and as a means of helping to focus regulated entities' attention on certain key controls, the Department is sharing this vital information with all regulated entities.

The Department will provide further guidance to regulated entities as necessary.

CYBERSECURITY

Escalating global conflict significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns.

Regulated entities should review their cybersecurity programs to ensure full compliance with the Department's cybersecurity regulation, 23 NYCRR Part 500. They are encouraged to pay particular attention to core cybersecurity hygiene measures like multi-factor authentication, privileged access management, vulnerability management, and disabling or securing remote desktop protocol access, each of which helps to prevent cybersecurity threats and mitigate the impact of a cyber event. In addition, regulated entities should:

Regulated entities should also closely track guidance and alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and relevant Information Sharing and Analysis Centers (ISACs).

Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR 500.17(a) as promptly as possible, and within 72 hours in any event, via the secure Department Portal, which can be accessed from the Cybersecurity Resource Center. Regulated entities should also immediately report cybersecurity events to law enforcement, such as to the FBI, including at https://www.ic3.gov, and to CISA at https://myservices.cisa.gov/irf or (844) Say-CISA (844-729-2472).

SANCTIONS

All orders and guidance on sanctions, including financial entities on the Specially Designated Nationals (SDN) List, are accessible on the U.S. Treasury Department's website. Regulated entities are urged to sign up for email updates directly from the U.S. Treasury to ensure timely implementation of any further sanctions.

U.S. persons, including, without limitation, banking organizations, virtual currency businesses, insurers, and other financial institutions, as well as insurance producers and third-party administrators, are prohibited from engaging in any financial transactions with persons on the SDN List unless the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has authorized otherwise through licenses listed on the OFAC website or by obtaining a separate license for a particular transaction.

Regulated entities should undertake the following actions immediately:

VIRTUAL CURRENCY

Ongoing developments also significantly increase the risk that virtual currency transfers may be used to evade sanctions for listed individuals and entities, including through transmission of virtual currency to or from users located in comprehensively sanctioned jurisdictions. Accordingly, all regulated entities engaging in virtual currency business activity, including but not limited to BitLicensees and Limited Purpose Trust Companies, must have tailored policies, procedures, and processes to protect against the unique risks that virtual currency presents, including through implementation of existing Federal and Department guidance related to sanctions compliance. These include, but are not limited to:

Regulated entities should pay special attention to the effectiveness of virtual currency-specific control measures, including but not limited to sanctions lists, geographic screening, and any other measures relevant to each entity's specific risk profile.

Examples of virtual-currency-specific internal controls include:

Regulated entities should have policies, procedures, and processes in place to implement necessary internal controls, with appropriate training, risk assessments, and testing and auditing against their risk profile.

Sincerely,

Adrienne A. Harris, Superintendent

New York State Department of Financial Services