More

    Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts

    Hotspots

    June 23, 2025

    To: All Individuals and Entities Regulated by the New York State Department of Financial Services

    Re: Impact to Financial Sector of Ongoing Global Conflicts

    The New York State Department of Financial Services (the “Department”) is issuing this guidance (“Guidance”) to all individuals and entities regulated by the Department (“regulated entities”) to reiterate the importance of adhering carefully to U.S. sanctions, as well as to New York State and Federal laws and regulations, including Department cybersecurity and virtual currency regulations set forth in 23 NYCRR Part 500 and 23 NYCRR Part 200, respectively. This Guidance highlights steps regulated entities should take to prepare for an increased threat of cybersecurity attacks, in light of ongoing global conflict. The Department understands that not every measure applies to every regulated entity, however in the interest of transparency and as a means of helping to focus regulated entities’ attention on certain key controls, the Department is sharing this vital information with all regulated entities.

    The Department will provide further guidance to regulated entities as necessary.

    CYBERSECURITY

    Escalating global conflict significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns.

    Regulated entities should review their cybersecurity programs to ensure full compliance with the Department’s cybersecurity regulation (23 NYCRR Part 500). They are encouraged to pay particular attention to core cybersecurity hygiene measures like multi-factor authentication, privileged access management, vulnerability management, and disabling or securing remote desktop protocol access, each of which helps to prevent cybersecurity threats and mitigate the impact of a cyber event. In addition, regulated entities should:

    • Review their risk assessment(s) to account for recent changes in the cyber-risk landscape.
    • Monitor and regularly assess risks presented by third party service provider arrangements.
    • Review, update, and test their incident response and business continuity plans, and ensure that the plans affirmatively address destructive cyberattacks such as ransomware.
    • Re-evaluate plans to maintain essential services, protect critical data, and preserve customer confidence, considering the increased threat of extended outages and disruption.
    • Implement and continuously update risk-based controls designed to detect unauthorized or anomalous activity, such as Endpoint Detection and Response and Security Information and Event Management tools.
    • Conduct a full test of the ability to restore from backups.
    • Provide additional cybersecurity awareness training and reminders for all personnel.

    Regulated entities should also closely track guidance and alerts from the Cybersecurity and Infrastructure Security Agency (“CISA”) and relevant Information Sharing and Analysis Centers (“ISACs”).

    Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR § 500.17(a) as promptly as possible, and within 72 hours in any event, via the secure Department Portal, which can be accessed from the Cybersecurity Resource Center. Regulated entities should also immediately report cybersecurity events to law enforcement, such as to the FBI, including athttps://www.ic3.gov/, and to CISA at https://myservices.cisa.gov/irf or (844) Say-CISA (844-729-2472).

    SANCTIONS

    All orders and guidance on sanctions, including financial entities on the Specially Designated Nationals (“SDN”) List, are accessible on the U.S. Treasury Department’s website. Regulated entities are urged to sign up for email updates directly from the U.S. Treasury, to ensure timely implementation of any further sanctions.

    U.S. persons (including, without limitation, banking organizations, virtual currency businesses, insurers and other financial institutions, as well as insurance producers and third-party administrators) are prohibited from engaging in any financial transactions with persons on the SDN List, unless the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) has authorized otherwise, through licenses listed on the OFAC website, or by obtaining a separate license for a particular transaction.

    Regulated entities should undertake the following actions immediately:

    • Monitor all communications from the Department, the U.S. Department of the Treasury, OFAC, and other Federal agencies on a real-time basis, to stay abreast of the latest developments and to ensure that systems, programs, and processes remain in compliance with all the requirements and restrictions.
    • Review Transaction Monitoring and Filtering Programs to make any modifications necessary to capture new sanctions and to ensure continued compliance with all applicable laws and regulations, including the Department’s transaction monitoring regulation (3 NYCRR Part 504).
    • Monitor all transactions going through their institutions, particularly trade finance transactions and funds transfers, to identify and block transactions subject to OFAC sanctions and follow OFAC’s direction regarding any blocked funds.
    • Ensure that their OFAC compliance policies and procedures are being updated on a continuous basis to incorporate any new sanctions that may be imposed on additional entities.

    VIRTUAL CURRENCY

    Ongoing developments also significantly increase the risk that virtual currency transfers may be used to evade sanctions for listed individuals and entities, including through transmission of virtual currency to or from users located in comprehensively sanctioned jurisdictions. Accordingly, all regulated entities engaging in virtual currency business activity—including but not limited to BitLicensees and Limited Purpose Trust Companies—must have tailored policies, procedures, and processes to protect against the unique risks that virtual currency presents, including through implementation of existing Federal and Department guidance related to sanctions compliance. These include but are not limited to:

    Regulated entitiesshould pay special attention to the effectiveness of virtual currency-specific control measures including, but not limited to, sanctions lists, geographic screening, and any other measures relevant to each entity’sspecific risk profile.

    Examples of virtual-currency-specific internal controls include:

    • Use of geolocation tools and IP address identification and blocking capabilities to detect and prevent potential sanctions exposure.
    • Transaction monitoring and investigative tools, including blockchain analytics tools, to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions.

    Regulated entitiesshould have policies, procedures, and processes in place to implement necessary internal controls, with appropriate training, risk assessments, and testing and auditing against their risk profile.

    Sincerely,

    Adrienne A. Harris, Superintendent

    New York State Department of Financial Services

     

    BladeOne
    BladeOne

    Latest articles

    Previous article
    Will global markets return to their initial balance?
    Next article
    Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware

    Related articles

    Popular articles

    Featured

    Newsletter

    Subscribe to get the latest news, offers and special announcements.

    By subscribing, you're accepting to receive promotions.

    Copyright © 2025 BladeOne. All Rights Reserved.