On March 1, 2017, the New York State Department of Financial Services (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) became effective.^[1] Fast forward four years, where NYDFS issued its first penalty under the Cybersecurity Regulation arising from a standard examination. On March 3, 2021, NYDFS entered into a Consent Order with Residential Mortgage Services, Inc. (“RMS”) that requires RMS to pay a penalty of $1.5 million after a standard examination uncovered an unreported email compromise impacting New York consumers and a lack of periodic risk assessments by RMS. Previously, the only NYDFS cybersecurity enforcement action was against a title insurance company that experienced a large, publicly-reported data breach. The fact that NYDFS penalized RMS in connection with a standard examination demonstrates the importance of covered entities’ compliance with the Cybersecurity Regulation.

Covered Entities

The Cybersecurity Regulation defines a covered entity as those “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of New York.^[2] Generally, this applies to many businesses directly and indirectly overseen by NYDFS, including businesses that are not located in New York. There are both notification and security requirements detailed under the Cybersecurity Regulation.

Covered Entities with a Limited Exemption

Limited exemptions under the Cybersecurity Regulation include businesses with any of the following: (1) fewer than ten employees, (2) less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations (including for its affiliates), or (3) less than $10 million in year-end total assets.^[3] Though not completely exempt from the Cybersecurity Regulation, such business does not need to comply with the following requirements:

• Chief Information Security Officer (23 NYCRR 500.4),
• Penetration Testing and Vulnerability Assessments (23 NYCRR 500.5),
• Audit Trail (23 NYCRR 500.6),
• Application Security (23 NYCRR 500.8),
• Cybersecurity Personnel and Intelligence (23 NYCRR 500.10),
• Multi-Factor Authentication (23 NYCRR 500.12),
• Training and Monitoring (23 NYCRR 500.14),
• Encryption of Nonpublic Information (23 NYCRR 500.15), and
• Incident Response Plan (23 NYCRR 500.16).^[4]

However, such businesses with a limited exemption are still required to comply with the following requirements:

• Cybersecurity Program (23 NYCRR 500.2),
• Cybersecurity Policy (23 NYCRR 500.3),
• Access Privileges (23 NYCRR 500.7),
• Risk Assessment (23 NYCRR 500.9),
• Third Party Service Provider Security Policy (23 NYCRR 500.11),
• Limitations on Data Retention (23 NYCRR 500.13),
• Notices to Superintendent (23 NYCRR 500.17),
• Confidentiality (23 NYCRR 500.18),
• Exemptions (23 NYCRR 500.19),
• Enforcement (23 NYCRR 500.20),
• Effective Date (23 NYCRR 500.21),
• Transitional Periods (23 NYCRR 500.22), and
• Severability (23 NYCRR 500.23).^[5]

Enforcement Action

On March 3, 2021, NYDFS entered into a consent order with RMS under the New York Banking Law. The NYDFS enforcement action commenced from a routine examination that started in March 2020, which uncovered the fact that RMS had experienced an email compromise in March 2019 where an RMS employee with a significant amount of individuals’ personal information stored in their email account was not investigated nor was notification to individuals or regulators provided. Further, NYDFS identified in its examination that RMS did not have a comprehensive Cybersecurity Risk Assessment.

For the settlement of the enforcement action, RMS agreed to pay the penalty of $1.5 million to NYDFS and to commence further improvements to its existing cybersecurity program, including certain cybersecurity controls in compliance with the Cybersecurity Regulation. Of importance, NYDFS observed RMS’s cooperation throughout the examination, which NYDFS noted has appeared to assist RMS in expeditious remediation efforts.

Takeaways

The NYDFS enforcement action and resulting penalty highlights two important components of the Cybersecurity Regulation – (1) the affirmative obligation to notify NYDFS of a Cybersecurity Event and (2) the security requirement of conducting a Cybersecurity Risk Assessment. These both go hand-in-hand in a cybersecurity event, such as an email compromise, where a business should conduct a timely investigation of the incident to determine whether any individuals’ personal information was potentially accessed and/or misused as a result of the event and, where confirmed, notify the involved individuals and required regulator(s). Further, a business should ensure that it periodically conducts a risk assessment of its systems, including its email environment, to address changes to its systems, nonpublic information, or business operations. In today’s world, businesses are well aware of the rise of cybersecurity events, such as business email compromises, and covered entities should take the RMS enforcement action seriously in terms of investigating cybersecurity events, notifying the involved individuals and regulators (including NYDFS) when required, and conducting regular risk assessments, among the other requirements under the Cybersecurity Regulation.

[1] 23 NYCRR 500. The regulation did not take full effect until March 2019. See Department of Financial Services Announces Cybersecurity Settlement with Mortgage Lender, NYDFS Press Release (March 3, 2021), available here.

[2] 23 NYCRR 500.1(c).

[3] 23 NYCRR 500.19(a).

[4] Id. See also, FAQs: 23 NYCRR Part 500 – Cybersecurity, NYDFS, available here (referring to FAQ No. 5, “If I have a limited exemption, what provisions of the regulation do I still need to comply with?”).

[5] Id.