New York Department of Financial Services Imposes Penalty and Consent Order for Cybersecurity Violations

Jones Day

The New York Department of Financial Services ("NYDFS") fined a mortgage bank $1.5 million for violations of New York's Cybersecurity Regulation, including failure to report a past cyber incident.

On March 3, 2021, the NYDFS announced it had entered into a consent order with a mortgage bank for violating New York's first-in-the-nation Cybersecurity Regulation, which became effective in March 2019. The settlement results from the agency's findings during a routine compliance examination that the mortgage bank had failed to investigate adequately a cyber incident that exposed private data, failed to report the incident under state data breach notification laws and the NYDFS Cybersecurity Regulation, and failed to conduct a comprehensive cybersecurity risk assessment—despite a certification of compliance with the Cybersecurity Regulation provided by the Chief Information Security Officer.

The examination revealed that the bank was aware of a successful phishing attack on an employee's email account that contained sensitive personal data of loan applicants. The NYDFS considered the bank's investigation into the incident to be inadequate because the bank did not review the contents of the email account to identify affected personal information and did not notify affected consumers and state agencies of the incident, as required under state data breach notification laws. The NYDFS also concluded that the bank had failed to comply with the NYDFS Cybersecurity Regulation, which required the bank to notify NYDFS within 72 hours of determining that the incident required notice to another government agency. As part of the settlement, the bank agreed to pay a $1.5 million penalty and to comply with all provisions of the Cybersecurity Regulation.

The settlement demonstrates that the NYDFS is devoting resources to examining financial institutions for compliance with the Cybersecurity Regulation. To diminish the risk of an enforcement action, financial institutions should review their policies and test their implementing practices governing cyber, information and data security, privacy, business continuity, operations and risk management, and technology. In particular, to facilitate timely reporting of cybersecurity incidents, financial institutions should assess the sufficiency of their cyber incident response plans and reporting protocols and remediate issues before NYDFS conducts an examination.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising
