On March 3, 2021, the New York State Department of Financial Services (NYDFS) announced a settlement with Residential Mortgage Services, Inc. (RMS) for $1.5 million in connection with its violation of the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500). This is the second publicly-announced settlement of an enforcement action brought under NYDFS’s novel cybersecurity regulation (we wrote about the first action).
According to the consent order, in March 2020, NYDFS’s Mortgage Banking Division commenced a routine examination of RMS, which included a review of its compliance with Part 500. RMS is headquartered in Maine, but it is registered as a mortgage banker in New York and other states. During the examination, NYDFS determined that RMS failed to report a March 2019 data breach incident, as required by Part 500.
The breach at issue stemmed from a phishing attack carried out against an RMS employee, which led to unauthorized access of the personal data of mortgage loan applicants. RMS also allegedly failed to conduct an investigation of the breach and identify the data exposed until prompted by NYDFS during the investigation. NYDFS also concluded that RMS failed to maintain a comprehensive Cybersecurity Risk Assessment, as required by Part 500.
In addition to the $1.5 million financial penalty, RMS agreed to specific actions to ensure that its cybersecurity program is compliant with Part 500. In its press release, NYDFS noted that “RMS cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.”
The announcement of the settlement of this cybersecurity enforcement action by NYDFS highlights the importance of comprehensive and prompt response to cybersecurity and data breach incidents, as well as the need to be aware of and comply with notification requirements imposed by state and federal regulators, in addition to requirements imposed by other governmental agencies. As more regulators appear to be moving in the direction of imposing regulations similar to Part 500, the ability of companies to make prompt and accurate reports will only become more important. In addition, companies regulated by NYDFS should take note of an increasingly aggressive enforcement posture that the agency appears to be taking with respect to compliance with Part 500.