New York’s Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resulting from violations of the agency’s Cybersecurity Regulation. This is only the second enforcement action DFS has brought under the Cybersecurity Regulation, which was the first regulation of its kind in the nation.
RMS experienced a cyber incident in March 2019, when an intruder gained access to an employee’s email account by way of a phishing attack, according to the company’s settlement with DFS. The employee’s email account frequently contained sensitive data from mortgage loan applicants, such as Social Security numbers and bank account numbers. When the intruder attempted to access the employee’s email account, the employee received a prompt to authenticate the login through the company’s multifactor authentication system. The employee approved the prompt, permitting remote access to her email account, even though she had not initiated the login request herself. This is an example of how human error is one of the biggest risks in cybersecurity: although RMS had multifactor authentication in place for its employee email, the employee’s approval of an authentication request she had not triggered defeated that control and led to a breach.
RMS failed to “conduct an appropriate investigation” into the data breach and was therefore unable to provide a data breach notice to consumers or any state agency. Specifically, the Cybersecurity Regulation, 23 NYCRR 500.17(a)(1), requires notice to DFS within 72 hours. RMS also failed to conduct a comprehensive cybersecurity risk assessment, which is required by the Cybersecurity Regulation, 23 NYCRR 500.09. As explained in the settlement agreement, a risk assessment “should result in thoughtful cybersecurity programs specifically tailored to safeguard the confidentiality of company and consumer data.”
DFS acknowledged RMS’s “commitment to remediation by devoting significant financial and other resources to enhance its cybersecurity program, including through changes now underway to its policies, procedures, systems, governance structures, and personnel,” and noted that RMS has also committed to further remediation. In addition to the monetary penalty, the settlement requires RMS to submit a Cybersecurity Incident Response Plan, a Cybersecurity Risk Assessment, and Training and Monitoring materials within ninety days of the date of the consent order.
In the March 3, 2021 press release announcing the settlement, Superintendent of Financial Services Linda A. Lacewell said that “[i]t is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time,” and that “DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cybersecurity duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside.”