New York DFS Fines Mortgage Lender in Cybersecurity Enforcement Action

Patterson Belknap Webb & Tyler LLP

Patterson Belknap Webb & Tyler LLP

New York’s Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resulting from violations of its Cybersecurity Regulation. This is just the second enforcement action brought by DFS under the Cybersecurity Regulation, which was the first of its kind nationally.

RMS experienced a cyber incident in March, 2019, when an intruder gained access to an employee’s email account by way of a phishing attack, according to the company’s settlement with DFS. The employee’s email account frequently contained sensitive data from mortgage loan applicants, such as social security numbers and bank account numbers. When the intruder attempted to access the employee’s email account, the employee received an alert to authenticate the login through the company’s multifactor authentication system. The employee provided the authentication, permitting remote access to her email account, even though she had not triggered the request herself. This is an example of how human error is one of the biggest risks when it comes to cybersecurity, because although RMS had multifactor authentication in place for its employee emails, the employee’s misuse of that system led to a breach.

RMS failed to “conduct an appropriate investigation” into the data breach and was therefore unable to provide a data breach notice to consumers or any state agency. Specifically, the Cybersecurity Regulation, 23 NYCRR 500.17(a)(1), requires notice to the DFS within 72 hours. RMS also failed to have a comprehensive cybersecurity risk assessment, which is required by the Cybersecurity Regulation, 23 NYCRR 500.09. As explained in the settlement agreement, a risk assessment “should result in thoughtful cybersecurity programs specifically tailored to safeguard the confidentiality of company and consumer data.”

DFS acknowledged RMS’ “commitment to remediation by devoting significant financial and other resources to enhance its cybersecurity program, including through changes now underway to its policies, procedures, systems, governance structures, and personnel,” and that RMS has also provided a commitment for further remediation. In addition to the monetary penalty, the settlement provisions include submittal of a Cybersecurity Incident Response Plan, a Cybersecurity Risk Assessment, and Training and Monitoring materials within ninety days of the date of the consent order. 

In the March 3rd press release announcing the settlement, the Superintendent of Financial Services Linda A. Lacewell said that “[i]t is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time,” and that “DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cybersecurity duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.