The New York Department of Financial Services (DFS) recently entered a settlement for $1.5 million with a Maine based mortgage lender over allegations that the company failed to comply with the state’s cybersecurity rules.

During a routine examination of the company’s cybersecurity systems, the DFS found that the company did not adequately disclose a data breach stemming from a phishing attack that captured the company’s consumer information.  The New York cybersecurity rule requires that entities licensed with the DFS must report “cybersecurity events” within 72 hours of their occurrences.  The company was well outside of the allotted time to report to DFS because the examination of the company uncovered the cybersecurity event 18 months after it happened.

Additionally, the routine examination exposed that the company did not have a comprehensive cybersecurity risk assessment, which the state’s cybersecurity rule requires.  The DFS requires comprehensive risk assessments to ensure that companies keep a watchful eye over their consumer’s nonpublic information.

The consent order requires the company to make certain cybersecurity improvements to comply with state regulations.  The company identified the customers whose data was potentially accessed and offered them a credit monitoring and identity theft package for a period of time.