In early March, the New York Department of Financial Services (NYDFS) announced a settlement involving a $1.5M penalty and mandatory remediation in response to a mortgage lender’s alleged failure to report a cyber breach and other alleged cybersecurity failures. This is the second public enforcement action under 23 NYCRR Part 500 (the “Cybersecurity Regulation”) (see our post on the prior action here).
It is noteworthy that the settlement follows a routine safety and soundness exam by the regulator, which included a review of security issues under the Cybersecurity Regulation. The settlement illustrates both an alleged failure to report a security incident and the potential for the NYDFS to detect any such failure later in a routine examination.
The consent order noted two major cybersecurity failings on the part of the licensee, Residential Mortgage Services, Inc. (“Residential Mortgage”), according to the NYDFS:
In addition to assessing a $1.5M civil penalty, the settlement provisions require Residential Mortgage to make the following submissions to the NYDFS within 90 days:
Residential Mortgage also agreed to “fully cooperate” with the NYDFS “regarding all terms of this Consent Order,” and the NYDFS reserved all rights to take further action in the event of noncompliance. The consent order notes Residential Mortgage’s “commendable cooperation” with the investigation and remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program.”