The New York State Department of Financial Services (NYDFS) announced on March 3rd that Residential Mortgage Services, Inc. (RMS) will pay a $1.5 million penalty to New York State for violations of the Cybersecurity Regulation, Part 500 of Title 23 (NYCRR 500 23) of the New York Codes, Rules, and Regulations.
“It is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time,” said Superintendent of Financial Services Linda A. Lacewell. “DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cybersecurity duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside.”
RMS collected private data in the course of its day-to-day operations, closing thousands of mortgage loans annually. In July 2020, NYDFS conducted an examination of RMS as a licensed mortgage banker. During the examination, NYDFS uncovered evidence that allegedly revealed that RMS had been subject to a cyber breach in 2019 that had not been reported to NYDFS.
The breach involved unauthorized access to the email account of an RMS employee with access to a significant amount of sensitive personal data of mortgage loan applicants. This cyber breach allegedly arose when that employee clicked on a hyperlink in a phishing email that falsely appeared to originate from a RMS business partner. Until prompted to do so by the NYDFS in 2020, the company failed to conduct an investigation and identify the consumer data exposed. The findings of the exam concluded RMS violated the DFS Cybersecurity Regulation in failing to timely report the breach, and that RMS failed to have a comprehensive Cybersecurity Risk Assessment, another requirement of the Cybersecurity Regulation.
As part of the settlement, RMS agrees to the penalty of $1.5 million and has commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation. The Department notes that RMS cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.
DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.
The NYDFS press release about this enforcement action is available here.