New York DFS fines mortgage lender in cybersecurity enforcement action | Patterson Belknap Webb & Tyler LLP
The New York Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resolving violations of the DFS Cybersecurity Regulation. This is only the second enforcement action DFS has brought under the Cybersecurity Regulation, which was the first of its kind nationwide.
RMS experienced a cyber incident in March 2019, when an intruder gained access to an employee’s email account through a phishing attack, according to the consent order between RMS and DFS. The employee’s email account frequently contained sensitive data from mortgage applicants, such as social security numbers and bank account numbers. When the intruder attempted to access the employee’s email account, the employee received a prompt to approve the login through the company’s multi-factor authentication system. The employee approved the request, allowing remote access to her email account, even though she had not initiated the login herself. This is an example of how human error is one of the biggest risks in cybersecurity: although RMS had implemented multi-factor authentication for employee email, the employee’s misuse of that system led to the breach.
RMS did not “properly investigate” the data breach and therefore did not provide notice of the breach to consumers or to any government agency. Specifically, the Cybersecurity Regulation, 23 NYCRR 500.17(a)(1), requires notification to DFS within 72 hours. RMS also did not conduct a comprehensive cybersecurity risk assessment, as required by the Cybersecurity Regulation, 23 NYCRR 500.09. As explained in the settlement agreement, a risk assessment “should result in thoughtful cybersecurity programs specifically designed to protect the privacy of business and consumer data.”
DFS recognized “RMS’s commitment to remediation by devoting significant financial and other resources to improving its cybersecurity program, including through ongoing changes to its policies, procedures, systems, security structures, governance and staff,” and noted that RMS has also committed to additional remediation. In addition to the monetary penalty, the settlement requires RMS to submit a cybersecurity incident response plan, a cybersecurity risk assessment, and training and monitoring materials within ninety days of the date of the consent order.
In the March 3 press release announcing the settlement, Financial Services Superintendent Linda A. Lacewell said that “[p]rotecting all consumers is paramount as cyber threats continue to increase during a time of vulnerability,” and that “DFS will continue to take leadership steps to ensure our licensees meet their cybersecurity obligations” by protecting the private data of their New York customers and all the customers they serve, no matter where they reside.