
Cybersecurity Enforcement: New York Department of Financial Services issues first

Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.

On March 3, 2021, the New York State Department of Financial Services (“NYDFS”) announced that mortgage lender Residential Mortgage Services, Inc. (“RMS”) will pay a penalty of $1.5 million to the State to settle violations of the NYDFS Cybersecurity Regulation, 23 NYCRR 500 (“Cybersecurity Regulation”).[1] Although the NYDFS commenced its first enforcement action in July 2020 against insurer First American Title Insurance Company, this appears to represent the first penalty issued by the NYDFS under the Cybersecurity Regulation and the second reported enforcement action.

As we have set forth in our previous client alerts,[2] the NYDFS Cybersecurity Regulation establishes numerous specific administrative and technical security requirements that covered entities must adopt and implement. The violations here stem from RMS’s failure to disclose a 2019 data breach and its failure to conduct the required cybersecurity risk assessments. Importantly, the violations were uncovered during a routine compliance examination conducted between March and August 2020, which puts covered entities on notice that the NYDFS will be proactive in its efforts to ensure compliance with the Cybersecurity Regulation. The NYDFS settlement continues a trend among regulators and lawmakers toward cybersecurity enforcement and the establishment of defined standards for compliance.

The NYDFS Examination and Discovery of the 2019 Data Breach

On March 30, 2020, NYDFS commenced a routine safety and soundness examination of RMS covering the period from January 2017 through December 2019, which included an assessment of RMS’s compliance with the Cybersecurity Regulation. During the course of the examination, RMS disclosed that it had suffered a data breach 18 months earlier, in March 2019, and that it had neither conducted an in-depth investigation of the incident nor disclosed the event’s occurrence to NYDFS or other state agencies.

The breach originated from a phishing email sent to an RMS employee. As a mortgage lender licensed in over 20 states, RMS collects sensitive personal information from customers applying for mortgage loans, including Social Security and bank account numbers. On March 5, 2019, an employee who collects a “substantial amount” of this data received a phishing email that appeared to come from a business partner. The employee followed a malicious link in the email to a website where she entered her email credentials. Although RMS had multi-factor authentication in place to protect company email accounts, the employee approved several remote login attempts to her email account, thereby granting the intruder access. The following day, on March 6, the employee notified RMS’s IT staff of the incident. The IT team traced the breach to an IP address in South Africa and blocked the unauthorized access to the email account. RMS did not investigate the matter further.

According to NYDFS, RMS failed to “(1) identify whether Employee’s mailbox contained private consumer data during the breach, (2) identify which consumers were impacted, and (3) apply the applicable state notice requirements triggered by the breach.” Its failure to investigate the incident until prompted by NYDFS and its failure to disclose the breach for 18 months each violated the Cybersecurity Regulation.

In its examination, NYDFS further found that RMS had violated the Cybersecurity Regulation’s requirement to conduct and maintain comprehensive cybersecurity risk assessments. Under the Cybersecurity Regulation, licensees must “identify and evaluate periodically vulnerability to cybersecurity risks and threats . . .” and design a…
