On March 3, 2021, the New York Department of Financial Services (NYDFS) announced a Consent Order with a NYDFS-licensed Maine-based mortgage banker and loan servicer settling alleged violations of the NYDFS cybersecurity regulations. (In the matter of Residential Mortgage Services, Inc., March 3, 2021).

As a result of the regular safety and soundness examination of Residential Mortgage Services (RMS) in March 2020 for the period of January 1, 2017 through December 31, 2019, the NYDFS reviewed RMS’s compliance with the NYDFS cybersecurity regulations (23 NYCRR Part 500.) While the examination was going on, RMS filed the required annual certification for 2019 of compliance with the NYDFS cybersecurity regulations.

Unfortunately, the examination revealed that RMS had never fully investigated a cybersecurity event that had occurred in March 2019. On March 6, 2019, RMS learned that the email account of an employee who collected substantial amount of sensitive personal data from mortgage loan applicants was compromised by an unauthorized intruder the prior day.

On the afternoon of March 5, 2019, the employee had responded to a phishing email, one bearing the false appearance of originating from a business partner. RMS had installed multi-factor authentication (MFA), as required by the NYDFS cybersecurity regulations. In this case, MFA involved an alert sent to the employee, which consisted of a notice that someone was seeking approval to login to her email account and asked her to approve the access. She indicated her approval. After the fifth such alert, she notified the RMS’ IT department, which determined that an intruder had accessed the employee’s email account on four occasions between March 5 and 6 and blocked further access to the account. However, RMS failed to investigate the intrusion further.

The consent order states that the NYDFS found that RMS:

  • Had failed to (1) determine whether the employee’s mailbox contained private consumer data during the breach, (2) identify which consumers were impacted, and (3) apply the applicable state notice requirements triggered by the breach
  • Initiated a proper investigation into the incident and determined which consumer and state breach notices were required by law only after prompting from the NYDFS and 18 months after the breach
  • Did not have a comprehensive cybersecurity risk assessment required by the Cybersecurity regulation

As a result, the NYDFS determined that the failure to appropriately investigate the March 2019 breach “undermine[d] the accuracy” of RSM’s certificate of compliance with the NYDFS cybersecurity regulations it had filed for 2019.

The Consent Order required RMS to pay $1.5 million, and within 90 days, submit to NYDFS all of the following: a comprehensive written Cybersecurity Incident Response Plan; a comprehensive cyber risk assessment; RMS’ risked-based policies, procedures and controls; and documentation on its more recent cyber training.

While some settlements with financial services regulators may indicate that the financial services company being penalized neither admits nor denies the regulator’s allegations, or just includes a generic indication of wanting to resolve the matter without a need for formal proceedings, this consent order states specifically that “the Parties acknowledge that failures to conduct business in accordance with such standards require immediate remediation and imposition of a civil monetary penalty.”