Banking and Finance Law Daily
Thursday, March 4, 2021

Mortgage lender settles New York’s cybersecurity charges, pays $1.5M civil penalty

By Thomas G. Wolfe, J.D.

The NYDFS found that Residential Mortgage Services, Inc. violated New York’s Cybersecurity Regulation by failing to report a cyber breach.

In a settlement with the New York State Department of Financial Services (NYDFS), Residential Mortgage Services, Inc. (RMS), a licensed mortgage banker, has agreed to resolve charges that it violated New York’s Cybersecurity Regulation by failing to report a March 2019 cybersecurity breach that exposed the private data of New York residents. Under the NYDFS administrative consent order, RMS will pay a $1.5 million civil monetary penalty to the state of New York for violating the regulation. In keeping with the settlement, RMS already has begun the process of making improvements to its existing cybersecurity program to ensure that its cybersecurity controls are "fully compliant with the Cybersecurity Regulation." The NYDFS also noted that RMS "cooperated throughout the examination and investigation" by the state agency, and RMS appears to be "committed to expediting remediation of its cybersecurity controls."

NYDFS Superintendent of Financial Services Linda Lacewell commented that it is the agency’s "paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time" and that the NYDFS will continue to take actions to "ensure that our licensees fulfill their cybersecurity duties" and safeguard the private data of their customers.

Backdrop. In March 2017, the NYDFS’s Cybersecurity Regulation (Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York) became effective. It was the first comprehensive state cybersecurity regulation in the nation.

During its July 2020 examination of RMS, the NYDFS uncovered evidence that RMS had been the subject of a cyber breach in March 2019. However, the cyber breach had not been reported to the NYDFS, which constituted a violation of Section 500.17 of the Cybersecurity Regulation. According to the agency, the breach "involved unauthorized access to the email account of an RMS employee with access to a significant amount of sensitive personal data of mortgage loan applicants." Moreover, until the company was prompted to do so in 2020 by the NYDFS, RMS "failed to conduct an internal investigation and identify the consumer data exposed," the agency found. This also ran afoul of the New York Cybersecurity Regulation because it requires companies to conduct a "comprehensive Cybersecurity Risk Assessment" in this type of situation.

Consent order. In addition to the $1.5 million civil monetary penalty, which is to be paid within 10 days of execution of the NYDFS administrative consent order, RMS is required to:

  • continue to strengthen its controls to protect its cybersecurity systems and the private data of consumers;
  • submit to the NYDFS a "comprehensive written Cybersecurity Incident Response Plan;"
  • submit to the NYDFS a report about its current risk-based policies, procedures, and controls concerning cybersecurity monitoring; and
  • submit to the NYDFS a report about the company’s current "cybersecurity awareness training for all personnel."

Companies: Residential Mortgage Services, Inc.
