Monday, April 12, 2021
On March 1, 2017, the New York State Department of Financial Services (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) became effective.[1]
Fast forward four years to March 3, 2021, when NYDFS issued its first penalty under the Cybersecurity Regulation arising from a standard examination. On that date, NYDFS entered into a Consent Order with Residential Mortgage Services, Inc. (“RMS”) that requires RMS to pay a penalty of $1.5 million after a standard examination uncovered an unreported email compromise affecting New York consumers and a lack of periodic risk assessments by RMS. Previously, the only NYDFS cybersecurity enforcement action was against a title insurance company that experienced a large, publicly reported data breach. The fact that NYDFS penalized RMS in connection with a standard examination demonstrates the importance of covered entities’ compliance with the Cybersecurity Regul
Transitional Periods (23 NYCRR 500.22), and
Severability (23 NYCRR 500.23).
Enforcement Action
On March 3, 2021, NYDFS entered into a consent order with RMS under the New York Banking Law. The enforcement action arose from a routine examination that began in March 2020, which uncovered that RMS had experienced an email compromise in March 2019: the email account of an RMS employee, which stored a significant amount of individuals’ personal information, was compromised, yet the incident was not investigated and no notification was provided to affected individuals or regulators. Further, NYDFS identified in its examination that RMS did not have a comprehensive Cybersecurity Risk Assessment.
For the settlement of the enforcement action, RMS agreed to pay the penalty of $1.5 million to NYDFS and to commence further improvements to its existing cybersecurity program, including certain cybersecurity controls in compliance with the Cybersecurity Regulation. Of importance, NYDFS observed RMS’s cooperatio