The New York State Department of Financial Services (NYDFS) on Wednesday fined Residential Mortgage Services (RMS), a licensed mortgage banker, $1.5 million for violating New York’s cyber-security regulation.

New York’s first-in-the-nation cyber-security regulation, which took effect in March 2017, is designed to address cyber-security threats and strengthen cyber-security and data protection processes by requiring clearly defined compliance standards, cyber-security controls, and the timely reporting of cyber-security events. The first charges filed under the regulation came in July 2020.

The details: RMS collected private data during its day-to-day operations, closing thousands of mortgage loans annually, according to NYDFS. A July 2020 examination uncovered evidence RMS experienced a cyber-security breach in 2019 but did not report it to NYDFS, as it was required to do.

“The breach involved unauthorized access to the email account of an RMS employee with access to a significant amount of sensitive personal data of mortgage loan applicants,” NYDFS said. “Until prompted to do so by DFS in 2020, RMS failed to conduct an investigation and identify the consumer data exposed.”

Specifically, examiners “conducted a safety and soundness examination of Residential Mortgage and discovered significant failures in compliance and reporting,” the consent order stated. The exam’s findings concluded RMS failed to timely report the breach and did not have in place a comprehensive cyber-security risk assessment, another requirement of the state’s cyber-security regulation.

Remediation efforts: In addition to the penalty, RMS has undertaken further improvements to its existing cyber-security program, ensuring its cyber-security controls are fully compliant with the state regulation. NYDFS further noted RMS cooperated throughout the examination and investigation and has committed to expediting remediation of its cyber-security controls.

Compliance message: “DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cyber-security duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside,” said Superintendent of Financial Services Linda Lacewell in a press release.

Jaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.

Topics