NYDFS fines mortgage banker $1.5M for cyber-security violations

By Jaclyn Jaeger2021-03-05T13:34:00+00:00

No comments

The New York State Department of Financial Services (NYDFS) on Wednesday fined Residential Mortgage Services (RMS), a licensed mortgage banker, $1.5 million for violating New York’s cyber-security regulation.

New York’s first-in-the-nation cyber-security regulation, which took effect in March 2017, is designed to address cyber-security threats and strengthen cyber-security and data protection processes by requiring clearly defined compliance standards, cyber-security controls, and the timely reporting of cyber-security events. The first charges filed under the regulation came in July 2020.

The details: RMS collected private data during its day-to-day operations, closing thousands of mortgage loans annually, according to NYDFS. A July 2020 examination uncovered evidence RMS experienced a cyber-security breach in 2019 but did not report it to NYDFS, as it was required to do.

“The breach involved unauthorized access to the email account of an RMS employee with access to a significant amount of sensitive personal data of mortgage loan applicants,” NYDFS said. “Until prompted to do so by DFS in 2020, RMS failed to conduct an investigation and identify the consumer data exposed.”

Specifically, examiners “conducted a safety and soundness examination of Residential Mortgage and discovered significant failures in compliance and reporting,” the consent order stated. The exam’s findings concluded RMS failed to timely report the breach and did not have in place a comprehensive cyber-security risk assessment, another requirement of the state’s cyber-security regulation.

Remediation efforts: In addition to the penalty, RMS has undertaken further improvements to its existing cyber-security program, ensuring its cyber-security controls are fully compliant with the state regulation. NYDFS further noted RMS cooperated throughout the examination and investigation and has committed to expediting remediation of its cyber-security controls.

Compliance message: “DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cyber-security duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside,” said Superintendent of Financial Services Linda Lacewell in a press release.

Jaclyn JaegerJaclyn Jaeger is an editor with Compliance Week and has written on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.

Topics

No comments

Article
NYDFS guidance addresses common MFA problems—and how to fix them
2021-12-08T19:10:00Z
The New York State Department of Financial Services outlined common vulnerabilities in multi-factor authentication and how to address them from a cybersecurity risk management standpoint.
Article
Robinhood Crypto anticipates $10M penalty for cyber, AML failures
2021-07-07T18:26:00Z
Robinhood Markets said its cryptocurrency platform might face a penalty of “at least” $10 million from the New York State Department of Financial Services for anti-money laundering and cyber-security failures.
Article
NYDFS regulation a best-practices model for cyber-security training
2021-02-01T17:05:00Z
Companies must make cyber-security a continuous priority as threats evolve, often more quickly than the technology and regulations to counter them. That’s why the New York Department of Financial Services, under Maria Vullo, developed a policy that should act as a model for organizations.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More Regulatory Enforcement

Article
Allianz unit pleads guilty in $6B fraud settlement
2022-05-17T23:39:00Z
Allianz Global Investors U.S. and three former portfolio managers were charged with lying to investors about a complex options trading strategy, as well as forging documents to cover up the scheme, leading to multibillion dollar losses.
Article
DOJ’s Kenneth Polite to CCOs: Tell me your compliance success stories
2022-05-17T22:56:00Z
Kenneth Polite Jr., head of the Department of Justice’s Criminal Division and a former chief compliance officer, delivered a dynamic keynote address emphasizing the importance of empowering compliance to avoiding prosecution at Day 2 of Compliance Week’s National Conference.
Article
KPMG facing $17.6M fine following Carillion tribunal
2022-05-13T16:48:00Z
KPMG is set to pay a reduced fine of £14.4 million (U.S. $17.6 million) from the U.K. Financial Reporting Council over its botched audits at collapsed construction company Carillion and software firm Regenersis.

Protect your company from cyber risks

Learn from the latest headlines and protect your company today

NYDFS fines mortgage banker $1.5M for cyber-security violations

Topics

Related articles

NYDFS guidance addresses common MFA problems—and how to fix them

Robinhood Crypto anticipates $10M penalty for cyber, AML failures

NYDFS regulation a best-practices model for cyber-security training

No comments yet

Only registered users can comment on this article.

More Regulatory Enforcement

Allianz unit pleads guilty in $6B fraud settlement

DOJ’s Kenneth Polite to CCOs: Tell me your compliance success stories

KPMG facing $17.6M fine following Carillion tribunal