On March 3rd, the New York Department of Financial Services (“NYDFS”) announced a settlement with Residential Mortgage Services, Inc. (“RMS”) to resolve allegations that RMS violated the NYDFS Cybersecurity Regulation relating to a 2019 cyber breach.

In July 2020, NYDFS conducted an examination of RMS as a licensed mortgage banker.  During the examination, NYDFS uncovered evidence that allegedly revealed that RMS had been subject to a cyber breach that had not been reported to NYDFS.

This cyber breach allegedly arose when a RMS employee clicked on a hyperlink in a phishing email that falsely appeared to originate from a RMS business partner.  The RMS employee provided her email credentials to the malicious website opened by the hyperlink, which compromised the employee’s email account, which contained “a substantial amount of sensitive personal data from mortgage loan.”  Although RMS had implemented multifactor authentication, the RMS employee also facilitated the unauthorized access by clicking her approval in response to an access alert from the MFA application on her mobile device.

NYDFS criticized the company for failing to fully investigate the cyber breach and for failing to provide notification of the breach to consumers and state agencies, such as NYDFS.  NYDFS also criticized RMS’s failure to conduct comprehensive cybersecurity risk assessments as required by the NYDFS Cybersecurity Regulation.  For these failures, NYDFS imposed a $1.5 million penalty.

The NYDFS press release about this enforcement action is available here.  A copy of the NYDFS consent order is available here.