In early March, the New York State Department of Financial Services (“NYDFS”) announced a consent order that required Maine-based mortgage servicer Residential Mortgage Services, Inc. (“Residential”) to pay a $1.5 million fine and implement numerous security measures to remedy alleged data security failures.
The enforcement action and the consent order were the result of a routine NYDFS safety and soundness examination of Residential. The NYDFS alleged that its review of Residential discovered that, in 2019, the company failed to thoroughly investigate and report a cybersecurity incident that involved a business email compromise. The NYDFS also alleged that Residential failed to conduct a risk assessment, which the regulation expressly requires. See 23 NYCRR Part 500.
This is the second action the NYDFS has taken to enforce its cybersecurity regulation, since the measure came into effect in 2017, with the intent to protect consumers and the financial system from increasing threats of cyber-attacks. It is also one of the first instances of a state government sanctioning a company for failing to provide notice of a business email compromise. The settlement makes clear that the NYDFS expects financial institutions to thoroughly investigate cybersecurity incidents and is prepared to impose substantial fines and penalties for investigations that do not meet the department’s expectations.
Residential’s Actions — Common Pattern
The fact pattern of Residential’s cybersecurity incident is quite familiar: an employee fell prey to a phishing attempt, which allowed a bad actor to gain access to the employee’s email inbox. The inbox, in turn, contained a substantial volume of sensitive personal information, such as Social Security numbers and bank account numbers associated with Residential’s customers.
The NYDFS found that Residential’s response to the incident was insufficient because, while Residential identified and blocked the intruder’s IP address, it did not take additional steps to investigate whether the intruder had potentially accessed consumers’ sensitive personal information contained in the employee’s email inbox.
The NYDFS also alleged that Residential should have reported the incident to the NYDFS Superintendent. In the Department’s view, the incident triggered the NYDFS requirement to notify the Department’s financial institutions Superintendent because Residential was required to notify another government agency. The NYDFS alleged that this incident met this threshold because Residential did not: (1) identify whether the employee’s inbox contained sensitive consumer data during the breach (which it did); (2) identify the individuals who were impacted; and (3) determine if the incident triggered any state breach notice requirements (which it did).
The allegations are noteworthy because they impose a duty to thoroughly investigate whether consumer data was exposed as a result of an email compromise, especially when a company handles personal information like Social Security numbers and bank account numbers. It is not clear whether the NYDFS would have sanctioned the company if the employee’s inbox had not contained sensitive consumer data, but that may not be a risk companies want to run.
Finally, the NYDFS found that Residential had not conducted a comprehensive risk assessment, as required by 23 NYCRR Part 500.9, despite certifying that it had done so. The Department alleges that had Residential performed its risk assessment, it could have taken steps to enact appropriate controls over its non-public information and systems.
Covered entities under the regulation should review and implement 23 NYCRR Part 500’s requirements, which broadly require covered entities to create and maintain a cybersecurity program to protect the confidentiality, integrity, and availability of consumer and business non-public information. Financial institutions that are subject to the NYDFS cybersecurity regulations are entities that “operat[e] under or [are] required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the Insurance Law or the Financial Services Law,” including, but not limited to, state-chartered banks, foreign banks licensed to operate in New York, mortgage companies, and service providers.
The regulation’s information security requirements include:
- Developing an industry-standard cybersecurity program;
- Appointing an executive to serve as Chief Information Security Officer (CISO) and oversee the cybersecurity program;
- Conducting regular penetration tests, vulnerability assessments, and risk assessments;
- Implementing security safeguards such as multi-factor authentication, data encryption, and limited access privileges; and
- Developing an incident response plan that includes notifying the NYDFS superintendent within 72 hours if the company must notify any other government agency or the incident poses a risk of harming the company’s material operations.
And if it was not clear before, it is now: these are not simply “paper” requirements; the NYDFS expects covered entities to implement and carry out these practices in real world situations.