New Cyber Sheriff in Town: NYDFS Levies $1.5 Million Penalty For Failure to Follow Up on Security Incident

Mar 11, 2021 | Blog

The New York Department of Financial Services (NYDFS) announced a $1.5 million penalty in a Consent Agreement with Residential Mortgage Services, Inc. on March 3, 2021. This Agreement comes on the heels of NYDFS’s release of a report on its investigation of Facebook for sharing women’s health information without their consent. NYDFS has sent a strong message that it will enforce its cybersecurity regulations.

The Residential Mortgage Services Consent Agreement notes that in 2018 an employee clicked on a “phishing” email and then received an alert on the MFA (multi-factor authentication) app on her phone. She tapped the screen to permit entry into the Residential Mortgage system, then received four more alerts and tapped the screen again, even though her “workday was over and she was not herself attempting to access her own account.” After a fifth alert she figured out that someone had tried to gain entry or had gained entry into the system and called IT. IT conducted what the NYDFS described as an “inadequate” investigation and concluded that the intrusion was limited to the employee’s email account. IT decided not to notify any data subjects (including those in the employee’s account) or NYDFS, although notification is required within 72 hours by 23 NYCRR Part 500 (“NYDFS Cybersecurity Regulations”).

The size of the penalty, however, may be related to the discovery of the incident by NYDFS during an annual examination, and then only upon prompting by the examiner. NYDFS commenced an investigation and also ascertained that Residential Mortgage had not conducted a cybersecurity risk assessment as required by the NYDFS Cybersecurity Regulations.

In addition to the $1.5 million penalty, the Consent Agreement also requires Residential Mortgage to prepare a Cybersecurity Incident Response Plan, cybersecurity policies and procedures, and security awareness training materials to submit to NYDFS for approval. Failure to provide these materials will be considered “a presumptive breach of the Agreement.”

NYDFS supervises all organizations licensed or authorized to conduct business in New York under the state’s Banking and Insurance Laws. Its remit extends to health insurers and certain healthcare providers as well as banks, insurers, and brokers. That remit is broad, and companies within it should reevaluate their security controls, particularly those that mistakenly believe that access controls such as those in place at Residential Mortgage and multi-factor authentication can, on their own, prevent data breaches or enforcement actions.

If you have questions regarding compliance with security standards or the NYDFS Cybersecurity Regulations, please contact Kenneth N. Rashbaum.