NYDFS Issues Its Second Cybersecurity Enforcement Action

NYDFS Cybersecurity Enforcement Action No. 2 — this time from a routine examination. Agency examiners identified significant non-compliance with the Cybersecurity Regulation by a mortgage banker, Residential Mortgage Services Inc.
– An employee handling sensitive customer information fell victim to a phishing scam in 2019
– The company failed to report the breach to NYDFS within 72 hours as required
– Indeed, it first reported the breach only during an examination in mid-2020
– The company also failed to conduct a “comprehensive” cybersecurity risk assessment in 2019 as required
– Yet its CISO certified in April 2020 that the firm was in full compliance with the regulation
– The company will pay a $1.5 MM penalty and remediate
– Important: the penalty is assessed under the Banking Law for unsafe/unsound conduct — not the Financial Services Law.

The Consent Order can be found here: https://www.dfs.ny.gov/system/files/documents/2021/03/ea20210303_residential_mortgage_0.pdf