NYDFS Continues Tough Enforcement of New York's Cybersecurity Regulation in $1.5 Million Settlement with Residential Mortgage Services

On March 3, 2021, the New York Department of Financial Services (NYDFS) announced its execution of a consent order (the Order) with Residential Mortgage Services, Inc. (RMS), a NYDFS-licensed mortgage banker and mortgage loan servicer, that fines RMS $1,500,000 for its violations of Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (Part 500). According to the Order, RMS failed to meet its Part 500 obligations by inadequately responding to a data security breach and neglecting to have conducted a comprehensive cybersecurity risk assessment. The Order details the extra measures RMS should have taken in addition to those implemented before and in response to the breach, and provides that RMS must submit to the NYDFS, within 90 days of the Order, a comprehensive cybersecurity incident response plan, cybersecurity risk assessment, cybersecurity awareness training materials, and risk-based policies, procedures and controls. This action is the latest demonstration of the seriousness with which NYDFS is approaching enforcement of Part 500, which became fully effective in March 2019. It comes on the heels of NYDFS' recently issued Industry Letter warning of a cyber campaign to steal consumers' nonpublic information (NPI) from public-facing websites and just before an Alert to regulated entities regarding vulnerabilities discovered in Microsoft Exchange servers. And it is the second Part 500 enforcement action, following the NYDFS' initial enforcement action approximately seven months ago against First American Title Insurance Company (FirstAm), which the NYDFS alleged had failed to address a cyber vulnerability that exposed NPI.

The findings underlying the Order were identified by NYDFS examiners during a safety and soundness examination of RMS covering the period from January 1, 2017 through December 31, 2019. In response to the NYDFS' inquiry as to whether RMS had submitted any notices of a Cybersecurity Event¹ during the review period, RMS informed the NYDFS of a previously unreported incident: in March 2019, a bad actor phished an employee's login credentials and used them to gain access four different times to that employee's e-mail account after the employee unsuspectingly approved of multi-factor authentication (MFA) prompts on the employee's smartphone on each occasion. Upon being notified by the employee of the fifth such instance, RMS responded by blocking the cyber intruder's access and implementing measures to help prevent other phishing incidents, including applying automatic warning labels to emails sent from external sources, IP filtering and analysis, periodic penetration, and additional defense testing by third-party consultants. RMS did not, however, inspect the employee's emails to evaluate what consumer sensitive data may have been exposed or whether notices to impacted consumers, state agencies, and/or the NYDFS were required under state data breach notification laws and Part 500. Notably, as the Order reiterates, Part 500 requires covered entities to provide the NYDFS with notice of any Cybersecurity Event within 72 hours of an entity's determination that such event has occurred.

The Order emphasizes the NYDFS's view that RMS's failure to investigate the incident fully was particularly egregious given that the employee had regular access to the sensitive data of a significant number of mortgage loan consumers. Indeed, after NYDFS' review prompted RMS to conduct an internal investigation of the employee's emails, RMS concluded that numerous elements of consumer data had been accessed by the intruder and notice to impacted consumers and state governmental authorities was required under applicable state data breach notification laws. Such after-the-fact investigative and preventative measures taken by covered entities, the Order indicates, may be of little use in achieving compliance with or avoiding liability under Part 500.

The Order also states that RMS' Chief Information Security Officer inaccurately filed RMS' required annual certification of Part 500 compliance because RMS had failed to conduct a comprehensive cybersecurity risk assessment, as Part 500 requires. Under Part 500, each covered entity must annually submit this certification attesting to its compliance with Part 500 during the prior calendar year. The Order acknowledges that RMS had certain existing cybersecurity measures in place, such as MFA, end-point protection software, and antivirus protection. But implementing measures to counter possible cybersecurity risks does not fulfill an entity's obligation to have a risk assessment under Part 500. Such an assessment must review cybersecurity threats and the safeguards in place to protect against those threats and evaluate whether the safeguards adequately protect against those risks. The Order stresses the risk assessment as "the foundation of the risk-based cybersecurity program required by the Cybersecurity Regulation" that "should result in thoughtful cybersecurity programs specifically tailored to safeguard the confidentiality of company and consumer data."

The Order is just one place in which the NYDFS has stressed the importance of conducting cybersecurity risk assessments. The NYDFS has repeatedly emphasized that Part 500 covered entities need to conduct such assessments to fully investigate, document and support annual certifications of compliance. The NYDFS also has made clear that inaccurate filings can be used as a basis for investigation and enforcement actions under Part 500.

The Order serves as a warning to and guide for financial institutions that may prompt them to reevaluate whether their existing cybersecurity safeguards, policies and procedures are sufficient to meet the requirements of Part 500. It reinforces the imperative for covered entities to fully comply with all aspects of Part 500––even where entities believe that their cybersecurity safeguards and processes are sufficient to meet their level of risk or are consistent with industry standards. It also instructs these entities on the concrete steps they must take in response to breaches, particularly those involving unauthorized access to an employee's email account. To protect the sensitive data of their consumers and avoid civil monetary penalties, regulated entities should consider whether there is a need to integrate guidance from the Order into their own policies and procedures. Above all else, entities must remain vigilant in assessing cybersecurity risks and continually revise their own compliance programs as needed based on the entities' risk profiles and emerging cybersecurity threats.

Financial institutions interested in conducting Part 500-compliant cybersecurity assessments or that have questions regarding their obligations under the rule may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm's Financial Services and Privacy, Cybersecurity and Data Strategy teams would be pleased to assist with any questions about cybersecurity compliance and enforcement more broadly.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.