In March 2017, New York State’s Department of Financial Services (“DFS”) implemented the nation’s first cybersecurity rules requiring all regulated entities, such as banks, insurers, financial businesses, and regulated virtual currency operators, to fortify their cybersecurity protocols by implementing and maintaining cybersecurity policies (the “Cybersecurity Regulation”). These protocols and policies include, among other things, establishing a detailed security plan, increasing the monitoring of third-party vendors, appointing chief information security officers, and reporting breaches to the Superintendent of the Department of Finance within 72 hours of identifying a Cybersecurity Event.[1] The Cybersecurity Regulation is codified at 23 NYCRR 500.

For the second time, DFS has fined a regulated entity for failure to comply with the Cybersecurity Regulation. In March 2020, DFS commenced an examination of Residential Mortgage Services, Inc. (“Residential”), a Mortgage Banker (as defined in the Banking Law) based in Maine and licensed in New York. The examination encompassed a general compliance, safety, and soundness review, as well as compliance with the Cybersecurity Regulation. During the review, Residential disclosed for the first time a Cybersecurity Event, which had occurred nearly 18 months earlier. Specifically, an employee, who handles sensitive personal data, received a phishing e-mail and clicked on a hyperlink to a malicious website. DFS determined that although Residential’s technical support staff was alerted to the suspicious activity, Residential’s internal investigation was inadequate since it did not conduct any further inquiry after concluding the unauthorized access was limited to the employee’s e-mail account. Further, DFS determined Residential failed to satisfy the notification requirements of the Cybersecurity Regulation, as Residential failed to (i) identify whether the employee’s mailbox contained private consumer data during the breach and which consumers were impacted; and (ii) notify the Department of Finance within 72 hours of identifying a Cybersecurity Event. Finally, DFS determined that Residential was missing a comprehensive cybersecurity risk assessment, which should have led to the periodic evaluation of controls designed to protect nonpublic information and information systems.

As a result of the violations of the Cybersecurity Regulation, Residential reached a settlement with DFS, whereby it would pay a penalty in the amount of $1,500,000. Residential also agreed to strengthen its controls to protect its cybersecurity systems and private data of its consumers including, submitting to DFS a Cybersecurity Incident Response Plan and Cybersecurity Risk Assessment (as defined in the Cybersecurity Regulation), as well as materials concerning Residential’s risk-based policies, procedures and controls and cybersecurity awareness training for its employees, consistent with requirements of the Cybersecurity Regulation.

This recent settlement is a reminder to banks, insurers, financial businesses, and regulated virtual currency operators that DFS is enforcing the Cybersecurity Regulation and placing harsh penalties on regulated entities that fail to comply. Regulated entities should familiarize themselves with the Cybersecurity Regulation and ensure their cybersecurity protocols and policies comply with the regulation. Further, in the event of a breach, the Chief Information Security Officers, or other individuals tasked with assuming responsibility for regulatory compliance, should ensure that the company performs an adequate investigation and meets all notification requirements, including notifying the Superintendent of the Department of Finance within 72 hours of identifying a breach.