Department of Financial Services Announces Cybersecurity Settlement with Mortgage Lender

  • Source:

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On July 22, 2020 the New York State Department of Financial Services (DFS) filed its First Cybersecurity Enforcement Action against a leading title insurance provider for exposing millions of documents with consumers’ personal information. These charges are the first to be filed against the title insurance provider, alleging violations of DFS’ Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.

On March 3, 2021, DFS announced a cybersecurity settlement with a Mortgage Lender for failing to report a cyber breach exposing NY residents’ private data.

Covered entities who are not in full compliance with Part 500 are taking a risk if there are gaps that are exposed during an audit or regulatory exam. DFS Cybersecurity Regulation became effective in March 2017. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.

Press Release Highlights:

  • A licensed mortgage banker, collected private data in the course of its day-to-day operations, closing thousands of mortgage loans annually. A July 2020 examination uncovered evidence that the firm had been the subject of a cyber breach in 2019 which had not been reported to DFS, in violation of Part 500.17 of the Cybersecurity Regulation.
  • The breach involved unauthorized access to the email account of an employee with access to a significant amount of sensitive personal data of mortgage loan applicants. Until prompted to do so by DFS in 2020, the firm failed to investigate to identify the consumer data exposed. The findings of the exam concluded that the firm violated the DFS Cybersecurity Regulation in failing to timely report the breach, and that the firm failed to have a comprehensive Cybersecurity Risk Assessment, another requirement of the Cybersecurity Regulation.
  • As part of the settlement, the firm agrees to the penalty and has commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation.  The Department notes that the firm cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.

Examiners are looking more closely at how firms have implemented regulatory driven cybersecurity controls and in particular, Board and senior management oversight.

Chief Information Security Officers (“CISO”) and their teams need to be ready to demonstrate compliance with cybersecurity regulations and be ready for a thorough look at the underlying processes by the regulators. Do you want to be the next headline?

Our professionals include but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively and to prepare for more in-depth regulatory examinations which inevitably are coming soon.