On March 3, 2021, the New York Department of Financial Services (NYDFS) announced its execution of a consent order (the Order) with Residential Mortgage Services, Inc. (RMS), a NYDFS-licensed mortgage banker and mortgage loan servicer. The Order fines RMS $1,500,000 for its violations of Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (Part 500). According to the Order, RMS failed to meet its Part 500 obligations by inadequately responding to a data security breach and failing to conduct a comprehensive cybersecurity risk assessment. This action is the latest demonstration of the seriousness with which NYDFS is approaching enforcement of Part 500, which became fully effective in March 2019.
The Order serves as a warning to and guide for financial institutions that may prompt them to reevaluate whether their existing cybersecurity safeguards, policies, and procedures are sufficient to meet the requirements of Part 500. Moreover, it reinforces the imperative for covered entities to fully comply with all aspects of Part 500––even where entities believe that their cybersecurity measures meet their level of risk or are consistent with industry standards.
To learn more about the Order and its implications for the financial services industry, read this Advisory.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.