On March 3, 2021, the New York Department of Financial Services (DFS) announced that Residential Mortgage Services, Inc. ("Residential Mortgage" or the "Company") would pay a $1.5 million penalty for violations of the Cybersecurity Regulation, 23 NYCRR Part 500. Just six weeks later, on April 14, 2021, DFS announced (https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104141) another settlement agreement, this one with broker-dealer and insurance brokerage firm National Securities Corporation ("National Securities" or the "Firm"). Two enforcement actions under the Cybersecurity Regulation in quick succession, and only months after DFS's first such action, signal DFS's commitment to prioritizing the cybersecurity of the financial markets and of consumer information (see our post on the first enforcement action here).
The Cybersecurity Regulation places certain cybersecurity requirements on entities operating under the authority of DFS, including banking institutions, mortgage companies and insurance companies. These requirements are intended to ensure that the financial services industry protects its customer information and financial systems from the ever-increasing threat of cyberattacks, and include core cybersecurity program features and notification obligations. The Cybersecurity Regulation, the first of its kind in the United States when enacted in 2017, has served as a model for other regulators, including the Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC).
March 2021 Enforcement Action
The March settlement with Residential Mortgage stems from the company's failure to disclose a 2019 data breach. Under the Cybersecurity Regulation, covered entities must disclose certain cybersecurity events to DFS within 72 hours of discovery. Residential Mortgage did not disclose the incident until almost 18 months later, and then only when DFS announced a routine safety and soundness examination of the company, which included the company's compliance with the Cybersecurity Regulation.
The 2019 breach involved unauthorized access to the email account of a Residential Mortgage employee who had access to a significant amount of sensitive customer data. The intrusion occurred on March 5, 2019, when the employee entered her email credentials in response to a phishing email that appeared to come from a business partner. Residential Mortgage had implemented multi-factor authentication (MFA), so each login with the stolen credentials also required the employee to approve a prompt in the MFA application on her phone. The employee approved such requests for access to her email account four times over the course of March 5.
Residential Mortgage learned of the unauthorized access one day later, on March 6, when the employee reported the anomalous activity to the company's Information Technology (IT) Department. The IT Department immediately determined that an unauthorized user had accessed the employee's email account and blocked the IP address that was used. The IT Department determined no further inquiry was needed as the breach was limited to that employee's email account.
DFS found that this was an inadequate investigation, given the degree of access that the employee had to sensitive customer information, including Social Security and bank account numbers. Under § 500.17(a)(1) of the Cybersecurity Regulation, entities must notify DFS no later than 72 hours after determining that a cybersecurity event has occurred when that cybersecurity event either (a) must be disclosed to a government, self-regulatory or supervisory body, or (b) is reasonably likely to materially harm the entity's normal operations. DFS noted that the majority of state data breach notification laws require that consumers be notified when their Social Security number or bank account number is compromised. Under those state laws, Residential Mortgage should have notified the impacted customers and the appropriate government bodies, which in turn triggered the notification requirement under the Cybersecurity Regulation.
In the course of its investigation, DFS also discovered that Residential Mortgage lacked a comprehensive cybersecurity risk assessment, in violation of the Cybersecurity Regulation. Section 500.09(a) requires entities to conduct a periodic risk assessment that identifies and evaluates their cybersecurity risks, and each year entities must certify their compliance with the Cybersecurity Regulation to DFS under § 500.17(b). DFS acknowledged that Residential Mortgage had cybersecurity measures in place, such as MFA, endpoint protection software and antivirus protection, but nonetheless found its assessment lacking. The assessment required by the Cybersecurity Regulation requires entities to review cybersecurity threats and the safeguards in place to protect against those threats, and then evaluate whether the safeguards adequately address those risks. In the Consent Order, DFS described the required risk assessment as "the foundation of the risk-based cybersecurity program required by the Cybersecurity Regulation," and noted that it "should result in thoughtful cybersecurity programs specifically tailored to safeguard the confidentiality of company and consumer data."
In assessing the appropriate penalty, DFS cited a number of factors that inform the calculation, including the company's cooperation with DFS in the investigation, the seriousness of the violation, and the company's good faith and financial resources. DFS also noted the presence of cybersecurity protections at the time of the breach and Residential Mortgage's subsequent remediation efforts, including devoting significant resources to enhancing its cybersecurity program, policies, procedures, systems, governance structures and personnel.
In addition to the $1.5 million penalty, DFS also imposed a remediation plan on Residential Mortgage. As part of this plan, Residential Mortgage is required to submit a comprehensive written Incident Response Plan, Cybersecurity Risk Assessment and written policies for employee training and monitoring to DFS within 90 days. The remediation plan is designed to bring Residential Mortgage into full compliance with the Cybersecurity Regulation and is consistent with DFS's enforcement goals: ensuring the security of financial markets and customer information.
April 2021 Enforcement Action
DFS's settlement with National Securities is the third action enforcing the Cybersecurity Regulation and carries the largest monetary penalty to date: National Securities will pay $3 million to settle the charges.
DFS began its investigation into National Securities' cybersecurity program when the Firm reported two separate cyber events to DFS, one in October 2019 and the second in May 2020. Both of these reported events impacted employees' Office 365 email accounts, and were determined to be the likely result of a phishing scam. Further, each of these cyber events potentially impacted customers' personal information.
DFS's investigation into the reported cyber events revealed that National Securities did not have multi-factor authentication (MFA) in place at the time of the two phishing incidents. Section 500.12(b) of the Cybersecurity Regulation requires covered entities to implement MFA for any individual accessing the entity's internal networks from an external network, unless the entity's CISO has approved in writing the use of reasonably equivalent or more secure access controls. DFS treats cloud email platforms such as Office 365 and Google's G Suite as within the scope of this requirement. National Securities had not implemented reasonably equivalent or more secure access controls for these email platforms, so it did not qualify for the exception. Because MFA was not fully implemented, National Securities' 2018 certification of compliance with the Cybersecurity Regulation was also false.
During the course of its investigation, DFS also discovered that National Securities had experienced two additional cyber events that it had failed to report to DFS, in violation of § 500.17(a)(1) of the Cybersecurity Regulation. Like the cyber events that National Securities did report, the unreported cyber events were also determined to be the result of phishing scams. Though the Firm notified impacted consumers and other authorities, including the IRS, SEC, FBI and a county sheriff, it failed to also notify DFS.
There are a number of takeaways from these enforcement actions for companies subject to the Cybersecurity Regulation. First, these actions show the importance of establishing and maintaining a cybersecurity program that complies with all applicable laws and regulations. DFS discovered Residential Mortgage's violations through a routine safety and soundness examination, suggesting that DFS will be proactive and thorough in assessing companies' compliance with the Cybersecurity Regulation.
The settlement with National Securities highlights the need for companies to be thorough in their own internal reviews. Though National Securities was in the process of implementing MFA, it failed to complete the rollout for its employees by the required date, and then again for independent contractors. Furthermore, though National Securities notified other regulators and consumers of all four of the cyber events, it did not notify DFS, underscoring the importance of a diligent review of every cybersecurity notification obligation.
The remediation plans agreed between DFS and Residential Mortgage, and between DFS and National Securities, highlight the need for companies to ensure that their cybersecurity program is carefully tailored to identify and mitigate cyber vulnerabilities and protect consumer information. In other words, companies should do more than implement various controls to prevent cyber incidents; they should also have comprehensive policies and procedures in place to detect, identify, remediate and mitigate cyber incidents, such as an incident response plan and cybersecurity awareness training for employees. In light of the DFS Superintendent's promise to continue taking action to protect the security of customer data, covered entities should confirm their ongoing compliance with the Cybersecurity Regulation. Looking ahead, financial institutions not subject to the authority of DFS should keep in mind that the Cybersecurity Regulation has already inspired similar regulation in several states and the FTC's proposed amendments to its Safeguards Rule under the Gramm-Leach-Bliley Act, suggesting that oversight of the financial sector's cybersecurity practices will continue to develop.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.