Failure to report Cybersecurity event leads to large fine
In March 2019, an employee of Residential Mortgage Services, Inc. (“RMS”), a mortgage banker licensed in the State of New York, fell victim to an email phishing attempt. The employee clicked a malicious link and entered her RMS email credentials on the attacker's page. RMS had secured its email accounts with multi-factor authentication (“MFA”), which requires something the user knows (a password) and something the user has (a cell phone). With MFA in place, the stolen credentials alone were not enough for the cybercriminal to access the employee's email account; however, that evening the employee approved several MFA push notifications despite not attempting to log in herself, and the cybercriminal was granted access. This pattern, in which an attacker holding a valid password repeatedly triggers push prompts until the user approves one, is why simple approve/deny push MFA is now considered weaker than number-matching or phishing-resistant factors.
The next day, the employee reported the “anomalous activity” to RMS IT staff, who promptly determined that unauthorized access had occurred on four occasions from an IP address in South Africa and blocked further access. A full investigation was never completed, and the Cybersecurity Event was not reported to the New York State Department of Financial Services (“DFS”) within 72 hours as required by 23 NYCRR 500.17(a)(1) or (a)(2).
In 2020, RMS was the subject of a routine examination by DFS. During the examination, the DFS examiner “sought to confirm that [RMS] had not submitted any notice of a Cybersecurity Event with DFS.” At this point, the RMS CISO disclosed the above-described Cybersecurity Event for the first time, nearly 18 months after it had occurred.
RMS retained outside counsel and an outside cybersecurity consultant to fully investigate the Cybersecurity Event, eventually leading to notices being sent to all required governmental agencies and all potentially impacted consumers.
During the course of the examination, it was also discovered that RMS did not have a comprehensive Cybersecurity Risk Assessment as required by 23 NYCRR 500.9.
In March 2021, RMS and DFS entered into a Consent Order under which RMS, inter alia, agreed to pay a civil penalty of $1,500,000. In the order, DFS credited RMS for its remediation efforts after the disclosure and for the many security controls it already had in place.
RMS's employee training failed at two levels: the end user and the IT staff. The end user not only fell for a phishing attempt but then let the attacker into her account on at least four occasions by approving MFA notifications she had not initiated. The IT staff, for their part, appear to have been unaware of the 72-hour reporting obligation, or had no procedure that brought the incident to the attention of someone who was. Employee training, including training IT staff on who must be notified and by when, is a key and often overlooked part of any cybersecurity program. DFS remains serious about cybersecurity, and readers are cautioned to take it equally seriously.
A full copy of the consent order can be found here.
Eric Swarthout, President
THOROUGHBRED TITLE SERVICES