The New York Department of Financial Services (“NYDFS”) fined a mortgage bank $1.5 million for violations of New York’s Cybersecurity Regulation, including failure to report a past cyber incident.
On March 3, 2021, the NYDFS announced it had entered into a consent order with a mortgage bank for violating New York’s first-in-the-nation Cybersecurity Regulation, which became effective in March 2019. The settlement results from the agency’s findings during a routine compliance examination that the mortgage bank had failed to investigate adequately a cyber incident that exposed private data, failed to report the incident under state data breach notification laws and the NYDFS Cybersecurity Regulation, and failed to conduct a comprehensive cybersecurity risk assessment—despite a certification of compliance with the Cybersecurity Regulation provided by the Chief Information Security Officer.
The examination revealed that the bank was aware of a successful phishing attack on an employee’s email account that contained sensitive personal data of loan applicants. The NYDFS considered the bank’s investigation into the incident to be inadequate because the bank did not review the…
