NYDFS fines mortgage banker $1.5M for cyber-security violations

The New York State Department of Financial Services (DFS) announced today that Residential Mortgage Services, Inc. (“RMS”) will pay a $1.5 million penalty to New York State for violations of the Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.

“It is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time,” said Superintendent of Financial Services Linda A. Lacewell. “DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cybersecurity duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside.”

RMS, a licensed mortgage banker, collected private data in the course of its day-to-day operations, closing thousands of mortgage loans annually. A July 2020 examination uncovered evidence that RMS had suffered a cyber breach in 2019 that it had never reported to DFS, in violation of Part 500.17 of the Cybersecurity Regulation, which requires covered entities to notify the Superintendent of a qualifying cybersecurity event within 72 hours of determining that one has occurred.

The breach involved unauthorized access to the email account of an RMS employee who had access to a significant amount of sensitive personal data of mortgage loan applicants. Until prompted to do so by DFS in 2020, RMS did not investigate the incident or identify which consumer data had been exposed. The examination concluded that RMS violated the Cybersecurity Regulation by failing to report the breach in a timely manner, and that RMS also lacked a comprehensive Cybersecurity Risk Assessment, a separate requirement of the Cybersecurity Regulation (Part 500.09).

As part of the settlement, RMS agrees to the penalty and has commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation. The Department notes that RMS cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.

DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and with cybersecurity experts during the drafting period, and granted two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.

DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners (NAIC). 

For more details visit