After failing to report a breach in 2019, a mortgage company earlier this month agreed to pay $1.5 million to New York State for violating its landmark Cybersecurity Regulation.
The Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations, requires financial organizations under the New York Department of Financial Services’ supervision to develop a cybersecurity policy among other requirements; one of the regulation's stipulations includes reporting a data breach within 72 hours.
According to the NYDFS, when the mortgage company, Residential Mortgage Services, Inc., experienced a breach that exposed the sensitive personal data of mortgage loan applicants in 2019, it went unreported; it wasn't until July 2020 that the department discovered evidence of the breach as part of a safety and soundness examination of the company.
RMS is based in South Portland, Maine, but it’s licensed as a mortgage loan servicer in New York State, meaning it’s subject to NYDFS' provisions and regulations. According to a Consent Order published by NYDFS, RMS closed 13,973 residential mortgage loans in 2019.
“It is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time," Superintendent of Financial Services Linda A. Lacewell said following the settlement. "DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cybersecurity duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside."
Specifically, NYDFS said in its agreement that its examination uncovered “serious failures in compliance and reporting" in connection with the Cybersecurity Regulation. That's despite the company's CISO filing a certification of compliance with the regulation in April 2020.
A Certification of Compliance essentially demonstrates a company's compliance with the regulation and that it has mechanisms in place to protect the confidentiality, integrity, and availability of its networks and systems. NYDFS bumped the deadline back to June in light of the pandemic last year, but RMS filled out its certification on April 3, according to NYDFS.
According to the Order, in September 2020, NYDFS asked RMS to confirm that it hadn't experienced a "Cybersecurity Event" in 2019. It was at that time, despite it occurring 18 months prior, that the company's CISO finally disclosed the issue.
In the disclosure, the CISO said the email account of an employee who collects sensitive data on mortgage loan applicants was compromised via a phishing attack. The employee responded to the email, believing it was from a business partner; the attacker then convinced the user to visit a malicious website in which the employee willingly entered their work email credentials. In some scenarios, that would have been enough for the attacker to access the email account but the company was using multi-factor authentication, or MFA.
Unfortunately, according to the report, the employee tapped her screen four times later that night when prompted - even though she wasn't working at the time - something which let the intruder into the account.
The company's response to the incident was lacking, according to the NYDFS; it noticed the email had been accessed via an IP address in South Africa but didn't look into whether the attack was localized to just the email account, nor did it contact any of the mortgage applicants - or anyone, really - who may have been implicated by the attack.
It's unclear, at least judging from the Consent Order, how many applicants may have had their data exposed; the employee handled data including social security numbers and bank accounts but "Residential Mortgage failed to identify whether Employee's mailbox contained private consumer data during the breach" and whether consumers were impacted.
As part of the settlement, the company says it plans to make some changes to its cybersecurity program to ensure its compliance with the Cybersecurity Regulation.
To prevent phishing and meet compliance, the company says it implemented:
- Automatic warning labels on emails sent from an external source;
- Automatic warning and filtering to identify phishing emails prior to reaching end-users;
- IP filtering and analysis to prevent access from suspicious locations;
- Periodic penetration and other defense testing by third-party consultants
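
The sign-in analysis in the list above, applied to the pattern in this incident (push prompts approved late at night for a sign-in from an unfamiliar country), could look like the following. This is an added example, not code from RMS or NYDFS; the event fields, user names, baseline and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample MFA push events; field names are assumptions, not a real log schema.
# "country" is the geolocated origin of the sign-in that triggered the push.
EVENTS = [
    {"ts": "2024-01-15T09:30:00", "user": "employee2", "type": "mfa_push", "result": "approved", "country": "US"},
    {"ts": "2024-01-15T10:05:00", "user": "employee1", "type": "mfa_push", "result": "approved", "country": "US"},
    {"ts": "2024-01-15T22:10:00", "user": "employee1", "type": "mfa_push", "result": "approved", "country": "ZA"},
    {"ts": "2024-01-15T22:14:00", "user": "employee1", "type": "mfa_push", "result": "approved", "country": "ZA"},
    {"ts": "2024-01-15T22:19:00", "user": "employee1", "type": "mfa_push", "result": "approved", "country": "ZA"},
    {"ts": "2024-01-15T22:25:00", "user": "employee1", "type": "mfa_push", "result": "approved", "country": "ZA"},
]

# Countries each user normally signs in from (assumed to come from sign-in history).
BASELINE = {"employee1": {"US"}, "employee2": {"US"}}


def flag_suspicious_approvals(events, baseline, work_hours=(8, 18),
                              window=timedelta(hours=2), min_prompts=3):
    """Alert on approved pushes that match at least two risk signals."""
    alerts, prompts_by_user = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "mfa_push":
            continue
        ts = datetime.fromisoformat(e["ts"])
        history = prompts_by_user.setdefault(e["user"], [])
        history.append(ts)  # count every prompt, approved or not
        if e["result"] != "approved":
            continue
        reasons = []
        if not work_hours[0] <= ts.hour < work_hours[1]:
            reasons.append("off_hours")
        # Several prompts in a short window suggest repeated sign-in attempts.
        if sum(1 for t in history if ts - t <= window) >= min_prompts:
            reasons.append("prompt_burst")
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append("new_country")
        if len(reasons) >= 2:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_approvals(EVENTS, BASELINE):
        print(alert)
```

An alert like this is a trigger for the follow-up the Consent Order says was missing: reviewing what the account could reach and whether the mailbox held consumer data.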
In addition to the failure to report the breach, NYDFS' examination also uncovered that the company didn’t have a comprehensive cybersecurity risk assessment in place. The risk assessment is a tool required by NYDFS and designed to help covered entities understand the cyber risks they face. With something like that, the department says the organization would have deduced it needed the “periodic evaluation of controls designed to protect Nonpublic Information and information systems.”
In implementing a risk assessment, a company can help prevent threats by ensuring company and consumer data like PII, along with IT systems, are kept confidential and secure.
The NYDFS has been taking enforcement around its Cybersecurity Regulation seriously, especially over the last 12 months.
Last August it filed its first enforcement action against First American Title Insurance Company for failing to maintain adequate controls around the protection of non-public information. The company allegedly exposed over 885 million documents containing sensitive information over the course of years. Included in that data was consumers’ private information, including bank account numbers, mortgage and tax records, Social Security numbers, and drivers’ license images.