New York Regulator Issues Second Enforcement Action Under Cyber Rules

The New York Department of Financial Services’ (DFS) second enforcement action to date under its cybersecurity regulation underscores the importance of promptly investigating potential cybersecurity events. It also raises questions about whether insurance coverage would be available for amounts paid for alleged violations of the regulation.

On March 3, 2021, DFS announced that it had entered into a settlement with a mortgage lender, Residential Mortgage Services Inc. (RMS), over violations of DFS’ Cybersecurity Requirements for Financial Services Companies. The regulatory enforcement action against RMS is the second such action to date brought under the cybersecurity regulation, which first took effect on March 1, 2017. It’s also the first settlement under the regulation.

DFS’ first enforcement action under the cybersecurity regulation against First American Title Insurance Company was announced in July 2020 and was pending at the time of publication.

The cybersecurity regulation contains various requirements that apply to companies regulated by DFS, such as banks and insurance companies. Among other things, the regulation requires companies to adopt a cybersecurity program to protect consumers’ private information and to conduct periodic risk assessments of their information systems. In addition, the regulation requires companies to provide notice to DFS within 72 hours of certain cybersecurity incidents.

Under this recent settlement, RMS agreed to pay a $1.5 million penalty to DFS and to take certain other steps directed by DFS, including submitting a cybersecurity incident response plan.

The enforcement action against RMS arose out of a cyber breach that occurred in 2019, which RMS had not reported to DFS. Rather, DFS independently discovered the breach during a routine examination of RMS’s general compliance with the New York Banking Law around September 2020.

DFS contended that the failure to timely report the breach, as well as RMS’s failure to conduct a further investigation once it learned of the breach, among other failures, constituted a violation of the cybersecurity regulation.

According to the consent order DFS entered with RMS on March 3, the email account of an RMS employee, a privately held mortgage lender, was compromised by an unauthorized intruder on March 5, 2019.

The employee had received a phishing email containing a hyperlink to a malicious website and clicked on the link. Upon following the link, the employee provided the username and password required to log-in to her RMS email account.

The employee then passed the multi-factor identification system by tapping her phone screen four times to provide authentication and permit remote access to her email account.

Ultimately, after continued activity, the employee grew suspicious and notified RMS’ IT staff, who determined that a hacker had gained access to the employee’s email account and blocked further access.

The March 2019 incident was not discovered by DFS until 18 months later during a general compliance examination conducted by DFS’s Mortgage Banking Division, which included a review of compliance with the cybersecurity regulation.

Following the discovery by DFS, RMS took steps to investigate which consumers were impacted by the March 2019 incident, hiring outside counsel specializing in data privacy as well as a cybersecurity consultant.

In December 2020, RMS notified the appropriate state agencies and impacted customers. DFS acknowledged that RMS’ cooperation with the investigation commitment to further efforts to remediate the issues identified in the consent order was commendable.

However, the DFS consent order is critical of RMS’ IT staff for failing to conduct any further inquiry after concluding that the unauthorized access had occurred. DFS noted that this failure was “egregious” given that the employee’s email account had access to the private data of mortgage loan consumers, including social security numbers and bank account numbers.

As a result of the employee’s access to such information, DFS concluded that this incident constituted a cybersecurity event triggering notification requirements. The consent order states that RMS failed to take appropriate action to satisfy the notification requirements and failed to conduct a comprehensive cybersecurity risk assessment.

RMS agreed to pay a $1.5 million civil money penalty to DFS and to take further steps to comply with the cybersecurity regulation.

Under New York Banking Law § 44, DFS is authorized to impose a penalty on regulated entities for failure to comply with applicable statutes or regulations, payable to the people of New York State.

Similarly, under Banking Law § 44-a, DFS may impose a penalty for failure to submit any report required under the Banking Law or for submitting a report that contains false or misleading information.

In some situations where a government agency or regulator imposes a fine or civil money penalty, the order will contain a provision prohibiting the company hit with the fine or penalty from seeking insurance coverage for such amounts, in order to preserve the deterrent effect of the civil penalty.

Here, the DFS consent order does not contain such a provision, raising the question of whether RMS could potentially seek insurance coverage for the penalty.

New York law has long prohibited the insurability of punitive damages as a matter of public policy. In 2018, the New York Appellate Division, First Department, held in J.P. Morgan Securities v. Vigilant Ins. Co., 166 A.D.3d 1 (App. Div. 2018) that a $140 million disgorgement payment to the SEC constituted a penalty, and therefore, did not fall within the policy’s definition of loss.

This decision is currently on appeal before the New York Court of Appeals, so businesses and insurers should closely watch for the Court of Appeals to weigh in on this issue. The First Department has also previously held that where damages are intended to be compensatory in nature, public policy does not bar their insurability.

Because Banking Law §§ 44 and 44-a provide that the penalties are payable to the people of the state, and there is no provision in the law that requires such funds to be used as compensation for affected consumers, this might suggest that the penalties imposed under these statutes are punitive, rather than compensatory in nature.

The latest enforcement action and settlement under the cybersecurity regulation underscores the importance for businesses and individuals to continually assess their compliance with applicable laws and regulations, and where necessary, consult with qualified counsel and experts.

Further, it is important for business and insurers to monitor the impact of ongoing case law on the potential insurability of fines and penalties.

Finally, due to the developing regulatory landscape of data privacy, it is important for every business to work with competent counsel in developing a plan for protecting data, investigating breaches and planning post-breach response to ensure compliance and avoid fines and penalties that may follow such events.