In early March 2021, the New York State Department of Financial Services (“DFS”) issued a consent order requiring Residential Mortgage Company to pay $1.5 million for non-compliance with the Cybersecurity Regulation, Part 500 of Title 23 of the New York Code.
This significant financial penalty serves as a strong reminder to all companies under Part 500 to prioritize their compliance. Since February 2017, New York has required financial companies to implement and report detailed frameworks in order to safeguard consumer data privacy.
Part 500 applies to any organization regulated by DFS, significantly impacting the financial, banking, and insurance industries in the United States. Violations of this law can result in penalties of up to $250,000 per day of violation or one percent of total banking assets.
Companies subject to Part 500 have been eagerly awaiting the outcome of this case, as it sets a precedent. On March 3, 2021, DFS reached its first resolution under Part 500 with Residential Mortgage Services, resolving the matter without further proceedings. As a result, Residential Mortgage must pay a civil monetary penalty of $1.5 million within ten days of executing the consent order.
DFS considered factors such as Residential Mortgage’s cooperation, financial resources, and good faith during the investigation, as well as the gravity of the violation and the public interest, in making this determination. In imposing this significant financial penalty, DFS sends a clear message to other companies regulated under Part 500: compliance is of utmost importance.
Additionally, DFS has imposed various remedial measures on Residential Mortgage to enhance its cybersecurity systems and secure customer data. These measures include the implementation of a cybersecurity incident response plan, a cybersecurity risk assessment within 90 days of the order, and the establishment of training and monitoring programs within 90 days of the order.