First DFS Resolution Under Its Cyber Rules Highlights the Risks of Inadequate Cyber Investigations

8 March 2021
View Debevoise Update

On March 3, 2021, the DFS reached its first full resolution under its Part 500 Cybersecurity Regulation, a Consent Order with Residential Mortgage Services that imposes a $1.5 million penalty for several violations including:

  • Failure to investigate whether an attacker, who compromised a single email mailbox, accessed private data of individuals.
  • Failure to satisfy various state breach notification obligations.
  • Failure to notify the DFS of the incident.
  • Failure to conduct a cybersecurity risk assessment, as required by Part 500.

In this Client Update, we provide the following four takeaways from the DFS’s latest cybersecurity enforcement action . . . Continue reading.