Cyber Incident Victim: Residential Mortgage Services, Inc.

Date:

Jan 2019

Location:

United States of America

Summary

Residential Mortgage Services, Inc. was penalized by the New York Department of Financial Services for failing to report a cybersecurity breach, violating state regulations. The regulatory examination uncovered evidence of the previously undisclosed incident, leading to a settlement over the company's non-compliance with mandatory disclosure requirements under NYDFS cybersecurity rules.

Description

In 2019, Residential Mortgage Services, Inc. (RMS), a licensed mortgage banker, experienced a cybersecurity breach that went unreported to the New York Department of Financial Services (NYDFS). The incident remained undisclosed until July 2020, when NYDFS conducted a routine examination of RMS’s operations. During this review, examiners uncovered evidence indicating RMS had been compromised by a cyber intrusion the previous year. NYDFS alleged that RMS violated the department’s Cybersecurity Regulation (23 NYCRR Part 500) by failing to report the breach as required. The regulation mandates timely notification of cybersecurity events that could materially harm normal operations or customer data. RMS’s lack of disclosure triggered a formal investigation into its compliance practices and breach response protocols.

On March 3, 2021, NYDFS announced a settlement with RMS to resolve the regulatory violations stemming from the 2019 incident. The enforcement action highlighted RMS’s failure to adhere to notification requirements under Part 500. While the consent order did not publicly specify the breach’s root cause, data scope, or number of affected individuals, it confirmed that RMS’s lack of timely reporting delayed regulatory oversight. The settlement required RMS to pay a monetary penalty and enhance its cybersecurity governance, including incident response planning and executive accountability measures. The penalty underscored NYDFS’s focus on enforcing transparency obligations for regulated entities. Public disclosure of the enforcement action also brought reputational consequences, emphasizing the operational and legal risks of non-compliance with cybersecurity reporting mandates.