On March 3, 2021, the DFS reached its first full resolution under its Part 500 Cybersecurity Regulation, a Consent Order with Residential Mortgage Services that imposes a $1.5 million penalty for several violations including:

• Failure to investigate whether an attacker, who compromised a single email mailbox, accessed private data of individuals.
• Failure to satisfy various state breach notification obligations.
• Failure to notify the DFS of the incident.
• Failure to conduct a cybersecurity risk assessment, as required by Part 500.

In this Client Update, we provide the following four takeaways from the DFS’s latest cybersecurity enforcement action . . . Continue reading.