State Regulatory Developments

State Financial Regulatory Agencies Settle with Large Investment Firm and its Mortgage Servicing Affiliates over Cybersecurity Breach

Fifty-three state financial regulatory agencies settled with a large investment firm and three mortgage servicing affiliates over allegations that the companies did not maintain adequate cybersecurity practices and failed to cooperate fully with the state regulators after a malware data breach that affected millions of customers.

The allegations stemmed from a 2021 incident in which an employee of one of the companies accidentally downloaded malware during an internet search.  In the ensuing months, state regulators from four states led an examination of the companies’ cybersecurity practices, which revealed alleged violations of state and federal IT and cybersecurity laws.  The state regulators allege that the companies did not initially fully comply with the investigation.

Under the settlement, the companies agreed to pay an administrative penalty of approximately $20 million, and about $740,000 in administrative costs.  The companies also agreed to implement a corrective plan that will remedy the allegedly deficient cybersecurity practices and satisfy the state regulators’ supervisory demands.  Notably, the companies must maintain:

  • An incident response plan that, among other things, includes procedures for a network operations center to address network and server incidents, a security operations center to perform security monitoring and incident detection, and a security incident response team;
  • An internal audit framework for the IT cybersecurity program, which must conform to international standards for such programs;
  • A risk management program that focuses on privacy and security risks related to customer information as defined in 16 C.F.R. § 314.2(d); and
  • Policies and procedures related to the security of information systems and customer information that third-party service providers hold or can access, in accordance with the Safeguards Rule and the related NY DFS Rule.

Further, the companies must engage an independent third-party consultant to review these policies and procedures and make reports to a committee composed of representatives from the state regulators.