Residential Mortgage Services (RMS) has agreed with New York state’s Department of Financial Services to pay $1.5m after failing to report a cyber breach.

An examination by the department last June uncovered evidence RMS suffered a cyber breach in 2019 which had not been reported to the department as required by the state’s Cybersecurity Regulation. 

The incident involved unauthorised access to the email account of an employee with access to a significant amount of sensitive personal data of mortgage loan applicants, the department (DFS) said.

“Until prompted to do so by DFS in 2020, RMS failed to conduct an investigation and identify the consumer data exposed,” it added.

The investigation – which the company cooperated with throughout – also found RMS did not have a comprehensive cybersecurity risk assessment as obliged under the Cybersecurity Regulation.

“It is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time,” said superintendent of financial services Linda Lacewell.  

As part of the settlement, RMS has agreed to improve its existing cyber security programme and ensure controls fully comply with the Cybersecurity Regulation.

Headquartered in South Portland, Maine, and a licensed mortgage banker, RMS collects private data in its day-to-day operations, closing thousands of mortgage loans annually. It operates in 21 states including New York, plus the District of Columbia.

PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.