On January 9, 2025, 51 State Financial Regulatory Agencies (the “Agencies”) announced a coordinated consent order and settlement agreement with nonbank mortgage servicing companies (the “Companies”). The action followed a data breach that impacted 5.8 million customers, allegedly due to deficient cybersecurity practices, and also addressed an alleged lack of cooperation with state regulators.
The Companies are licensed as mortgage brokers, lenders, and/or servicers under the laws of each participating state. On October 11, 2021, a cybersecurity breach compromised the personal information of an estimated 5.8 million customers. The Agencies allege that deficient IT and cybersecurity practices were identified in contravention of federal and state-specific compliance laws and regulations. For example, they allege that the Companies had deficient IT patch management and deficient centralized IT vulnerability remediation monitoring and enterprise monitoring, among other issues. They also claim that the Companies did not fully comply with the examination authority of the Agencies.
The parties agreed that the Companies’ corporate governance frameworks related to the IT and cybersecurity programs will be monitored and that consumer remediation efforts will continue. The Companies will also pay an administrative penalty of $19,629,400, to be prorated among the participating states, as well as administrative costs.