California and 52 state financial regulatory agencies have announced a coordinated action against mortgage company Bayview Asset Management LLC and three of its affiliates: Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings (collectively, the Bayview Companies).
The action was taken over deficient cybersecurity practices and a lack of full cooperation with state regulators following a data breach that affected 5.8 million customers.
The business was assessed a $20m fine and corrective plan in the final settlement issued by the Conference of State Bank Supervisors, and the company has agreed to take specified corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to state regulators.
State regulators in California, Maryland, North Carolina, and Washington State led the multistate effort.
Malicious software
The case originated in October 2021, when a Bayview Asset Management employee unknowingly downloaded malicious software while conducting job-related internet searches, according to the settlement agreement.
Criminal actors exploited the breach, installing malware and extracting sensitive data, including personally identifiable information, from the company’s network.
Bayview and its affiliates responded by notifying affected consumers, offering support services, and providing free credit and identity theft monitoring.
While the companies informed various state and federal regulators and counterparties about the breach, they failed to meet the notification requirements of all state mortgage regulators in a timely manner, the settlement agreement states.
Cyber risk and mortgage firms
The 2021 data breach also prompted some civil lawsuits against Bayview and its affiliates.
Last month, the Office of the Comptroller of the Currency warned that cyber risk remains elevated for lenders.
Bayview’s experience is just one of a number of cyberattacks to have affected the mortgage industry. Other recent cases include First American, which reported such an incident in December 2023, less than a month after paying New York’s Department of Financial Services $1m in connection with a separate cybersecurity violation.
Also disclosed in December 2023: the personal data of every current and former customer of Mr. Cooper Group was stolen during an October cyberattack. One month before, Fidelity National Financial, one of the nation’s largest title insurance companies, had reported an attack.