Bayview Asset Management Data Breach and $20M Settlement – CISO Analysis
- Avraham Cohen
- Apr 27, 2025
- 9 min read
If you are in a hurry -> Lessons Learned and Best Practices
Introduction
In January 2025, Bayview Asset Management LLC (a large nonbank mortgage servicer) and three affiliates (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings) agreed to a $20 million multistate settlement.
Fifty-three state financial regulators, with California, Maryland, North Carolina, and Washington leading the effort (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS), coordinated the action after a 2021 cyberattack that exposed 5.8 million consumers’ personal data (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS) (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle).
Regulators faulted Bayview for “deficient cybersecurity practices” and for failing to fully cooperate with the post-breach examination (California Joins States in Levying $20 Million Penalty Against Nation’s Largest Nonbank Mortgage Servicing Company - DFPI) (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS).
The settlement requires Bayview to pay the fine and undertake a corrective plan (improving its security program, undergoing independent reviews, and reporting for three years) (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS).
The breach began in October 2021 when a Bayview employee inadvertently downloaded malware during routine internet use (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov) (Bayview settles with 53 state regulators for $20m over cyberattack – Global Relay Intelligence & Practice).
Over the following weeks, threat actors installed additional malicious software and exfiltrated data, extracting personally identifiable information from Bayview’s systems (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov).
Eventually, about 5.8 million consumers’ records were compromised.
Bayview did notify affected customers and offered support services, but regulators found delays and gaps in reporting. In particular, Bayview did not notify all state regulators promptly as required by law, hampering supervisory review (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov) (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle).
In April 2022 the State Mortgage Regulators launched a targeted examination, during which Bayview initially failed to fully comply with information requests, delaying the exam process (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov) (Announcement: Settlement Agreement and Consent Order Against Bayview Asset Management, LLC ⋆ Department of Savings and Mortgage Lending).
Regulatory Enforcement and Claims
The multistate settlement is essentially an administrative enforcement action (not a private lawsuit) brought by state financial regulatory agencies under their licensing and examination authority.
The claims asserted fall into several categories:
Regulatory non-cooperation: Bayview was accused of violating exam authority by withholding information and responding late to examiners. CSBS and state regulators noted Bayview “did not fully cooperate with” the breach investigation (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS) and “failed to comply with state requests in a timely and complete manner” during the early examination (Announcement: Settlement Agreement and Consent Order Against Bayview Asset Management, LLC ⋆ Department of Savings and Mortgage Lending) (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov).
Deficient cybersecurity controls: Regulators identified multiple technical shortcomings in Bayview’s IT security. The consent order and press releases explicitly cite insufficient patch management, poor vulnerability scanning and remediation, inadequate IT asset tracking, and failures to encrypt sensitive data at rest (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). These deficiencies were deemed violations of federal/state data-security laws and mortgage licensing standards. In short, Bayview’s security program “did not meet federal or state requirements” (Announcement: Settlement Agreement and Consent Order Against Bayview Asset Management, LLC ⋆ Department of Savings and Mortgage Lending), amounting to regulatory violations (and effectively negligent risk management).
Failure to meet data-protection rules: Bayview was found to have violated various notification and data-safeguard obligations. For example, Maryland regulators noted Bayview “initially failed to notify [their] regulators of the breach as required by law” (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle). This suggests possible violations of state breach-notification laws and even federal privacy safeguards (e.g. GLBA Safeguards Rule). Although Bayview did eventually inform customers, the regulators treated the delays as a compliance failure.
Negligence and consumer-protection claims (litigation): Independent of the state action, Bayview and its subsidiaries also face civil lawsuits from impacted borrowers. Plaintiffs in a consolidated Florida case allege that Bayview (through its servicer affiliates) was “negligent in failing to protect their PII, including Social Security numbers” (Third servicer entangled in massive data breach litigation | National Mortgage News). These claims mirror typical data-breach negligence suits and invoke consumer-protection theories (though to date no consumer judgment or class settlement is reported).
In summary, regulators framed the enforcement around Bayview’s regulatory compliance failures and cybersecurity negligence.
The specific findings cited by the examiners include the above technical lapses and delays.
The collective action underscores that mortgage servicers have affirmative duties to safeguard data and to assist state examinations (California Joins States in Levying $20 Million Penalty Against Nation’s Largest Nonbank Mortgage Servicing Company - DFPI) (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle).
Technical Failures Identified
The official exam report (CSBS Multi-State Cybersecurity Examination) detailed the following key technical shortcomings in Bayview’s infrastructure:
Patch Management Gaps: Laptops, servers, or network devices had unpatched vulnerabilities. The consent order notes “insufficient IT patch management” (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov) as a deficiency. This likely allowed malware to persist.
Weak Vulnerability Remediation: There was no effective centralized system to track and remediate discovered vulnerabilities. Regulators found “insufficient centralized IT vulnerability remediation monitoring” (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov), meaning gaps in how Bayview identified and fixed security flaws.
Lack of Asset Inventory: Bayview did not maintain a robust inventory of IT assets and data. The consent cited “insufficient IT inventory tracking” (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). Poor asset management can lead to unmonitored systems where breaches can hide.
Missing Encryption: Not all sensitive information was encrypted at rest. The exam specifically pointed to “failure to appropriately encrypt certain personally identifiable information when that data was at rest” (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). Encryption at rest is a common requirement (e.g. under NYDFS rules) and its absence magnifies breach risk.
Incident Response Delays: Bayview’s breach response was slow. The initial attack (Oct 11, 2021) went largely unnoticed until malware triggered in late October. Even after discovery, Bayview’s notifications to some regulators lagged. Regulators cited both “inadequate information technology practices” and a “delayed response” that worsened the breach’s impact (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle) (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov).
These findings show that Bayview’s cybersecurity program was not commensurate with the risk.
They provided the factual basis for the regulators’ claims. (For example, regulators considered these gaps “violations of certain federal and state-specific compliance laws and regulations” (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov).)
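The three gaps the examiners named (no reliable asset inventory, no centralized remediation tracking, and PII stores left unencrypted at rest) are all visible in the same reconciliation a security team should be running continuously. The following is an added example, written for this analysis and not code from Bayview or from any regulator: it joins a constructed asset inventory with constructed scanner findings, flags findings open past a per-severity SLA, flags hosts the scanner sees but the inventory does not know about, and lists PII stores recorded as unencrypted. Hostnames, vulnerability ids, dates and the SLA values are all placeholders.

```python
"""Reconcile asset inventory, vulnerability findings and encryption status.

Added example (not from the article, Bayview or the regulators). Every
record and policy value below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    stores_pii: bool          # does this system hold personal data?
    encrypted_at_rest: bool   # is that data encrypted on disk?


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str              # constructed placeholder ids, not real CVE numbers
    severity: str             # "critical" | "high" | "medium" | "low"
    first_seen: date
    remediated: Optional[date]  # None while the finding is still open


# Remediation SLA in days per severity (constructed policy, not a legal requirement).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed asset inventory. Note that "lap-77" is deliberately missing:
# the scanner knows it, the inventory does not.
INVENTORY: List[Asset] = [
    Asset("web-01", "app-team", stores_pii=False, encrypted_at_rest=True),
    Asset("db-01", "data-team", stores_pii=True, encrypted_at_rest=True),
    Asset("file-02", "ops", stores_pii=True, encrypted_at_rest=False),
]

# Constructed scanner output as of the report date below.
TODAY = date(2021, 10, 11)
FINDINGS: List[Finding] = [
    Finding("web-01", "V-1001", "critical", date(2021, 9, 1), None),
    Finding("web-01", "V-1002", "high", date(2021, 9, 20), date(2021, 9, 30)),
    Finding("db-01", "V-1003", "medium", date(2021, 8, 1), None),
    Finding("lap-77", "V-1004", "high", date(2021, 9, 5), None),
]


def overdue_findings(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """Open findings older than their severity's SLA, as (host, id, days overdue)."""
    out = []
    for f in findings:
        if f.remediated is not None:
            continue                      # closed findings are not tracked here
        age = (today - f.first_seen).days
        limit = SLA_DAYS[f.severity]
        if age > limit:
            out.append((f.host, f.vuln_id, age - limit))
    return sorted(out)


def unknown_hosts(inventory: List[Asset], findings: List[Finding]) -> List[str]:
    """Hosts that produce scanner findings but are absent from the inventory."""
    known = {a.host for a in inventory}
    return sorted({f.host for f in findings} - known)


def unencrypted_pii_stores(inventory: List[Asset]) -> List[str]:
    """Assets recorded as holding PII without encryption at rest."""
    return sorted(a.host for a in inventory if a.stores_pii and not a.encrypted_at_rest)


def remediation_report(inventory: List[Asset], findings: List[Finding], today: date) -> Dict[str, list]:
    """Single view an examiner would ask for: what is late, unknown, or unencrypted."""
    return {
        "overdue": overdue_findings(findings, today),
        "unknown_hosts": unknown_hosts(inventory, findings),
        "unencrypted_pii_stores": unencrypted_pii_stores(inventory),
    }


if __name__ == "__main__":
    for key, rows in remediation_report(INVENTORY, FINDINGS, TODAY).items():
        print(key, rows)
```

Each of the three lists maps to one of the consent order's findings, and a non-empty "unknown_hosts" list is the signal that the inventory, not just the scanner, needs fixing: a host the inventory does not own has no patch owner either.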
Claims and Legal Theories
Although this enforcement action was brought by regulators, it implicates familiar legal concepts.
CISOs should note the following claim types at play:
Regulatory Violations: The core of the case is violation of state licensing and supervision laws. In effect, Bayview breached the conditions of its mortgage servicer licenses by having an inadequate cybersecurity program and by obstructing exams (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS) (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). Regulators can impose administrative penalties for such violations.
Negligence: Borrowers’ lawsuits characterize Bayview’s failures as ordinary negligence or breach of duty. Courts have already consolidated claims against Bayview’s affiliates, accusing them of “negligence in failing to protect … PII” (Third servicer entangled in massive data breach litigation | National Mortgage News). While not part of the $20M deal, these suits underscore that technical lapses can support liability to consumers.
Consumer Protection/Fair Dealing: Though not explicitly cited in the settlement, poor data security can also trigger consumer-protection statutes (unfair practices) or breach of fiduciary duty claims under mortgage regulations. Regulators implied consumer harm by emphasizing the need to protect “consumer data” (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS) (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle). Mortgage laws often require servicers to protect borrower information; violating those can be deemed an “unfair or deceptive act.”
Exam Compliance and Disclosure Requirements: Separate from negligence, regulators treat non-disclosure to examiners as a distinct violation. Bayview’s initial refusal to share privileged incident reports violated state record-keeping requirements (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). This can be analogized to contempt or obstruction in a regulatory context.
Overall, the settlement focuses on regulatory non-compliance and cybersecurity negligence, but it also reflects consumer-protection concerns (holding companies accountable for data harms).
CISOs should view all these as intertwined risks.
Lessons Learned and Best Practices
To avoid similar enforcement actions and liabilities, CISOs should ensure robust security and regulatory processes.
Key best practices include:
Comprehensive Patch and Vulnerability Management: Establish formal patching policies and vulnerability-scanning programs. The Bayview case highlights that failing to apply security updates or track software vulnerabilities invites breaches (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). Maintain an asset inventory so no systems fall through the cracks. Use tools (e.g. automated patch deployers, CVE scans) to track remediation.
Encryption of Sensitive Data: Encrypt personally identifiable information both at rest and in transit. Regulators faulted Bayview for leaving PII unencrypted in storage (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). Industry standards (GLBA, NYDFS 500, etc.) expect encryption or equivalent protections. Where possible, tokenize or remove sensitive data from live systems.
Network Segmentation and Access Controls: Limit the blast radius of malware. Use network segmentation (especially between corporate and production systems) and implement strong access controls/MFA. If the Bayview breach had been isolated, lateral spread could have been reduced.
Employee Security Awareness: Since the incident started with a malicious download, ongoing training is vital. Regularly train employees on phishing and malware avoidance (simulated phishing exercises can help). Monitor and restrict web browsing as appropriate. A single wrong click by one user can undermine security.
Incident Response and Regulatory Notification Plans: Have a tested breach response plan that includes communication protocols. Immediately engage IT, legal, and compliance teams upon detecting an incident. Notify regulators and impacted consumers in accordance with legal timelines. Bayview was criticized for late notifications to some state regulators (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov) (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle); next time, ensure all obligations (state and federal) are met promptly. Document all steps and maintain evidence for examiners.
Full Cooperation with Examinations: Treat regulatory exams and inquiries as top priorities. Provide requested documents completely and transparently. The case shows that withholding or delaying information can itself become an enforcement issue (Announcement: Settlement Agreement and Consent Order Against Bayview Asset Management, LLC ⋆ Department of Savings and Mortgage Lending) (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov). Build a culture of compliance: prepare answers, preserve logs, and designate liaisons to work with examiners.
Independent Security Assessments: Regularly engage third-party auditors or penetration testers. As part of the settlement Bayview must have independent assessments of its cybersecurity. Proactively doing this can identify weaknesses before regulators do. Follow industry frameworks (NIST CSF, CIS Controls, ISO 27001) and standards. Maintain documentation of these reviews to show diligence.
Cybersecurity Program Governance: Align your program to regulatory standards (e.g. NYDFS Cybersecurity Regulation, FFIEC guidance, GLBA). Establish clear policies, roles, and periodic reporting on security metrics. Bayview’s corrective requirements include updating its program to meet “federal standards and New York State DFS regulations”, indicating regulators expect compliance with published rules. CISOs should ensure policies are up to date and enforced.
Consumer Data Minimization: Limit the data you collect and retain. The more data stored, the greater the breach impact. Implement data retention and deletion policies so that sensitive data older than needed is securely purged. This reduces the scope of any incident and demonstrates good-faith data stewardship.
Cyber Insurance and Budgeting: While not a technical control, ensure you have adequate cyber insurance (which may require robust security measures as underwriting conditions). Invest in security commensurate with risk. The $20M penalty underscores that under-investing in security can be far costlier than funding protections upfront.
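The notification lapses the regulators cited come down to a tracking problem: once an incident is discovered, each regulator and each group of consumers has its own clock, and the team must know which clocks have been satisfied, which are running, and which have already expired. The following is an added example, written for this analysis and not code from Bayview or from any regulator, of such a tracker. The obligation table and every date in it are constructed placeholders; the day counts are not the statutory deadlines of any state or agency and must be replaced with the real ones from legal counsel.

```python
"""Track breach-notification obligations against their deadlines.

Added example (not from the article, Bayview or any regulator). The
obligation periods below are PLACEHOLDERS, not real statutory deadlines.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed obligation table: party to notify -> days allowed after discovery.
OBLIGATIONS: Dict[str, int] = {
    "state-regulator-A": 3,
    "state-regulator-B": 10,
    "affected-consumers": 30,
}


def due_dates(discovered: date, obligations: Dict[str, int] = OBLIGATIONS) -> Dict[str, date]:
    """Deadline per party, counted from the discovery date."""
    return {party: discovered + timedelta(days=days) for party, days in obligations.items()}


def notification_status(discovered: date, sent: Dict[str, Optional[date]], today: date,
                        obligations: Dict[str, int] = OBLIGATIONS) -> Dict[str, str]:
    """Classify each obligation as on-time, late, overdue (not sent, deadline passed)
    or pending (not sent, deadline still ahead)."""
    status = {}
    for party, due in due_dates(discovered, obligations).items():
        sent_on = sent.get(party)
        if sent_on is None:
            status[party] = "overdue" if today > due else "pending"
        else:
            status[party] = "on-time" if sent_on <= due else "late"
    return status


def open_obligations(status: Dict[str, str]) -> List[str]:
    """Parties still owed a notification, most urgent (already overdue) first."""
    overdue = sorted(p for p, s in status.items() if s == "overdue")
    pending = sorted(p for p, s in status.items() if s == "pending")
    return overdue + pending


# Constructed incident timeline for the worked case.
DISCOVERED = date(2021, 10, 25)
SENT: Dict[str, Optional[date]] = {
    "state-regulator-A": date(2021, 10, 27),   # within its window
    "affected-consumers": date(2021, 12, 1),   # after its window
    # state-regulator-B never notified
}
AS_OF = date(2021, 11, 10)


if __name__ == "__main__":
    status = notification_status(DISCOVERED, SENT, AS_OF)
    for party, due in due_dates(DISCOVERED).items():
        print(f"{party:20} due {due}  {status[party]}")
    print("still owed:", open_obligations(status))
```

Run daily from the incident ticket, the "overdue" list is exactly what an examiner will later ask about, and the per-party dates double as the evidence log the article recommends keeping.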
By applying these measures, organizations can significantly lower the chance of a breach and mitigate legal exposure.
The Bayview settlement is a reminder that regulators will hold companies accountable for the full cycle of data protection – from preventive security controls to transparent communication during investigations.
CISOs must view regulatory compliance and cybersecurity hygiene as twin pillars of a defensible security program.
References: News reports and official releases on Bayview’s breach and settlement (State Regulators Levy $20 Million Penalty on Nation’s Largest Nonbank Mortgage Servicing Company | CSBS) (California Joins States in Levying $20 Million Penalty Against Nation’s Largest Nonbank Mortgage Servicing Company - DFPI) (Announcement: Settlement Agreement and Consent Order Against Bayview Asset Management, LLC ⋆ Department of Savings and Mortgage Lending) (Maryland Secures $564K in Settlement Over Data Breach Impacting Thousands - The Southern Maryland Chronicle) (Bayview Asset Management LLC and Affiliates Consent Order | Mass.gov) (Third servicer entangled in massive data breach litigation | National Mortgage News). (All sources U.S.-based, Jan 2025)