NewYork’s Department of Financial Services (DFS) brought its first enforcement action against a company over alleged violations of cybersecurity requirements.

The DFS filed a statement of charges against First American Title Insurance Co. alleging that a weakness in the company’s cybersecurity exposed consumers’ sensitive personal information, including bank account numbers, tax records and Social Security Numbers.

The regulator also alleged the company failed to promptly address the exposure after it was discovered in December 2018.

The allegations have not been proven. A hearing on the charges is scheduled for Oct. 26 at the DFS offices in New York.

In a statement, First American said it “strongly disagrees” with the charges. The company said its own investigation found “a very limited number of consumers” had their personal information accessed, and that there was “no evidence of misuse.”

“At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges,” the statement said.

The regulator’s cybersecurity rules were introduced in March 2017, although certain provisions weren’t fully implemented until 2019.

Last year, the DFS also created the first dedicated cybersecurity division at a financial industry regulator.