NYFDS fines OneMain $4.25m for violations of Cybersecurity Regulation
“This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers.”
The New York Department of Financial Services has announced that OneMain Financial Group LLC will pay a $4.25 million penalty for violations of its Cybersecurity Regulation (23 NYCRR Part 500).
According to the NYDFS, OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology.
These failures significantly increased the company’s vulnerability to cybersecurity events, alleged the NYDFS which went live with its Cybersecurity Regulation in March 2017.
The Cybersecurity Regulation, 23 NYCRR Part 500, has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law.
Licensees must operate to best protect their own Information Systems and consumer data
NYDFS Superintendent Adrienne A. Harris said: “DFS’s first-in the-nation Cybersecurity Regulation creates the essential framework through which licensees must operate to best protect their own Information Systems and consumer data. This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers.”
OneMain is a licensed lender and mortgage servicer specializing in nonprime lending. OneMain allegedly failed to effectively manage user access privileges to Information Systems that provide access to non-public information from its customers.
For example, OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.
The NYDFS also concluded that the firm’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events.
In addition, OneMain did not timely conduct due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor.
Even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls, OneMain failed to appropriately adjust several vendors’ risk scores, NYDFS stated.