Superintendent of Financial Services Adrienne A. Harris announced today that OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500).
OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.
“DFS’s first-in-the-nation Cybersecurity Regulation creates the essential framework through which licensees must operate to best protect their own Information Systems and consumer data,” said Superintendent Harris. “This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers.”
OneMain, a licensed lender and mortgage servicer, is a publicly traded company specializing in nonprime lending. The Department’s investigation found, among other things, that OneMain had failed to effectively manage user access privileges to Information Systems that provide access to non-public information from its customers. For example, OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.
The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events.
Additionally, OneMain did not timely conduct due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor. OneMain further failed to appropriately adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls. As part of the settlement, OneMain has agreed to engage in further significant remediation measures.
DFS’s Cybersecurity Regulation became effective in March 2017, and it has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law. To review the OneMain consent order, visit the DFS website.