On May 25, 2023, the New York Department of Financial Services (NYDFS) announced that OneMain Financial Group (OneMain) will pay a $4.25 million fine pursuant to a consent order to settle alleged violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500), which included improperly storing passwords and not sufficiently managing risk from third-party data storage. According to NYDFS, OneMain has also agreed to engage in significant remediation measures as part of the settlement.
The Cybersecurity Regulation went into effect in 2017 and mandates minimum cybersecurity standards for any banking, insurance and brokerage firms using a license to operate in New York.[1] OneMain is a licensed lender and mortgage servicer that specializes in non-prime lending, making the publicly traded company a covered entity subject to the Cybersecurity Regulation.
In its consent order, NYDFS claims that a review of OneMain’s cybersecurity policies uncovered deficiencies in compliance and internal controls that led to an enforcement investigation regarding violations of the Cybersecurity Regulation. NYDFS’s findings included the following:
- Lack of Documentation for Cybersecurity Policy–There was a lack of sufficient documentation to effectively implement and maintain a written policy to address business continuity and disaster recovery planning and resources (BCDR). The company’s BCDR was insufficient as it did not document the requirements, functions and interdependencies of their system.
- Lack of Limitations for Access Privileges–There were a number of issues with the requirement to limit access privileges, including storing key passwords in a shared folder named “PASSWORDS.” This vulnerability could allow anyone with access to that internal shared drive to alter, delete or move the folder.
- Application Security Problems–Although it conducted extensive in-house application development, the company’s written policies for protecting information systems and nonpublic information (NPI) did not include a formalized methodology covering the entire software development lifecycle.
- Cybersecurity Personnel and Intelligence Training Deficiencies–The company did not effectively track or adequately implement training for over 500 information technology employees. The company also did not provide secure coding training for its developers, which would have helped developers with identifying security vulnerabilities in their applications.
- Issues with Third-Party Service Provider Security Policy–While the company had vendor risk assessments that ranked the level of risk with the appropriate level of due diligence that should be performed, the company did not timely perform due diligence on certain high and medium risk vendors. Some vendors were allowed to begin working without completion of onboarding security questionnaires. Relatedly, when a vendor improperly handled NPI, the company did not adjust risk scores but simply terminated its relationship with the vendor, and did so without enhancing its own third-party policies.
According to the consent order, security gaps like these may have contributed to three cybersecurity events OneMain suffered from 2017 to 2020, and many of the gaps had previously been identified by the company's internal audit unit. This case parallels a similar order from NYDFS to EyeMed in October 2022, where the company settled for $4.5 million for alleged violations of the Cybersecurity Regulation in connection with a July 2020 email data breach.
Similar to the EyeMed settlement, OneMain agreed to take specific actions to improve its cybersecurity controls and procedures, including, but not limited to: implementation of a written BCDR policy with documentation, a proper access privilege plan and up-to-date personnel training. The consent order acknowledges OneMain’s cooperation and credits its ongoing efforts to continuously improve its cybersecurity program.
For more information on cybersecurity expectations for businesses in New York, the New York Attorney General’s (AG) recent publication on effective data security provides guidance based on the AG’s data breach-related investigations and prosecutions, including password hygiene, customer notice and other cybersecurity best practices.
[1] Covered entities include: partnerships, corporations, branches, agencies and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. 23 NYCRR § 500.1.