OneMain to pay $4.25M penalty to NY State for violations of DFS’s Cybersecurity Regulation
OneMain Financial Group LLC will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation. OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.
The Department’s investigation found, among other things, that OneMain had failed to effectively manage user access privileges to Information Systems that provide access to non-public information from its customers. For example, OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.
The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, which increased its vulnerability to cybersecurity events.
Additionally, OneMain did not conduct timely due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor. OneMain further failed to appropriately adjust several vendors’ risk scores even after multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls. As part of the settlement, OneMain has agreed to engage in further significant remediation measures.
DFS’s Cybersecurity Regulation became effective in March 2017, and it has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law.