
OneMain Financial hit with $4.25M fine over cybersecurity lapses

NYDFS imposes multimillion penalty on lender for alleged violations of the cybersecurity regulation


The New York Department of Financial Services (NYDFS) has announced a $4.25 million fine against OneMain Financial Group LLC. The penalty relates to OneMain's alleged violations of the Cybersecurity Regulation, also known as 23 NYCRR Part 500.

Specific information security integrity violations

NYDFS accuses OneMain of not implementing the precautions needed to manage risks associated with third-party service providers. It also claims that the firm did not properly oversee user access privileges and failed to establish a formal application security development process. According to NYDFS, these shortcomings persisted after the Cybersecurity Regulation took effect in March 2017 and increased the company's exposure to cyber threats.

Relevance of NYDFS information security policy and statements

The Cybersecurity Regulation (23 NYCRR Part 500) has set a precedent for other regulatory bodies, including the U.S. Federal Trade Commission, various states, the National Association of Insurance Commissioners, and the CSBS Nonbank Model Data Security Law. NYDFS Superintendent Adrienne A. Harris underlines the importance of this regulation in shaping the fundamental framework through which licensed firms must operate to safeguard their own information systems and customer data. Harris further added, "This settlement underscores our commitment to holding licensees, like OneMain, accountable, especially those handling sensitive financial data. Our aim is to ensure that all necessary steps are taken to protect the data of New Yorkers."

Specific deficiencies and consequences

OneMain, a licensed lender and mortgage servicer specializing in nonprime lending, has reportedly struggled to manage user access privileges effectively. Administrative users were allowed to share accounts, undermining the ability to trace actions back to a specific individual. Combined with the use of default passwords during user onboarding, this increased the risk of unauthorized access.

NYDFS identified further issues in the company's security policy, which lacked a robust methodology covering the entire software development life cycle. The in-house project administration framework did not adequately address essential aspects of that life cycle, leaving the company more exposed to cyber incidents.

Moreover, despite having a policy to manage third-party vendor risks, OneMain was found to have delayed the required due diligence for some high- and medium-risk vendors. Even after several cyber incidents caused by vendors' mishandling of non-public information and inadequate cybersecurity controls, OneMain reportedly failed to update the risk ratings of those vendors accordingly.


05/30/2023 15:39

Editorial AI
