In a press release dated May 25, 2023, the New York Department of Financial Services (“DFS”) announced a Consent Order with OneMain Financial Group LLC (“OneMain”) for failing to comply with the DFS Cybersecurity Regulation (23 NYCRR Part 500). This is the tenth such enforcement action announced by the DFS.

The Consent Order followed a full-scope examination by the DFS that found deficiencies in OneMain’s compliance, internal controls, management, and technology systems, and an enforcement investigation that identified violations of the Cybersecurity Regulation. Under the Consent Order, OneMain must pay a civil monetary penalty of $4.25 million and undertake various remediation steps.

The Consent Order identified five areas of non-compliance with the Cybersecurity Regulation, namely OneMain’s failure to: (1) “implement and maintain a cybersecurity policy” for business continuity and disaster recovery (“BCDR”) based on a risk assessment, as required by 23 NYCRR § 500.03; (2) limit user access privileges to certain electronically stored nonpublic information, as required by 23 NYCRR § 500.07; (3) implement policies and procedures to protect its systems during “application development” and “quality assurance operations,” as required by 23 NYCRR § 500.08; (4) provide its personnel with adequate cybersecurity training, as required by 23 NYCRR § 500.10(a)(3); and (5) implement policies and procedures to vet the cybersecurity practices of third-party service providers, as required by 23 NYCRR § 500.11(a).

The DFS was critical of OneMain’s failure to document its BCDR plan, noting in pointed language that “documentation is the cornerstone of an effective BCDR strategy.” Another of the DFS’s allegations centered on OneMain’s deficient password security. The company stored a list of key passwords in a shared folder titled “PASSWORDS” that could be accessed by anyone within the company. Although the file was encrypted and password protected, the DFS alleged that this storage arrangement provided an easy target for hackers; the underlying problem is that a file every employee can copy can be attacked offline at leisure, and the password that unlocks it must itself be widely shared, so encryption does not substitute for restricting who can reach the file in the first place. Additionally, many OneMain administrative accounts were still using the default password assigned during initial setup, credentials that are publicly documented and among the first an attacker will try. The DFS also highlighted OneMain’s failure to provide “secure coding training” for its developers, demonstrating its willingness to examine highly technical details in making its findings of violations. According to paragraph 23 of the Consent Order, OneMain had previously identified several of these issues in its own internal audits, yet failed to correct them.

The Consent Order demonstrates the DFS’s continued focus on vendor management. The DFS pointed to OneMain’s onboarding of certain vendors before completing its due diligence process. The DFS also faulted OneMain for failing to update its risk assessments of certain vendors after those vendors had suffered multiple security breaches, even though OneMain ultimately terminated its relationships with those vendors.

OneMain agreed to take steps to remediate its failures in these areas in addition to paying the monetary penalty.

This most recent enforcement action demonstrates the DFS’s continuing effort to hold Covered Entities accountable for violations of the Cybersecurity Regulation. It is also a reminder of the importance of complying with the Regulation and, in particular, of the need to evaluate and continuously monitor the cybersecurity practices of third-party vendors, not only at onboarding but throughout the relationship.