NYDFS Fines OneMain $4.25M for Cybersecurity Failures

June 13, 2023

Reading Time : 3 min

On May 25, 2023, the New York Department of Financial Services (NYDFS) announced that  OneMain Financial Group (OneMain) will pay a $4.25 million fine pursuant to a consent order to settle alleged violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500), which included improperly storing passwords and not sufficiently managing risk from third-party data storage. According to NYDFS, OneMain has also agreed to engage in significant remediation measures as part of the settlement.

The Cybersecurity Regulation went into effect in 2017 and mandates minimum cybersecurity standards for any banking, insurance and brokerage firms using a license to operate in New York.1 OneMain is a licensed lender and mortgage servicer that specializes in non-prime lending, making the publically traded company a covered entity subject to the Cybersecurity Regulation.

In its consent order, NYDFS claims that a review of OneMain’s cybersecurity policies uncovered deficiencies in compliance and internal controls that led to an enforcement investigation regarding violations of the Cybersecurity Regulation. NYDFS’s findings included the following: 

  1. Lack of Documentation for Cybersecurity Policy–There was a lack of sufficient documentation to effectively implement and maintain a written policy to address business continuity and disaster recovery planning and resources (BCDR). The company’s BCDR was insufficient as it did not document the requirements, functions and interdependencies of their system.
  2. Lack of Limitations for Access Privileges–There were a number of issues with the requirement to limit access privileges, including storing key passwords in a shared folder named “PASSWORDS.” This vulnerability could allow anyone with access to that internal shared drive to alter, delete or move the folder.
  3. Application Security Problems–Although it conducted extensive in-house application development, the company’s written policies for protecting information systems and nonpublic information (NPI) did not include a formalized methodology covering the entire software development lifecycle.
  4. Cybersecurity Personnel and Intelligence Training Deficiencies–The company did not effectively track or adequately implement training for over 500 information technology employees. The company also did not provide secure coding training for its developers, which would have helped developers with identifying security vulnerabilities in their applications.
  5. Issues with Third-Party Service Provider Security Policy–While the company had vendor risk assessments that ranked the level of risk with the appropriate level of due diligence that should be performed, the company did not timely perform due diligence on certain high and medium risk vendors. Some vendors were allowed to begin working without completion of onboarding security questionnaires. Relatedly, when a vendor improperly handled NPI, the company did not adjust risk scores but simply terminated its relationship with the vendor, and did so without enhancing its own third-party policies.

According to the consent order, security gaps like these may have contributed to three cybersecurity events OneMain suffered from 2017-2020, and many of the gaps were identified by the company previously by its internal audit unit. This case parallels a similar order from NYDFS to EyeMed in October 2022, where the company settled for $4.5 million for alleged violations of the Cybersecurity Regulation in connection with a July 2020 email data breach (read more about that case here). 

Similar to the EyeMed settlement, OneMain agreed to take specific actions to improve its cybersecurity controls and procedures, including, but not limited to: implementation of a written BCDR policy with documentation, a proper access privilege plan and up-to-date personnel training. The consent order acknowledges OneMain’s cooperation and credits its ongoing efforts to continuously improve its cybersecurity program.

For more information on cybersecurity expectations for businesses in New York, the New York Attorney General’s (AG) recent publication on effective data security provides guidance based on the AG’s data breach-related investigations and prosecutions, including password hygiene, customers notice and other cybersecurity best practices.

Please contact a member of Akin’s cybersecurity, privacy and data protection team if you have any questions about the NYDFS Cybersecurity Regulation or how it may affect your company.

1 Covered entities include: partnerships, corporations, branches, agencies and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. 23 NYCRR § 500.1.

Share This Insight

Previous Entries

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

Data Dive

June 11, 2024

In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”1 While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.