New York State’s Department of Financial Services (DFS) announced this week that mortgage lender and servicer OneMain Financial will pay a $4.25 million penalty due to lapses in its cybersecurity controls by “failing to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology.”
This made the company significantly more vulnerable to cybersecurity attacks, the state’s finance department said in a statement announcing the settlement.
“DFS’s first-in-the-nation Cybersecurity Regulation creates the essential framework through which licensees must operate to best protect their own Information Systems and consumer data,” said DFS’ Superintendent of Financial Services Adrienne Harris. “This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers.”
OneMain, which specializes in nonprime lending, “failed to effectively manage user access privileges to Information Systems that provide access to non-public information from its customers,” DFS said in its announcement of the settlement.
For example, local administrative users were permitted to share accounts, making it more difficult to identify potentially bad actors. The investigation also found that those accounts often still used the default password provided at onboarding, which increased the potential for unauthorized access, DFS said.
“The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle,” DFS said. “Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events.”
The consent order stemming from the settlement also details instances where DFS identified lapses in application security, cybersecurity personnel and intelligence training as well as specific cybersecurity events that took place between 2017 and 2020.
The consent order also notes that OneMain was cooperative throughout the process, and credits its efforts to “remediate shortcomings” identified by DFS in its investigation.
“The Department also recognizes and credits OneMain’s ongoing efforts to remediate the shortcomings identified by the Department and to continuously improve its cybersecurity program,” the consent order said.