The $4.25 million fine is the result of a consent order from the New York State Department of Financial Services. OneMain Financial Group says it has since resolved the security issues.
05/31/2023 9:25 A.M.
The New York State Department of Financial Services (DFS) announced last week that OneMain Financial Group, a lender and mortgage servicer, will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation.
“DFS’s first-in-the-nation Cybersecurity Regulation creates the essential framework through which licensees must operate to best protect their own Information Systems and consumer data,” said Superintendent of Financial Services Adrienne A. Harris in a press release issued May 25. “This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers.”
In its release, DFS said it found that OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.
OneMain Financial Group provided the following statement on the consent order to ACA International:
“OneMain is committed to being a leader in cybersecurity and will continue our substantial investments in our cybersecurity and data protection programs. We are pleased to have resolved this historical matter relating primarily to a past examination of our policies from 2017 to early 2020, which the company has long since addressed. Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators.”
In addition to paying the fine, the settlement provisions require OneMain to:
- Implement a written policy to address Business Continuity and Disaster Recovery planning and the maintenance of documentation;
- Implement a plan to properly review and maintain user access privileges;
- Maintain and implement written policies and procedures for the protection of the company’s Information Systems and the NPI stored on those information systems during application development;
- Implement training procedures sufficient to address relevant cybersecurity risks and verify that key cybersecurity personnel have completed training sufficient to maintain current knowledge of changing cybersecurity threats and countermeasures; and
- Update its policies and procedures to ensure protection of NPI that is accessible to, or held by, third parties.
The consent order acknowledges that OneMain was cooperative throughout the investigation.
It notes that DFS “also recognizes and credits OneMain’s ongoing efforts to remediate the shortcomings identified by the Department and to continuously improve its cybersecurity program. Among other things, OneMain has demonstrated its commitment to remediation by devoting significant financial and other resources to its cybersecurity program.”
Read the consent order (PDF) here.
ACA SearchPoint highlight: For more information on data security, ACA members can review these SearchPoint documents: Payment Card Data Security and State Requirements for Record Maintenance and Disposal.