NYSDFS Announces $4,250,000.00 Penalty for Cybersecurity Control Failures

On May 25th, 2023 NYSDFS published a press release which announced OneMain Financial Group, LLC failed to “effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.”. Resulting in a $4.25 million dollar settlement. 

What were the cybersecurity deficiencies?

Overview of Violations of Law and Regulations

1. Failed to implement and maintain their BCDR plan and resources 500.03(e).

The business continuity and disaster recovery plan (BCDR) was found to have lacked some critical components which included a call tree, vendor list, emergency contact list, instructions on performing backup tests, and technical diagrams of the systems and networks.


2. Failed to maintain and review user access privileges, in violation of 23
NYCRR § 500.07.

There were multiple findings related to access privileges which resulted in the violation of section 500.07. 

  1.  A manual review process for over 11,000+ accounts conducted by the INFOSEC team on a periodic basis. 
  2. The use local administrative users sharing accounts. 
  3. Accounts used the default password provided during the time of onboarding. 
  4. Passwords found in a shared directory where access was not adequately restricted. A folder named “PASSWORDS” contained a file that could be moved, deleted, or renamed.

4. Failed to implement policies and procedures that protected Information
Systems and NPI during application development, in violation of 23 NYCRR § 500.08.

This section relates to policies and procedures used to protect the network and systems during application development. There were deficiencies with polices found: 

  • Lacked a formalized methodology for project administration 
  • Project administration/framework lacked key development life cycle phases

4. Failed to provide its cybersecurity personnel with training sufficient to
address relevant cybersecurity risks and failed to verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures, in violation of 23 NYCRR § 500.10.


500.10 relates to training for cybersecurity threats, vulnerabilities, and testing. The findings:

  • Failed to implement training for over 500 information technology employees 
  • Failure to provide secure coding training for developers
  • Failed to verify key cybersecurity personnel take steps to maintain cybersecurity knowledge up-to-date

5. Failed to ensure the security of the NPI that was accessible to, or held
by, its third-party service providers, in violation of 23 NYCRR § 500.11(a)

500.11 is all about third-party service vendors and their inherent risk to the internal network. The following findings were discovered:

  • failed to conduct timely due-diligence for high-risk and medium-risk vendors. 
  • allowed third-party vendors to begin working prior to completing the onboarding security questionnaire and third-party information risk acceptance. 
  • Failure to adjust the risk-score of third-party vendors precipitated by vendors’ improper handling of NPI and poor cybersecurity controls. 

OneMain shall continue to strengthen and remediate its controls and procedures to
protect its cybersecurity systems and consumers’ NPI in accordance with the relevant provisions
and definitions of 23 NYCRR Part 500. Within one hundred and eighty (180) days of the date of
this Consent Order” 


Remediation is to occur within 180 days, which includes updates to the BCDR policy, a plan to review and maintain user access rights, maintain policies for NPI handling and Information Systems during application development, introduce training for cybersecurity risks, and update policies to ensure protection of NPI by third-parties.

Are you compliant with NYSDFS?

Discover if your network meets the highest security standards with confidence.