September 1, 2023
On May 25th, 2023 NYSDFS published a press release which announced OneMain Financial Group, LLC failed to “effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.”. Resulting in a $4.25 million dollar settlement.
1. Failed to implement and maintain their BCDR plan and resources 500.03(e).
The business continuity and disaster recovery plan (BCDR) was found to have lacked some critical components which included a call tree, vendor list, emergency contact list, instructions on performing backup tests, and technical diagrams of the systems and networks.
2. Failed to maintain and review user access privileges, in violation of 23
NYCRR § 500.07.
There were multiple findings related to access privileges which resulted in the violation of section 500.07.
4. Failed to implement policies and procedures that protected Information
Systems and NPI during application development, in violation of 23 NYCRR § 500.08.
This section relates to policies and procedures used to protect the network and systems during application development. There were deficiencies with polices found:
4. Failed to provide its cybersecurity personnel with training sufficient to
address relevant cybersecurity risks and failed to verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures, in violation of 23 NYCRR § 500.10.
500.10 relates to training for cybersecurity threats, vulnerabilities, and testing. The findings:
5. Failed to ensure the security of the NPI that was accessible to, or held
by, its third-party service providers, in violation of 23 NYCRR § 500.11(a)
500.11 is all about third-party service vendors and their inherent risk to the internal network. The following findings were discovered:
OneMain shall continue to strengthen and remediate its controls and procedures to
protect its cybersecurity systems and consumers’ NPI in accordance with the relevant provisions
and definitions of 23 NYCRR Part 500. Within one hundred and eighty (180) days of the date of
this Consent Order”
Remediation is to occur within 180 days, which includes updates to the BCDR policy, a plan to review and maintain user access rights, maintain policies for NPI handling and Information Systems during application development, introduce training for cybersecurity risks, and update policies to ensure protection of NPI by third-parties.
Discover if your network meets the highest security standards with confidence.