OneMain is a sub-prime lender operating in 44 US states, with reported revenue of $4.37 billion in 2021.
An audit carried out by the New York Department of Financial Services (DFS) found deficiencies in compliance, internal controls, management, and technology systems:
- Failure to appropriately adjust the risk scores of several vendors after multiple Cybersecurity Events precipitated by those vendors' improper handling of nonpublic information (NPI) and poor cybersecurity controls.
- Specifically, an insufficient due diligence process before engaging third-party vendors, failure to properly monitor those vendors, and the Company's failure to ensure the use of secure development practices for in-house developed applications left OneMain more vulnerable to unauthorized access to customer NPI.
- On July 10, 2020, OneMain used its online portal to send a link containing code to hundreds of customers as the first stage of a software update rollout.
- This code was not thread-safe, and certain customers who logged into their accounts were unintentionally migrated to other account holders' documents.
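The thread-safety defect described above, reduced to a runnable illustration. This is an added example, not OneMain's code: the two services, the account names and the document names are constructed, and a barrier is used only to force the two concurrent requests to interleave deterministically. The vulnerable service keeps the "current account" in shared state, so one request serves another customer's documents; the hardened service keeps the account identity in a per-request context (Python 3.7+ `contextvars`).

```python
import threading
from contextvars import ContextVar

# Constructed sample data: which documents belong to which account.
DOCUMENTS = {"A": ["A-statement.pdf"], "B": ["B-statement.pdf"]}


class VulnerableService:
    """Keeps the 'current account' in shared state visible to every thread."""
    def __init__(self, gate):
        self.current_account = None
        self.gate = gate  # barrier makes the two requests interleave deterministically

    def handle(self, account):
        self.current_account = account          # step 1: note who logged in
        self.gate.wait()                        # the other request overwrites it here
        return DOCUMENTS[self.current_account]  # step 2: serve the "current" account


class HardenedService:
    """Keeps the account identity in a per-request context, never in shared state."""
    def __init__(self, gate):
        self.account = ContextVar("account")
        self.gate = gate

    def handle(self, account):
        self.account.set(account)               # each thread has its own context
        self.gate.wait()
        return DOCUMENTS[self.account.get()]


def run_concurrent(service_cls):
    """Serve accounts A and B concurrently; return {account: documents served}."""
    svc = service_cls(threading.Barrier(2))
    results = {}

    def request(acct):
        results[acct] = svc.handle(acct)

    threads = [threading.Thread(target=request, args=(a,)) for a in ("A", "B")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaked(results):
    """True if any account was served a document belonging to someone else."""
    return any(d not in DOCUMENTS[a] for a, docs in results.items() for d in docs)
```

With `VulnerableService`, exactly one of the two accounts is always served the other's statement; with `HardenedService`, each account only ever sees its own.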
According to the record of the enforcement action, OneMain committed the following specific violations of 23 NYCRR Part 500:
- Failure to implement and maintain written policies that adequately addressed its business continuity and disaster recovery (BCDR) planning and resources, in violation of 23 NYCRR § 500.03(e).
- Failure to maintain and review user access privileges, in violation of 23 NYCRR § 500.07.
- Failure to implement policies and procedures that protected Information Systems and NPI during application development, in violation of 23 NYCRR § 500.08.
- Failure to provide its cybersecurity personnel with training sufficient to address relevant cybersecurity risks, and to verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures, in violation of 23 NYCRR § 500.10.
- Failure to ensure the security of the NPI that was accessible to, or held by, its third-party service providers, in violation of 23 NYCRR § 500.11(a).