New York’s Department of Financial Services signaled once again its intent to strongly enforce the state’s Cybersecurity Regulation by finding OneMain Financial Group violated the law in several ways and imposing a $4.25 million penalty payment.

DFS announced OneMain, which specializes in nonprime loans, “failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.” OneMain agreed to resolve the matter in a consent order with the state and said it has already taken action to address the violations.

The findings and settlement are the latest in a series of enforcements of the 2017 law known as Reg 500. New York has been active in enforcing the law, which it claims served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law. 

“DFS’s first-in-the-nation Cybersecurity Regulation creates the essential framework through which licensees must operate to best protect their own Information Systems and consumer data,” said Superintendent of Financial Services Adrienne A. Harris. “This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers.”

With the financial industry becoming increasingly reliant on digital platforms and data sharing, the state is expected to remain vigilant and prioritize cybersecurity to protect customer information. EyeMed paid a $4.5 million penalty late last year after the state found similar violations of the law.

OneMain Financial Group Left Itself Vulnerable to Cybersecurity Attacks

OneMain Financial Group, which reported more than $1 billion in revenue for the first quarter of 2023, specializes in loans to individuals who may face challenges securing financing from other lenders.

New York DFS found the company’s cybersecurity control failures significantly increased its vulnerability to cyber attacks and data breaches. Included in the findings are that OneMain:

  • failed to effectively manage user access to information systems that provide access to non-public information from its customers. In one instance, local administrative users shared accounts, compromising the ability to identify malicious actors. Those accounts used default passwords provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.
  • failed to implement an application security policy that addressed all phases of the company’s software development life cycle. Instead, the company used a “non-formalized project administration framework” developed in house, which failed to address key development phases, increasing the risk of cybersecurity events.
  • failed to conduct timely due diligence on vendors, despite the existence of a third-party vendor management policy requiring each vendor be assessed to determine the vendor’s risk rating. This led to the company failing to adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events because they improperly handled non-public information.

Some of the specific examples of violations included a folder named PASSWORDS that contained encrypted passwords available to anyone with access to an internal shared drive, a third-party vendor tasked with managing online payments providing unauthorized access to customers’ personal information because it did not purge old account numbers, and a hacker accessing emails from OneMain’s collections law firm that contained customer identifiers.

Companies Must be Proactive on Cybersecurity

With DFS paying such close attention to online security, companies subject to Reg 500 enforcement should be proactive about cybersecurity. Harris Beach offers a dynamic combination of legal and technical support to protect digital assets and business interests, as well as a rapid response team in the event of a breach. We provide a full range of data privacy and cybersecurity services – from compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advisement on following the National Institute of Standards and Technology protocols.

Our cybersecurity team of attorneys, information security and communications management professionals leverages its experience with highly regulated industries to provide the strategic counsel and guidance organizations need to manage the potentially devastating risks associated with the theft or compromise of intellectual property or the personal information of customers or employees.

Harris Beach also offers technical support, including compliance tools that support risk management., a wholly-owned subsidiary of Harris Beach, offers a first-of-its-kind solution: software that integrates the law. CyMetric is a cloud-based software, which streamlines the process of building, deploying, updating and assessing cyber and data privacy programs. Not only does it incorporate industry-standard security frameworks to ensure your policies meet or exceed regulatory requirements, it distills cybersecurity regulations into detailed controls to deliver policies that fit your risk tolerance and compliance requirements. This reduces dependency on legal counsel to provide regulatory mapping and cybersecurity compliance policies.

For more information on this alert or related subject matters, contact New York cybersecurity attorney Alan M. Winchester at (212) 313-5403.

This alert is not a substitute for advice of counsel on specific legal issues.

Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, Long Island, New York City, Rochester, Saratoga Springs, Syracuse and White Plains, as well as Washington D.C., New Haven, Connecticut and Newark, New Jersey.