Cyber lapses result in $4.25m penalty for OneMain Financial Group


OneMain, a lender specializing in loans for individuals with “nonprime” credit histories, has been fined $4.25 million by the New York State DFS due to significant cyber lapses.

The investigation revealed that the company had failed to effectively manage third-party service provider risk, control access privileges, and maintain a formal application security development methodology, leaving them vulnerable to cybersecurity events.

The DFS investigation highlighted several key areas where OneMain’s cybersecurity practices were lacking. One example was the company’s practice of allowing local administrative users to share accounts and utilize default passwords provided during onboarding. Furthermore, the company’s application security was found to have significant problems, as they used an internally developed, non-formalized project administration framework that failed to address crucial software development life cycle phases.

Another area of concern identified by the DFS was OneMain’s failure to appropriately assess third-party vendors’ cybersecurity risks, despite having a policy in place for determining risk ratings. This oversight was particularly troubling, as multiple cybersecurity incidents were directly linked to the improper handling of non-public information by these vendors.

Responding to the findings, OneMain Financial Group stated that they had already taken action to address the issues raised during the investigation. The company emphasized its commitment to enhancing its cybersecurity capabilities in accordance with industry best practices and in collaboration with regulatory authorities. OneMain acknowledged that cybersecurity is an evolving area and pledged to remain vigilant in mitigating future risks.

It is worth noting that OneMain Financial Group reported revenues of $1.09bn for the first quarter of 2023. The company’s specialization in providing loans to individuals who may face challenges securing financing from other lenders highlights the importance of robust cybersecurity measures to protect sensitive customer data.

The DFS and the New York State attorney general’s office have consistently demonstrated a proactive stance in pursuing cybersecurity settlements from companies operating in the state. Recent cases involving EyeMed, an insurer, and SHEIN, a retailer, exemplify their commitment to ensuring data protection. This week alone, the attorney general has also fined a sporting goods retailer and a medical management company for similar data protection lapses.

As the financial industry becomes increasingly reliant on digital platforms and data sharing, it is crucial for companies like OneMain Financial Group to prioritize cybersecurity to safeguard their customers’ information and maintain the trust of regulators and the public.

Last week, a Chinese cyberespionage initiative was detected that focuses on the essential infrastructure within Guam, an American territory in the Pacific Ocean, by Microsoft.

Copyright © 2023 RegTech Analyst

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst


The following investor(s) were tagged in this article.