A mortgage servicer will pay $4.25 million to settle allegations it left customer information vulnerable to cyberattacks by failing to implement required controls under New York’s cybersecurity law.

OneMain Financial Group did not comply with requirements mandated by New York’s 2017 Cybersecurity Regulation, the New York State Department of Financial Services (NYDFS) stated in a consent order agreed to with the company and signed off on Wednesday.

The details: OneMain had written policies for conducting due diligence related to third parties, as required by the regulation, but did not follow them, the NYDFS said. One outcome of this failure was that from December 2017 through January 2018, a vendor that processed debit card payments for OneMain inadvertently gave some customers access to other customers’ personal data, the NYDFS alleged.

OneMain also failed to adjust risk scores for vendors when warranted, the regulator said.

The firm allowed administrators to keep default passwords and share accounts, which compromised its ability to prevent intrusions and identify malicious individuals, the NYDFS said.

“This settlement demonstrates the department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers such as OneMain, in taking all actions necessary to protect the data of New Yorkers,” said Adrienne Harris, superintendent of the NYDFS, in a press release.

Compliance considerations: OneMain agreed to complete a handful of remedial tasks within 180 days and provide written documentation of the completion to the NYDFS within the following 60 days.

The tasks include creating written policies and procedures to protect data of the company and mortgage applicants, address business continuity and disaster recovery planning, and putting in place a plan to review user access privileges.

The NYDFS credited OneMain for its cooperation, allocation of “significant” financial resources to remediation, and its ongoing efforts to resolve the shortcomings identified.

Company response: “OneMain is committed to being a leader in cybersecurity and will continue our substantial investments in our cybersecurity and data protection programs,” the company said in an emailed statement. “We are pleased to have resolved this historical matter relating primarily to a past examination of our policies from 2017 to early 2020, which the company has long since addressed. Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators.”

Adrianne Appel writes regulatory news, policy, and trends for Compliance Week. She previously reported about policy developments for Bloomberg Law and Bloomberg Government.

Topics