Financial Services Superintendent Adrienne A. Harris announced that OneMain Financial Group LLC was fined $4.25 million for cybersecurity violations.
This firm has not provided effective risk management related to the activities of third-party service providers. Also, the company could not cope with the management of access privileges at the proper level. Another flaw in the functioning of the firm was the lack of acceptable support for the official methodology of application security development. These negative factors have caused a high level of vulnerability of OneMain in terms of the likelihood of destructive influence of criminal events in cyberspace.
Superintendent Harris says that the USA’s first DFS cybersecurity ordinance creates a framework through which licensees must act to protect their information systems and consumer data.
This settlement demonstrates the Department’s commitment to upholding licensees’ responsibilities. In this case, special attention is paid to those who have access to the personal financial information of consumers.
OneMain, a licensed lender and mortgage service provider, is a publicly-traded company. The firm specializes in subprime lending. The results of the investigation conducted by the department indicate that the company inefficiently managed user access rights to information systems. For example, local users with administrative rights had the opportunity to share accounts, which reduces the effectiveness of the tool for identifying interference from criminals.
The department’s investigation also testified that there was no formalized methodology in the OneMain application security policy that covers all stages of the company’s software development. The firm used an informal system of project administration developed by its own forces. As a result of this approach, vulnerability to cyber threats has emerged.
Also, OneMain did not conduct due diligence on some high- and medium-risk suppliers in a timely manner. This is actually ignoring the management rules of third-party vendors, which provide for determining the level of reliability in each case of interaction.
As we have reported earlier, Fertility App Fines $200,000 for Leaking Customer’s Health Data.
