NYDFS continues to roll out enforcement actions for cybersecurity lapses. The latest is with lender OneMain. According to NYDFS allegations in its Consent Order:
• This is the second cybersecurity enforcement action to arise from a routine examination, instead of a Cybersecurity Event.
• Meaning, as noted before, these enforcement actions are now routine.
• Third-Party Risk Management is front and center here:
  ◦ OneMain did not timely conduct due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy which required this.
  ◦ OneMain failed to adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of NPI and poor cybersecurity controls.
• OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and permitted those accounts to use the default password provided by OneMain at the time of user onboarding.