May 25, 2023, New York’s Department of Financial Services (“DFS”) announced another enforcement action under the state’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”).  According to the press release, OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for alleged violations of Reg 500.  

In the Consent Order, DFS pointed to several provisions of Reg 500 for which it alleged OneMain came up short:

• 23 NYCRR § 500.03: requires all covered entities to implement and maintain a cybersecurity policy that is based on the covered entity’s risk assessment and addresses business continuity and disaster recovery planning and resources.
• 23 NYCRR § 500.07: requires covered entities to limit user access privileges to information systems that provide access to Nonpublic Information (“NPI”);
• 23 NYCRR § 500.08: requires covered entities to implement and maintain policies and procedures to protect information systems and NPI during application development and quality assurance operations;
• 23 NYCRR § 500.10(a)(3): requires covered entities to provide cybersecurity personnel with cybersecurity training and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures; and
• 23 NYCRR § 500.11(a): requires covered entities to implement written policies and procedures that address, among other things, due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party service providers.

These provisions of Reg 500 describe controls one might find in just about any cybersecurity framework, not just one focused on entities that provide financial services. For example, under the HIPAA Privacy and Security Rules, simply adopting a set of policies and procedures that address the standards under the Security Rule would be insufficient if they were not based on a risk assessment. That is, cybersecurity policies and procedures should reflect the threats and vulnerabilities to the organization identified in a risk assessment. Likewise, the New York SHIELD Act requires covered entities to “select[] service providers capable of maintaining appropriate safeguards,” not just require those safeguards by contract. The same is true for fiduciaries of ERISA-covered retirement plans – fiduciaries must exercise prudence in the selection of entities providing services to the plan.  

Among the examples provided in the Consent Order was a folder containing passwords, that was named “PASSWORDS.” DFS acknowledged the folder was encrypted and password protected, but cautioned that “anyone with access to that internal shared drive, which included personnel in OneMain’s call center, could rename, move, or delete the folder.” New York’s Attorney General recently released a guide for businesses on effective data security that addresses strong password hygiene.

Another area of concern cited by DFS was the management of third-party service providers. Having a written vendor assessment policy is not enough. According to DFS, the required due diligence to assess the cybersecurity risk of vendors must be performed timely. Allowing vendors to commence work prior to completing the assessment process is problematic. Also problematic is failing to adjust a cybersecurity risk score assigned to a third-party vendor after the vendor experience a cybersecurity event that arguably warrants a change to its risk profile.  

This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers.” Superintendent of Financial Services Adrienne A. Harris.

The Consent Order points out that it is not enough to establish a written cybersecurity program. That program must be actively managed and adjusted based on changing circumstances.