On May 25, 2023, the New York Department of Financial Services (“NYDFS”) announced a settlement with OneMain Financial Group LLC (“OneMain”), a licensed lender and mortgage servicer, for violations of the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500, between August 2017 and March 2020. The settlement requires OneMain to pay a $4.25 million penalty and, within 180 days, to implement and maintain appropriate business continuity, disaster recovery, access, and vendor management policies and procedures.
Through its enforcement investigation, NYDFS concluded that OneMain failed to establish and maintain a cybersecurity program designed to detect and recover from cybersecurity events, to protect the confidentiality and integrity of the company’s information systems, and to safeguard consumers’ non-public information, which increased the risk of cybersecurity events and resulted in multiple instances of customers’ information being exposed in 2017 and 2018.