OneMain Financial Group was fined $4.25 million by the New York Department of Financial Services after THREE cybersecurity events revealed the company failed to follow basic cybersecurity controls and required third-party due diligence.
Problems included: internal sharing of passwords, including storing all of them in a folder called "Passwords" (yes, you read that correctly); reliance on manual audits to review over 11,000 users across hundreds of applications (a human-error problem); internal audit findings that were ignored even then; and subsequent DFS audits that detected still more problems the internal audit had missed.
Aside from cybersecurity issues, their problems were compounded by failing to adhere to required third-party due diligence best practices.
The vendor issues, including a lack of “appropriate level of due diligence,” saw the company relying on at least eight business partners deemed high-risk and medium-risk. In multiple instances, DFS found OneMain allowed a vendor to begin work, even after making those risk-based determinations.
What’s more, “OneMain failed to appropriately adjust the risk scores of several vendors after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of NPI and poor cybersecurity controls,” according to DFS. “Instead, OneMain simply terminated its relationship with each of the vendors and… without… enhancing its own third-party service policies.”
Many of these problems can be avoided, which is why Venture Lynk offers a comprehensive due diligence review of your vendors as well as the cybersecurity know-how to help your company avoid a similar fate.
Read more at SC Media.