NY DFS Strikes Again on Cyber Fails
New York state regulators are at it again, serving up yet another enforcement action over poor cybersecurity practices that can serve as a quick case-study for the rest of us trying to figure out a sustainable way forward on cyber compliance issues.
The company in question this time is OneMain Financial Group, a publicly traded mortgage lender and loan servicing business. The New York Department of Financial Services (DFS) fined OneMain $4.25 million in a settlement announced Thursday, for a host of poor cybersecurity practices. Notably, this enforcement action was not about any particular breach of customer data; DFS simply took OneMain to task for sloppy cybersecurity practices. So if you’re looking for bad practices to avoid at your own company, pull up a chair.
OneMain’s issues first surfaced during a routine DFS regulatory examination, which escalated into a formal enforcement investigation as examiners kept finding more problems. Let’s start with access control, a pervasive headache for CISOs and internal auditors.
As described in the settlement order with DFS, OneMain’s internal audit team flagged numerous access control issues in 2018 and 2019. For example, the IT security team reviewed access privileges manually, which carries a high risk of human error at OneMain’s scale (hundreds of applications and more than 11,000 users). Internal audit also found administrative users sharing accounts, which makes it impossible to attribute any privileged action to a specific person, and therefore impossible to identify a malicious actor after the fact. It found accounts still using the default passwords OneMain had assigned to users when they were first onboarded. Passwords were stored on shared department drives, and although one file containing passwords was encrypted, it was also labeled “PASSWORDS” for anyone to see.
Another concern was OneMain’s in-house process for application development. According to DFS regulations, financial services firms (which develop a lot of apps themselves) are supposed to have written policies and procedures that include a formal methodology for the firm’s software development lifecycle. Instead, DFS examiners found that OneMain was using a project administration framework that it had developed internally — but that’s not the same as a formalized methodology.
Making matters worse, OneMain also failed to provide adequate secure coding training for its developers, even as those developers were building apps under an informal framework rather than a formal methodology.
Vendor Management Failures Too
DFS also requires financial firms to exercise control over their third-party vendors that might have access to the firm’s confidential data. Specifically, the firm needs written policies for due diligence of third parties and contractual protections relating to the third parties’ use of encryption and multi-factor authentication.
The good news: OneMain did have a third-party vendor management policy that required each vendor to undergo a risk assessment, which in turn determined the level of due diligence OneMain should perform on that vendor. The bad news: OneMain didn’t conduct due diligence in a timely manner for certain high-risk and medium-risk vendors, which rendered their risk ratings moot.
For example, OneMain allowed some vendors to begin working at OneMain before completing OneMain’s onboarding security questionnaire. Even more troubling, when cybersecurity events did happen thanks to a vendor’s poor cybersecurity controls, OneMain simply fired the offending vendor — but OneMain did not re-examine or enhance its own third-party risk management and due diligence procedures.
At least partly because of those third-party risk management shortcomings, OneMain did suffer several cybersecurity events over the course of four years, although none appear to have been major breaches warranting their own enforcement action and press release.
Cyber Lessons for the Rest of Us
This case caught my eye because it’s about failures of process, rather than specific cybersecurity breaches.
Yes, some breaches did occur, especially stemming from vendor risk management mistakes; but the settlement order spends most of its time talking about loose processes for access control, software development, and training. It tells the rest of us what types of process failures catch a regulator’s eye, which is good for an IT auditor or internal auditor to know.
We should also appreciate the issues with OneMain’s third-party risk management program that drew DFS fire. DFS was unhappy not only with OneMain’s loosey-goosey approach to vendor risk management, such as letting vendors begin work before their onboarding was completed. DFS was also unhappy because OneMain did not revisit its third-party risk management program after a third-party risk actually materialized. Let’s excerpt a few lines directly from the settlement order:
Additionally, OneMain failed to appropriately adjust the risk scores of several vendors after the occurrence of multiple Cybersecurity Events precipitated by the vendors’ improper handling of NPI and poor cybersecurity controls. Instead, OneMain simply terminated its relationship with each of the vendors and did so without simultaneously enhancing its own third-party service policies and procedures or due diligence processes.
That language points directly at something I’ve mentioned before about “reasonable assurance” in compliance programs: once you know that your program has failed, you can’t ignore that fact and allow your compliance program to continue operating as usual. You must pay more attention to that risk from there forward, because that’s what a reasonable person does in the conduct of their own affairs.
Last lesson: several deficiencies cited by DFS were first flagged by OneMain’s own internal audit team, yet the deficiencies persisted. Why? Did OneMain’s technology team lack the resources to resolve the problems in a timely manner? Did senior management and the board fail to emphasize the importance of resolving security deficiencies promptly?
Either way, it’s not a good look for a company, because it raises questions about the control environment, and that makes any regulatory examination or enforcement action that much more complicated and expensive. OneMain has a $4.25 million fine to prove it.