
Cyber Bites

NYDFS fines OneMain Financial Group $4.5m for Cybersecurity Violations

The New York Department of Financial Services (NYDFS) fined OneMain Financial Group $4.5 million under Regulation 23 NYCRR Part 500 for failing to:

  • Effectively manage third-party service provider risk

  • Manage access privileges

  • Maintain a formal application security development methodology

Some specific examples cited by the NYDFS:

OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.


  1. If you are a New York-covered entity, you better be taking 23 NYCRR Part 500 seriously. The NYDFS certainly is.

  2. Requiring a password change after initial login should be standard operating procedure.

Source: New York Department of Financial Services
