The New York Department of Financial Services (NYDFS) fined OneMain Financial Group $4.5 million under Regulation 23 NYCRR Part 500 for failing to meet the following requirements:
Effectively manage third-party service provider risk
Manage access privileges
Maintain a formal application security development methodology
Some specific examples cited by the NYDFS:
OneMain permitted local administrative users to share accounts, which undermined its ability to attribute actions to an individual and identify malicious actors. It also permitted those accounts to keep the default password assigned by OneMain at user onboarding, increasing the risk of unauthorized access.
Takeaways:
If you are a New York-covered entity, you had better be taking 23 NYCRR Part 500 seriously. The NYDFS certainly is.
Requiring a password change after initial login should be standard operating procedure, and administrative accounts should be assigned to a single named individual.
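The two findings above (shared local admin accounts and default passwords never rotated after onboarding) are both things an internal audit can detect from an account inventory. The script below is an added example, not code from the original post or from OneMain, and it runs over a small constructed inventory embedded inline. It assumes the export of local administrative accounts exposes, for each account, the people who hold it, the creation date, and the date the password was last set (the field names `owners`, `created` and `password_last_set` are assumptions for the example). An account whose password was last set on its creation date is treated as still carrying the onboarding default.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class LocalAdminAccount:
    # One row of an (assumed) local-admin inventory export.
    name: str
    owners: list            # individuals who use this account
    created: date           # onboarding / provisioning date
    password_last_set: date # when the password was last changed


def is_shared(acct: LocalAdminAccount) -> bool:
    """A shared account cannot be attributed to one person."""
    return len(acct.owners) > 1


def still_on_default_password(acct: LocalAdminAccount) -> bool:
    """Password never rotated after onboarding -> still the issued default."""
    return acct.password_last_set <= acct.created


def audit(accounts, today: date):
    """Return (account, finding, detail) tuples for every policy violation."""
    findings = []
    for a in accounts:
        if is_shared(a):
            findings.append((a.name, "shared-account",
                             f"{len(a.owners)} owners: {', '.join(a.owners)}"))
        if still_on_default_password(a):
            days = (today - a.created).days
            findings.append((a.name, "default-password",
                             f"password unchanged since onboarding {days} days ago"))
    return findings


# Constructed sample inventory (not real data): two violating accounts, one clean.
SAMPLE_ACCOUNTS = [
    LocalAdminAccount("admin-ws01", ["alice", "bob"], date(2023, 1, 10), date(2023, 1, 10)),
    LocalAdminAccount("admin-ws02", ["carol"], date(2023, 2, 1), date(2023, 2, 1)),
    LocalAdminAccount("admin-ws03", ["dave"], date(2023, 3, 5), date(2023, 3, 6)),
]


if __name__ == "__main__":
    for name, finding, detail in audit(SAMPLE_ACCOUNTS, date(2023, 7, 1)):
        print(f"{name}: {finding} ({detail})")
```

Run against a real export, any "default-password" hit is an account that should be forced to change its password at next login, and any "shared-account" hit should be split into per-person accounts so that log entries can be tied to an individual.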
Source: New York Department of Financial Services
Would you like a free, no-obligation Cybersecurity Benchmarking of your organization showing where you stand vs. industry-accepted practices? Click here to schedule a time with one of our associates.