With one of the most stringent cybersecurity regulations in the U.S., and arguably the world, the New York Department of Financial Services (NYDFS) has been fining regulated companies millions of dollars for cybersecurity failures under 23 NYCRR 500 (Regulation) since 2020. Recently, it has been broadening the Regulation’s already rigorous obligations on a case-by-case basis through its consent orders. In this guest article, Frankfurt Kurnit partner Richard Borden reviews the key elements of the latest consent order, against OneMain Financial Group, LLC, discusses the issues with the NYDFS’ enforcement approach and offers practical compliance advice for entities subject to the Regulation. See “Cybersecurity Compliance Lessons From NYDFS’ Carnival Action” (Aug. 3, 2022).