
NYDFS 500 Penalties: Real Enforcement Actions and What They Cost

The New York Department of Financial Services has moved past warnings. Here are the actual penalties firms have paid, how DFS calculates fines, and what you can do to stay off the list.

NYDFS has started enforcing 23 NYCRR 500

When 23 NYCRR 500 took effect in March 2017, the NYDFS spent a few years focused on education and voluntary compliance. That period is over. Starting in 2020, the Department began bringing enforcement actions with real financial penalties. The 2023 amendments added more specific requirements and gave DFS stronger enforcement authority under Section 500.20.

Under New York Banking Law and Insurance Law, the NYDFS can impose penalties of up to $1,000 per violation per day for each day the violation continues. When a single violation (such as failing to implement MFA) persists for months or years, the total grows quickly.

Real enforcement actions

First American Title Insurance Company (2023)

In November 2023, First American Title agreed to pay a $1 million penalty to settle charges that it violated 23 NYCRR 500 by failing to properly remediate a known vulnerability. The company had discovered a vulnerability in its EaglePro application in May 2019 that exposed over 880 million document images containing sensitive personal data (Social Security numbers, bank account details, mortgage records). DFS found that First American did not follow its own patch management procedures, did not conduct an adequate risk assessment of the vulnerability, and did not properly classify the data exposed.

Specific violations cited: Section 500.2 (cybersecurity program), 500.3 (cybersecurity policy), 500.7 (access privileges), 500.9 (risk assessment), and 500.14(b) (monitoring).

Excellus Health Plan (2021)

Excellus Health Plan, a health insurer licensed in New York, agreed to pay $5.1 million to settle charges related to a data breach that went undetected for over a year. Attackers accessed systems containing information on more than 9.3 million individuals between December 2013 and May 2015. DFS found that Excellus had not implemented sufficient cybersecurity controls, had not conducted a timely risk assessment, and had not adequately restricted access to sensitive data.

Residential Mortgage Servicer (2022)

A New York-licensed mortgage servicer agreed to a $1.5 million penalty and a consent order requiring a full remediation program. The violations: no MFA (Section 500.12), no qualified CISO (Section 500.4), and no regular cybersecurity reporting to the board of directors.

EyeMed Vision Care (2022)

EyeMed, a licensed health insurer, agreed to pay $4.5 million after a phishing attack compromised an email account containing about 2.1 million individuals' data. DFS found that the compromised email account had no MFA, the firm had not limited data retention in email mailboxes, and the risk assessment did not address email security risks. Violations included Sections 500.7 (access privileges), 500.12 (MFA), and 500.15 (encryption).

How penalties are calculated

The NYDFS calculates penalties based on several factors:

  • Per violation, per day. Each section of 23 NYCRR 500 that is violated counts as a separate violation. Each day the violation continues is a separate occurrence. A firm violating three sections for 365 days faces potential penalties of 3 x 365 x $1,000 = $1,095,000 at minimum.
  • Severity of harm. Was customer data actually exposed? How many individuals were affected? This influences the final penalty amount.
  • Duration of non-compliance. How long did the violation persist before it was discovered and remediated? Longer durations result in higher penalties.
  • Cooperation. Firms that self-report and begin fixing things quickly tend to get lower penalties than those that stonewall or drag their feet.
  • Prior history. Repeat offenders face higher penalties. A clean compliance history works in your favor.

Consent orders vs penalties

Most NYDFS enforcement actions result in a consent order, not a courtroom judgment. In a consent order, the firm agrees to:

The remediation costs often exceed the penalty itself. Hiring an independent monitor, rebuilding your cybersecurity program under regulatory supervision, and filing compliance reports can easily add another $100,000 to $500,000+ on top of the fine.

What triggers an investigation

DFS investigations typically begin through one of these channels:

Common violations that lead to penalties

Looking across the published enforcement actions, these are the sections most frequently cited:

How to reduce your risk

  1. Implement MFA on everything. This is the most common finding by a wide margin. Put MFA on email, remote access, VPN, custodian portals, and any application that stores NPI.
  2. Conduct and document your risk assessment annually. Date it. Sign it. Store it somewhere retrievable. Address the findings with specific remediation actions.
  3. File your annual certification on time. The certification deadline is April 15 each year. Missing it draws attention.
  4. Report cybersecurity events promptly. The 72-hour notification requirement under 500.17(a) is strict. Late reporting compounds the problem.
  5. Keep evidence of everything. A policy without evidence of implementation is a liability, not an asset. Track training completions, access reviews, vulnerability scans, and risk assessment actions.
  6. Close gaps before the examiner finds them. The firms that get penalized are usually not the ones who had a gap and fixed it. They are the ones who knew about the gap and sat on it.

If you want a platform that tracks all of this and generates the evidence trail DFS expects, BlackSheep starts at $249/month.
