NYDFS has fined 27 companies more than $144 million for Part 500 violations (NYDFS, Oct. 2025). MFA failures have been cited in at least six DFS enforcement actions since 2021 — most recently PayPal (Jan 2025) and Healthplex (Aug 2025). We implement the controls NYDFS examiners verify — and format reports for DFS review.
NYDFS 23 NYCRR Part 500 is the New York Department of Financial Services cybersecurity regulation that applies to all DFS-licensed entities — including banks, insurance companies, mortgage lenders, RIAs, and fintechs. It mandates a documented cybersecurity program, annual penetration testing, universal MFA, incident response planning, and certification signed by the highest-ranking executive and CISO each April 15 (§ 500.17(b)).
$144M+
Part 500 penalties across 27 NYDFS consent orders (NYDFS, Oct. 2025)
72 hours
Breach reporting window under § 500.17
April 15
Annual certification deadline — signed by your highest-ranking executive and CISO (§ 500.17(b))
Every Part 500 requirement has a corresponding control. We implement the control, document the evidence, and format deliverables for DFS examiner review.
| Section | Requirement | Fortress Service |
|---|---|---|
| § 500.5 | Annual Penetration Testing | Network Penetration Testing |
| § 500.9 | Annual Risk Assessment | Compliance Advisory |
| § 500.12 | MFA for All Individuals Accessing Any Information System | Architecture Hardening |
| § 500.13 | Written Asset Inventory | Managed Network Infrastructure |
| § 500.16 | Incident Response Plan | IR Retainer |
| § 500.20 | CISO Designation | vCISO Services |
| Annual | Compliance Certification (Highest-Ranking Executive + CISO) | Compliance Program Management |
NYDFS is actively enforcing Part 500. MFA failures and breach notification delays are the most common triggers. These are real penalties issued to covered entities.
OneMain Financial
$4.25M
Shared admin accounts on default passwords, weak access privilege management, and lapsed vendor due diligence (NYDFS consent order, May 2023).
Healthplex
$2M
MFA failure and breach notification delay beyond the 72-hour window.
GEICO + Travelers
$11.3M combined
Data breaches via online quoting tools exposing personal data of 120,000+ New Yorkers; joint NY AG/NYDFS settlement, Nov. 2024.
Pattern: NYDFS is actively enforcing MFA requirements across all covered entities. The 2023 amendments extended the MFA mandate to every individual accessing any information system — not just remote access. Firms that have not implemented universal MFA are the highest-risk targets for examination findings.
NYDFS 23 NYCRR Part 500 applies to any entity licensed, registered, chartered, or otherwise authorized to operate under New York banking, insurance, or financial services law. The following entity types are covered:
If your firm holds any New York DFS license or operates in a DFS-regulated activity, you are almost certainly a covered entity. We will confirm your coverage status and scope of obligations at no charge as part of an initial consultation.
Schedule a Free ConsultationFrom gap assessment to annual certification support — a fixed timeline with clear deliverables at each stage.
Map your current controls against Part 500 requirements section by section. Identify what is missing, what is misconfigured, and what puts you at enforcement risk.
Implement required controls: universal MFA, annual penetration test, incident response plan, written asset inventory, and encryption verification.
Produce documentation formatted for DFS examiners: pentest attestation, risk assessment, policy documentation, and access control evidence.
Prepare the executive/CISO certification package, maintain your compliance calendar, and keep controls current as the regulation evolves.
We map your current controls against all Part 500 requirements, identify your highest-priority gaps, and give you a fixed-timeline remediation plan — before your next examination cycle.