The Cost of NYDFS Cybersecurity Noncompliance: What You Need to Know in 2025
Highlights:
- The New York Department of Financial Services (NYDFS) has increased enforcement of 23 NYCRR Part 500, its cybersecurity regulation.
- Covered entities must implement phishing-resistant MFA, maintain up-to-date risk assessments, and report breaches within 72 hours.
- Annual compliance certification is due by April 15, 2025.
- Healthplex’s $2 million fine illustrates the financial and reputational consequences of failing to comply.
- Beyond fines, noncompliance can cause operational disruption, legal liabilities, and permanent brand damage.
Roman Kadinsky, Cofounder, President & COO, HYPR
4 Min. Read | August 14, 2025
The New York State Department of Financial Services (NYDFS) has long been a leader in setting cybersecurity standards for the financial services and insurance sectors. Under 23 NYCRR Part 500, regulated entities are required to implement a comprehensive cybersecurity program that addresses governance, access controls, incident response, and ongoing risk management.
As we move through 2025, NYDFS has signaled that enforcement is accelerating. The recent $2 million settlement with Healthplex, Inc., announced on August 14, 2025, underscores the steep cost of falling short. This case serves as a timely reminder for all covered entities: compliance is not a once-a-year paperwork exercise; it is a continuous obligation with real financial stakes.
What You Need to Know About NYDFS Cybersecurity Regulations
Part 500 applies to most banks, insurers, and financial service providers operating in New York. At its core, the regulation mandates that each covered entity maintain a written cybersecurity policy approved by the board, conduct periodic risk assessments, limit access to sensitive systems and data, and implement robust security measures such as phishing-resistant multi-factor authentication (MFA).
Equally important is the incident reporting requirement, which requires that breaches meeting certain criteria be reported to NYDFS within 72 hours of determination. In addition, every covered entity must file an annual certification of compliance, or an acknowledgment of noncompliance, by April 15 each year.
What are the Key Requirements & Upcoming Deadlines?
In 2025, several deadlines and requirements should be top-of-mind for compliance teams. The annual compliance certification for the 2024 calendar year must be submitted by April 15, 2025. Before that filing, organizations must ensure their risk assessment is current and documented.
MFA enforcement is also a major focus for NYDFS this year. Covered entities are expected to have phishing-resistant MFA in place not only for remote network access but also for certain internal systems that handle sensitive information. The expectation is clear: email-only MFA or weaker second factors like SMS one-time codes no longer meet the standard.
Finally, the 72-hour breach reporting requirement remains one of the most critical obligations. Delays in reporting can lead to enforcement actions - even if the breach itself could not have been prevented.
Healthplex Case Study - A $2 Million Lesson
The Healthplex enforcement action provides a clear example of what can happen when these requirements are not met. In this case, a service representative at Healthplex clicked on a phishing email, giving an attacker access to sensitive consumer data stored in the employee’s Outlook 365 account.
Several compliance failures compounded the incident. First, Healthplex had not deployed MFA for its email system, leaving it vulnerable to credential-based attacks. Second, the company lacked an email retention policy, meaning that sensitive data remained in mailboxes far longer than necessary, increasing exposure. Finally, Healthplex failed to notify NYDFS of the breach until more than four months after discovery – well beyond the mandated 72-hour reporting window.
The result was a $2 million penalty, mandatory remediation measures, and a requirement for independent cybersecurity audits focused on MFA deployment. The costs extended far beyond the fine itself, including reputational damage and the operational burden of implementing corrective actions under regulatory scrutiny.
The True Cost of Noncompliance
While the $2 million fine is headline-grabbing, the broader impact of NYDFS noncompliance is often far greater. Legal costs, remediation expenses, internal resource strain, and lost customer trust can quickly escalate. Regulatory investigations can also distract leadership and IT teams from strategic priorities, creating a sustained operational drag.
For regulated entities, noncompliance can also lead to increased cyber liability insurance premiums - or difficulty obtaining coverage at all. And reputational harm, especially in the financial and insurance sectors, can have lasting effects on customer acquisition and retention.
How to Stay Ahead of NYDFS
Proactive compliance requires more than simply meeting the bare minimum. Covered entities should:
- Implement phishing-resistant MFA such as FIDO2 hardware keys or device-bound passkeys across all systems that store or process sensitive information.
- Automate breach detection and reporting to ensure the 72-hour notification rule is met without exception.
- Establish clear data retention policies to limit the amount of information that could be exposed in the event of a breach.
- Conduct annual independent audits to validate that cybersecurity controls meet or exceed NYDFS expectations.
By integrating these measures into their cybersecurity programs, organizations not only reduce enforcement risk but also strengthen overall resilience against evolving threats.
Conclusion
NYDFS has made one thing clear in 2025: compliance with 23 NYCRR Part 500 is not optional, and the cost of failure is steep. The Healthplex settlement illustrates how a single phishing email, combined with gaps in MFA, data retention, and reporting, can spiral into a multi-million-dollar regulatory penalty.
For financial and insurance organizations, the message is simple – treat NYDFS compliance as an ongoing operational imperative. Investing in phishing-resistant authentication, robust governance, and disciplined reporting processes can save millions and protect hard-earned reputations.
Learn how HYPR helps financial and insurance organizations exceed NYDFS requirements with passwordless, phishing-resistant MFA.
Key Takeaways
- NYDFS is aggressively enforcing 23 NYCRR Part 500, and penalties are climbing.
- Annual compliance certification is due April 15, 2025; phishing-resistant MFA and timely breach reporting are top priorities.
- Healthplex’s $2 million fine shows the financial and reputational risks of noncompliance.
- Proactive, continuous compliance strengthens both security posture and business trust.
Roman Kadinsky, CFA is the President, Chief Operating Officer and Co-Founder of HYPR. Roman is responsible for HYPR’s day-to-day operations and works closely with employees, partners and clients to deliver on the company’s mission of enabling Passwordless Identity Assurance. Roman is also responsible for all aspects of finance, control, legal affairs and human resources.
Previously, Roman worked at Goldman Sachs in a variety of roles including Securities Sales and Equities Management as well as Market Risk for the Investment Management Division.