NYDFS Part 500 Enforcement in 2025-2026: What $25 Million in Fines Reveals About What Regulators Actually Check
NYDFS has issued more than $25 million in Part 500 cybersecurity fines since January 2025 — against PayPal, eight auto insurers, Healthplex, and Delta Dental. The violation patterns are consistent. Here's what every covered entity needs to fix before they're next.
TL;DR
- NYDFS issued over $25 million in Part 500 cybersecurity fines between January 2025 and May 2026, across PayPal, eight auto insurers, Healthplex, and Delta Dental
- Two violations dominate: 72-hour incident notification failures (Healthplex, Delta Dental) and third-party service provider risk management failures (eight auto insurers)
- PayPal’s $2M fine was for cybersecurity program gaps that allowed unauthorized data access — not a notification failure
- The November 2023 amendments strengthened third-party oversight, MFA, penetration testing, and CISO reporting requirements — all now in full effect
- If your incident response plan doesn’t include a 72-hour NYDFS notification step, you have a gap
The NYDFS has been issuing one significant cybersecurity enforcement action every two to three months since late 2024. In January 2025, PayPal. In August 2025, Healthplex. In October 2025, eight auto insurers in a single day. In May 2026, Delta Dental.
What’s striking isn’t just the money — it’s how consistent the violations are. The same two failure modes keep appearing across companies of different sizes, sectors, and sophistication levels. And both are failures that a well-maintained Part 500 program should catch.
The Enforcement Record: What NYDFS Found
PayPal: $2 Million (January 23, 2025)
PayPal’s fine wasn’t for getting hacked. It was for cybersecurity program failures that made a breach possible and went undetected until a security analyst found the gap.
The specific failure: inadequate controls allowed unauthorized access to customers’ IRS Forms 1099-K — exposing names, dates of birth, and full Social Security numbers. This is the kind of data that enables identity fraud and tax fraud at scale.
NYDFS cited PayPal for cybersecurity program deficiencies that should have been identified and addressed under Part 500’s requirements for access controls, data classification, and security monitoring. The $2 million penalty reflects both the sensitivity of the data and the program-level failures rather than a single point of failure.
What it signals: NYDFS is auditing whether cybersecurity programs are working, not just whether policies exist. PayPal had policies. The policies didn’t prevent unauthorized data access. That gap is what gets fined.
Eight Auto Insurers: $19+ Million (October 14, 2025)
This is the most instructive set of actions in the recent enforcement record. On a single day in October 2025, NYDFS announced consent orders against eight separate auto insurance companies with a combined total exceeding $19 million in fines:
| Company | Fine |
|---|---|
| Hartford Fire Insurance Co. | $3.0 million |
| Farmers Insurance Exchange | $2.775 million |
| Liberty Mutual Insurance Co. | $2.7 million |
| Infinity Insurance Co. | $2.25 million |
| Metromile Insurance Co. | $2.05 million |
| Midvale Indemnity Co. | $2.0 million |
| Hagerty Insurance Agency | $1.85 million |
| State Automobile Mutual Insurance Co. | (amount confirmed as part of total) |
The root cause: all eight companies used the same third-party data prefill service for insurance quoting. When that service was breached in 2021, consumer data that the insurers had fed through it was compromised.
The violation wasn’t the breach. NYDFS does not fine companies for getting breached. The violation was the absence of adequate cybersecurity programs and policies to assess and manage the risk of that third-party vendor relationship — a direct violation of § 500.11, which requires covered entities to manage the cybersecurity risks posed by third-party service providers.
Eight companies used the same vendor. None of them had adequate third-party oversight programs. All eight got fined.
What it signals: Third-party service provider risk is not a check-the-box exercise. The November 2023 amendments strengthened § 500.11 requirements. NYDFS is testing whether those requirements are actually implemented, not just documented.
Healthplex: $2 Million (August 14, 2025)
Healthplex is an insurance agent and adjuster that experienced a phishing attack exposing private health data and sensitive nonpublic information of tens of thousands of consumers.
The violation: failing to notify NYDFS within 72 hours of determining that a cybersecurity incident had occurred. Under § 500.17(a), the clock starts at determination, not at completion of forensic investigation. Healthplex’s notification came after the 72-hour window — and NYDFS treated the delay as an independent, fineable violation.
What it signals: The 72-hour notification requirement is not aspirational. NYDFS has consistently treated the timeline as a hard compliance requirement. “We were still assessing the scope” is not a defense for missing the deadline.
Delta Dental: $2.25 Million (May 2026)
The most recent action covered a six-month notification delay following the MOVEit zero-day in mid-2023. Delta Dental learned of the incident in June 2023 and confirmed consumer data was impacted in July 2023. NYDFS was notified in December 2023 — approximately five months after the 72-hour clock should have started.
The secondary violation: Delta Dental had extended data retention on MOVEit servers from the default 30-day period to 45 and then 60 days without documented business justification or a policy governing the change. NYDFS cited this as a § 500.13 violation — failing to maintain policies for the secure disposal of data that is no longer necessary for business operations.
This enforcement action is covered in detail in the post “NYDFS Hits Delta Dental With $2.25M” — the key takeaway for this analysis is that it’s the fourth high-profile Part 500 action in an 18-month window, and it shows the same patterns.
The Two Violations That Keep Appearing
Looking at these four actions, the pattern is clear:
Violation Type 1: 72-hour notification failures
- Healthplex (August 2025): phishing attack, notification missed
- Delta Dental (May 2026): MOVEit breach, six-month delay
Violation Type 2: Third-party service provider risk management failures
- Eight auto insurers (October 2025): shared vendor breached, no adequate oversight
Violation Type 3: Cybersecurity program gaps allowing unauthorized access
- PayPal (January 2025): access control failures on sensitive tax data
The third violation type is the hardest to build a checklist around — it depends on the specific program gaps NYDFS identifies. But the first two are highly predictable and entirely preventable.
What the November 2023 Amendments Changed
The enforcement actions aren’t happening in a vacuum. NYDFS finalized amendments to Part 500 in November 2023, the most significant updates since the regulation was first adopted in 2017. Key changes now in full effect:
Enhanced third-party service provider requirements (§ 500.11)
Covered entities must now maintain written agreements with third-party service providers that include representations and warranties about those providers’ cybersecurity practices. The requirements are more specific about what must be assessed and how often. The October 2025 auto insurer actions were the first major enforcement of these enhanced requirements.
Expanded MFA requirements
The amendments expanded MFA requirements beyond privileged accounts to all remote access to internal networks and all access to any system that contains nonpublic information. The old version required MFA for privileged accounts; the new version is broader.
Annual penetration testing
Annual penetration testing is now mandatory for all covered entities (with risk-based frequency for certain lower-risk entities). The old version was risk-based throughout; the new version sets a minimum annual standard.
CISO annual report to the board
The Chief Information Security Officer must now provide an annual written report to the senior governing body and board, covering the cybersecurity program’s effectiveness, material cybersecurity risks, and remediation plans for identified issues. The report must be documented and retained.
Expanded incident notification scope
The 72-hour notification requirement now explicitly covers ransomware deployments (including situations where ransomware was deployed but operations were not affected), cyberattacks that materially disrupt operations, and cybersecurity events at third-party service providers that affect the covered entity.
Class A company requirements
Larger covered entities — defined as having more than 2,000 employees, more than $1 billion in gross annual revenue, or more than $10 billion in year-end total assets — have additional obligations under Part 500, including independent audits of the cybersecurity program and enhanced CISO reporting requirements. Class A compliance was required by November 1, 2025.
The Gap Most Covered Entities Have: Incident Response and 72-Hour Notification
The Healthplex and Delta Dental actions both trace back to the same root cause: incident response programs that didn’t include a 72-hour NYDFS notification step, or didn’t know when to start the clock.
The 72-hour clock starts at determination — the moment a covered entity concludes that a cybersecurity incident meeting the reporting threshold has occurred. Not when the investigation is complete. Not when the scope is quantified. Not when counsel has signed off on the notification letter.
This creates a specific operational requirement: your incident response team must be trained to recognize when a determination has been made, and your IR playbook must include a NYDFS notification step timed from that determination, not from resolution.
The most common gap: incident response programs that were built before the 72-hour requirement was as actively enforced as it is now. The IR plan says “notify regulators as required” without specifying what “required” means, who owns the notification, or what the clock trigger is.
What a defensible 72-hour notification process looks like:
- A defined escalation trigger that identifies when an incident has been “determined” (vs. suspected or under investigation)
- A named owner responsible for the NYDFS notification decision
- A pre-drafted notification template that can be filed quickly
- An explicit policy that determination, not confirmation, starts the clock
- Evidence documentation showing when determination occurred
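As an added illustration of the clock described above (this is not code from the original post), a small Python tracker that keys the NYDFS deadline off the recorded determination timestamp, ignores confirmation and closure dates, and flags incidents that have no determination record at all. The incident names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Section 500.17(a): notice to NYDFS within 72 hours of *determining* a reportable incident.
NYDFS_WINDOW = timedelta(hours=72)

def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

def hours(delta: timedelta) -> float:
    return round(delta.total_seconds() / 3600, 1)

@dataclass
class Incident:
    name: str
    suspected_at: datetime                   # first alert or report (does not start the clock)
    determined_at: Optional[datetime]        # entity concluded a reportable incident occurred
    confirmed_at: Optional[datetime] = None  # scope/impact confirmed (does not start the clock)
    notified_at: Optional[datetime] = None   # when the NYDFS notice was actually filed

def nydfs_deadline(inc: Incident) -> Optional[datetime]:
    """The deadline runs from determination only; confirmation and closure are irrelevant."""
    return None if inc.determined_at is None else inc.determined_at + NYDFS_WINDOW

def notification_status(inc: Incident, now: datetime) -> dict:
    """Evaluate one incident; the returned record doubles as timing evidence for the IR log."""
    deadline = nydfs_deadline(inc)
    if deadline is None:
        # The gap the enforcement record shows: no documented determination, so no clock.
        return {"name": inc.name, "status": "NO_DETERMINATION_RECORD"}
    if inc.notified_at is None:
        if now > deadline:
            return {"name": inc.name, "status": "OVERDUE", "hours_late": hours(now - deadline)}
        return {"name": inc.name, "status": "PENDING", "hours_remaining": hours(deadline - now)}
    if inc.notified_at > deadline:
        return {"name": inc.name, "status": "LATE", "hours_late": hours(inc.notified_at - deadline)}
    return {"name": inc.name, "status": "ON_TIME", "hours_late": 0.0}

def evaluate_log(incidents: list, now: datetime) -> list:
    return [notification_status(i, now) for i in incidents]

def sample_incidents() -> list:
    """Constructed timelines (illustrative dates, not the actual case records)."""
    return [
        # Vendor zero-day: determined in June, scope confirmed in July, notice filed in December.
        Incident("vendor-transfer-breach", utc(2023, 6, 10), utc(2023, 6, 15), utc(2023, 7, 10), utc(2023, 12, 1)),
        # Phishing: determined and notified inside the window.
        Incident("phishing-mailbox", utc(2025, 8, 1, 9), utc(2025, 8, 1, 15), None, utc(2025, 8, 3, 17)),
        # Open incident, clock running.
        Incident("ransomware-staging", utc(2026, 5, 1, 8), utc(2026, 5, 1, 12)),
        # Ticket has a confirmation date but no determination was ever recorded.
        Incident("undocumented", utc(2026, 4, 1), None, utc(2026, 4, 3), utc(2026, 4, 20)),
    ]
```

Running `evaluate_log(sample_incidents(), utc(2026, 5, 2, 12))` shows the first incident months late even though it was "confirmed" a month after determination, and the last one with no clock at all because determination was never recorded.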
Third-Party Risk Under § 500.11: What “Adequate Oversight” Actually Means
The auto insurer actions underscore that § 500.11 is one of the most actively tested requirements in Part 500 examinations.
Third-party service provider oversight under Part 500 requires covered entities to:
- Identify and assess cybersecurity risks from third-party service providers
- Maintain policies and procedures for evaluating providers’ cybersecurity practices
- Include contractual requirements around cybersecurity protections and notification
- Periodically assess the cybersecurity practices of providers with access to nonpublic information
What the eight auto insurer actions show is that NYDFS tests this at the portfolio level. It’s not enough for your TPRM policy to exist — NYDFS looked at whether the eight insurers had actually assessed the shared data prefill vendor’s security, had contractual protections in place, and had monitoring processes that would have caught a vendor compromise.
Most companies that are “non-compliant” with § 500.11 aren’t missing a policy. They’re missing the evidence that the policy was executed: vendor risk assessments, security review outputs, contractual obligations, ongoing monitoring cadence, and documented decisions about high-risk vendors.
What “Adequate Oversight” Requires in Practice
- Vendor inventory that identifies third-party access to nonpublic information — knowing which vendors touch customer data and how
- Cybersecurity risk assessments for those vendors — not just questionnaires, but documented risk decisions
- Contractual requirements — written agreements requiring security standards, incident notification (must include notification to the covered entity within 72 hours of a cybersecurity event), and audit rights
- Ongoing monitoring — not just annual reassessment, but active awareness of vendor security posture changes and incidents
- Documentation — evidence that all of the above actually happened, available for NYDFS examination
The October 2025 actions suggest that sharing a vendor with multiple peers in the industry is not a mitigating factor. All eight companies were cited independently. Shared industry practice does not reduce regulatory exposure.
The So-What for Your Compliance Program
If you’re a covered entity under Part 500 — and many fintechs don’t realize they are until their first exam — here are the specific gaps most likely to generate a consent order based on 2025-2026 enforcement patterns:
1. Your incident response plan doesn’t have an explicit 72-hour NYDFS notification step. Add it. Define when the clock starts, who owns the notification, and what the pre-drafted notification includes.
2. Your third-party vendor risk program is policy-only. Auditors don’t want to see your policy — they want to see evidence that you assessed vendors, that contracts include the required cybersecurity provisions, and that you’re monitoring ongoing performance. The auto insurer actions are essentially a rubric for what that evidence needs to look like.
3. You haven’t completed an annual penetration test. The November 2023 amendments made this mandatory. If you haven’t done one under the post-amendment requirements, that’s a gap.
4. Your CISO hasn’t provided a written annual report to the board. This is now a hard requirement, not a best practice.
5. You’re not sure which employees and systems fall under the expanded MFA requirements. The amended § 500.12 is broader than the original. Remote access and all access to nonpublic information now require MFA — not just privileged accounts.
6. Your incident notification policy doesn’t define “determination.” If your policy says “notify NYDFS when a cybersecurity incident is determined,” but your IR team doesn’t know what triggers determination vs. ongoing investigation, the 72-hour clock will slip.
Compliance Checklist
| Requirement | Status to Assess | Section |
|---|---|---|
| 72-hour NYDFS notification in IR plan, with named owner and determination trigger | Review IR plan | § 500.17(a) |
| Written third-party service provider agreements with cybersecurity provisions | Vendor contract audit | § 500.11 |
| Annual penetration test (post-November 2023 amendments) | Confirm completion | § 500.20 |
| CISO annual report to senior governing body and board | Confirm documentation | § 500.4 |
| Expanded MFA for all remote access and NPI system access | Control gap analysis | § 500.12 |
| Data retention/disposal policies covering nonpublic information | Policy review | § 500.13 |
| Class A company determination (>2,000 employees, >$1B revenue, or >$10B assets) | If applicable | § 500.2 |
The $25 million in fines across 10 enforcement actions since late 2024 is a clear signal from NYDFS: Part 500 is an active examination program, not a filed-and-forgotten regulation. The companies getting fined aren’t technology laggards — PayPal, Hartford Fire, Liberty Mutual, and Farmers are sophisticated organizations with real cybersecurity programs. Their programs had specific gaps on specific requirements. Those gaps became fines.
Every Part 500 covered entity should be able to answer three questions right now:
- If an incident triggers the 72-hour notification requirement today, does our IR plan tell us exactly what to do?
- Can we produce evidence that we assessed our major third-party vendors’ cybersecurity practices?
- Have we completed our post-November 2023 amendment compliance review?
If the answer to any of those is no, those are the gaps most likely to be on an examiner’s checklist.
When an incident does require regulatory notification — to NYDFS, to state regulators, or to consumers — the Incident Response & Breach Notification Kit includes pre-drafted notification letter templates, all-50-states breach notification deadlines, and an incident tracking log built to document response timing for regulatory review.
For a deeper look at Part 500’s 72-hour notification requirement and the determination trigger, see the FFIEC 36-Hour Incident Notification Rule and the Delta Dental NYDFS enforcement action.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.