The New York State Department of Financial Services (NYDFS) announced on August 14, 2025, the resolution of a civil enforcement action requiring Healthplex, Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil penalty under a consent order for violations of the NYDFS cybersecurity regulation (23 NYCRR Part 500). The NYDFS alleges in the consent order that a threat actor gained access to Healthplex’s information systems through a phishing attack on an employee’s email account, and that Healthplex’s cybersecurity program was not adequately calibrated to protect against, mitigate or respond to the incident. As a result, the threat actor gained access to the private health data and sensitive nonpublic information (NPI) of tens of thousands of consumers.

The consent order states that, following an investigation, NYDFS found that the company violated the NYDFS cybersecurity regulation by:

  • Failing to implement multi-factor authentication (MFA) on its email system for individuals accessing the internal networks from an external network;
  • Lacking a data retention policy, allowing excessive storage of sensitive emails, and failing to develop policies and procedures for the secure disposal of NPI;
  • Delaying notification to NYDFS for more than four months, in violation of the requirement to report within 72 hours of determining that a reportable cybersecurity event has occurred; and
  • Filing improper annual certifications for the calendar years 2018 through 2021, attesting to its compliance with the cybersecurity regulation.

Under the terms of the consent order, the company must:

  • Retain an independent auditor to assess its MFA controls and remediate any issues, and
  • Pay a $2 million civil monetary penalty.

The NYDFS cybersecurity regulation, first adopted in 2017, was amended in November 2023 with phased-in requirements. This most recent enforcement action highlights several key areas for companies to address, both in cybersecurity generally and under the regulation in particular.

Timely Notification
Timely and accurate notification is critical; delays may result in substantial penalties. Section 500.17(a) requires notification within 72 hours of either (i) “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” or (ii) where “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.” The assessment of the first notification standard may involve a legal and technical determination of whether the impact is material. However, in this case, the notification did not occur for more than four months.

In reviewing data breach notifications, other enforcers have questioned the timeliness and accuracy of the notifications. As an example, the SEC brought an enforcement action based on a notification containing “misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.” In another SEC enforcement action, the SEC stated in an order that it found the company’s disclosure about cybersecurity events “negligently framed risks from cybersecurity events as hypothetical despite the company’s awareness” that “intrusions had actually happened and in fact involved unauthorized access and exfiltration of confidential and/or proprietary information.”

The handling of notifications following a breach or cybersecurity event is a key area that companies must focus on as part of their data breach response.

Multi-Factor Authentication
MFA is no longer optional—effective authentication protocols are now required.

Section 500.12(b) requires that MFA is used “for any individual accessing the Covered Entity’s internal networks from an external network.”

As noted in the Healthplex consent order, “MFA is the first line of defense against attempts to gain unauthorized access to accounts, including through phishing emails….” The company had previously used MFA for its emails, but did not implement it after migrating to a new email system.

Note that as part of the phased-in amendment taking effect on November 1, 2025, the MFA requirement under the NYDFS Cybersecurity Regulation will expand. By that date, covered entities must ensure that MFA is implemented for all individuals accessing any of the covered entity’s information systems, regardless of location, user type or the nature of the data involved.

Data Retention Policies
Section 500.13 requires that companies adopt “policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information … that is no longer necessary for business operations or for other legitimate business purposes.”

In this case, NYDFS stated in the consent order that the company “failed to have a data retention policy in place” for its email environment, with the result that “the compromised email box contained over one hundred thousand emails, all of which were accessible to the threat actor. These emails contained the private health data and NPI of tens of thousands of consumers.”

In other cases where we have assisted companies, the scope of the incident is commonly expanded by data that may be ten or more years old and no longer required for business purposes.

Annual Certification
One of the unique features of the NYDFS Cybersecurity Regulation is the annual certification, due by April 15 each year under Section 500.17(b), that the company has complied with the rule. In this case, the company filed timely annual certifications for the four calendar years 2018 through 2021. However, NYDFS found that the company’s annual certifications “attesting to its compliance with the Cybersecurity Regulation, were improper,” based on the identified violations of the NYDFS Cybersecurity Regulation.

Recommended Actions
This case shows the significant penalties that may result when a regulator determines that cybersecurity violations have occurred. Companies can mitigate risk by:

  • Auditing data retention practices across email and cloud platforms to remove data “that is no longer necessary for business operations or for other legitimate business purposes.”
  • Reviewing current MFA tools to ensure they meet NYDFS standards.
  • Updating access policies for remote workers and cloud platforms.
  • Training employees on MFA procedures and phishing awareness.
  • Reviewing incident response plans and processes to ensure compliance with the 72-hour notification requirement, including obtaining legal guidance on when the notification clock commences under the regulation and the accuracy of the notification.

Depending on the facts and circumstances, legal guidance may be necessary to satisfy the requirements of the NYDFS Cybersecurity Regulation.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.