NYDFS Part 500 Checklist for Small Insurance Brokers

Written By Chris Ekai

On 14 August 2025, NYDFS announced that Healthplex, Inc., a New York licensed insurance agent and adjuster, would pay a $2 million civil penalty under 23 NYCRR Part 500. A single phishing email had reached an employee inbox, and the cybersecurity program around it failed.

The settlement order called out missing multi-factor authentication, weak access privileges, and an unrated third-party vendor list.

Key Takeaways: NYDFS Part 500 Checklist for Small Insurance Brokers
The NYDFS Part 500 checklist for small insurance brokers applies to every New York licensed broker by default. Brokers can qualify for a Section 500.19(a) limited exemption if they meet any one of three caps: fewer than 20 employees, under $7.5 million in gross annual revenue, or under $15 million in year-end total assets.
The Second Amendment to 23 NYCRR Part 500 closed its rollout on 1 November 2025. Universal multi-factor authentication and a written asset-inventory procedure are now mandatory for every covered entity, including small brokers under 500.19(a).
Even limited-exemption brokers must still comply with Sections 500.02 program, 500.03 policy, 500.07 access privileges, 500.09 risk assessment, 500.11 third-party security, 500.12 MFA, and 500.17 reporting. The ‘small’ label removes only training, audit-trail, penetration-test, and CISO-reporting duties.
A 72-hour incident notice and a 24-hour ransom payment notice apply to brokers of every size. Healthplex, Inc., a licensed insurance agent and adjuster, paid $2 million to NYDFS on 14 August 2025 after a phishing breach exposed gaps that the NYDFS Part 500 checklist for small insurance brokers would have caught.
Annual certification is due 15 April each year through the NYDFS portal. Brokers must keep five years of supporting evidence including the risk assessment, MFA logs, third-party reviews, training rosters, and the cybersecurity policy approved by the board or senior officer.
Penalties under NY Banking Law reach $2,500 per day for routine breaches, $15,000 per day for reckless conduct, and $75,000 per day for knowing or willful violations. Recent NYDFS consent orders against insurance and financial entities ranged from $1 million to $40 million.
The NYDFS Part 500 checklist for small insurance brokers is also the cheapest insurance against carrier appointments getting pulled. Several US carriers now require broker partners to attest annually to Part 500 compliance before renewing producer agreements, turning a regulatory minimum into a commercial gate.

That outcome is why a NYDFS Part 500 checklist for small insurance brokers now sits at the top of every small broker compliance file in New York State. The Second Amendment to 23 NYCRR Part 500 closed its phase-in on 1 November 2025, locking in universal MFA and a written asset inventory. Annual certification arrives 15 April.

NYDFS Part 500 Checklist for Small Insurance Brokers

Eight core controls still apply under the limited exemption, plus the 72-hour incident notice and the annual certification filing.

Every one of them maps to a compliance risk analysis step the OCC, FINRA, SEC, and NYDFS examiners all recognize. A small New York broker can move from the Section 500.19 exemption test to a defensible NYDFS Part 500 checklist for small insurance brokers filing inside six weeks.


NYDFS Part 500 Checklist for Small Insurance Brokers: Why You Cannot Skip It

Every New York licensed insurance broker is a covered entity by default under 23 NYCRR Part 500. Section 500.19 grants a limited exemption to small brokers but never a full pass. The NYDFS Part 500 checklist for small insurance brokers is the working document an examiner opens first to confirm applicable provisions and the named owner for each control line.

NYDFS Part 500 Checklist for Small Insurance Brokers: Healthplex Sets the Benchmark

Healthplex was a small, specialty insurance agent serving roughly 4 million plan members across the New York metropolitan area. A phishing message reached one employee mailbox in November 2021. The NYDFS consent order against Healthplex cited the agent for missing MFA and for relying on a vendor list with no due diligence trail behind it.

Healthplex paid $2 million plus a remediation plan. The order is the clearest signal so far that a small agent or broker label does not lower the bar. Auditors now open the NYDFS Part 500 checklist for small insurance brokers before any policy interview begins, and a missing entry costs roughly $50 per day per control under the routine penalty band.

NYDFS Part 500 Checklist for Small Insurance Brokers: Who Counts as a Covered Entity

A covered entity is anyone operating under a license, charter, or permit from NYDFS. That sweeps in retail insurance agents, brokers, reinsurance intermediaries, public adjusters, and the corporate agencies that hold the producer license. Independent contractors writing under a covered firm rely on the firm’s program rather than filing their own NYDFS Part 500 checklist.

Brokers who are inactive under Insurance Law Section 2104 can claim a full exemption only if they hold no nonpublic information, run no information systems, and have not placed business for at least one year. The NYDFS Part 500 checklist for small insurance brokers starts with this binary test, since misclassifying a broker as inactive is the single most common filing error caught at the 15 April certification cycle.

NYDFS Part 500 Checklist for Small Insurance Brokers: Working Through Section 500.19 Limited Exemption

Section 500.19(a) sets three independent caps. Meet any one and the broker qualifies for the limited exemption, which trims about 40% of the regulation while keeping the program, policy, risk assessment, access privilege, third-party, MFA, and incident reporting duties firmly in place.

NYDFS Part 500 Checklist for Small Insurance Brokers: The Three OR-Tests for 500.19(a)

The first test counts every full-time, part-time, and independent contractor working on covered business inside New York. The cap is fewer than 20. A two-partner broker with eight licensed producers and four office staff sits comfortably inside the threshold and clears the headcount path of the NYDFS Part 500 checklist for small insurance brokers.

The second test is gross annual revenue, capped at $7.5 million across the prior three fiscal years on a rolling basis. The third test is year-end total assets, capped at $15 million. The NYDFS Cybersecurity Resource Center maintains the current FAQ on how these caps interact with parent-subsidiary structures.

NYDFS Part 500 Checklist for Small Insurance Brokers: What the Limited Exemption Drops

The 500.19(a) exemption drops the formal CISO position (500.04), the cybersecurity personnel and training expansion (500.10), the security audit trails (500.06), the encryption rules of 500.15, and the penetration testing schedule of 500.05. It does not drop the cybersecurity program, the policy, the risk assessment, or the third-party rules.

Brokers who read the exemption as a full pass have triggered every recent enforcement letter. A risk and control self-assessment (RCSA) guide is the cleanest way to confirm the surviving controls. The NYDFS Part 500 checklist for small insurance brokers makes the carve-out explicit so the broker, the carrier, and the examiner all read it the same way.

NYDFS Part 500 Checklist for Small Insurance Brokers: When the Inactive-Broker Full Exemption Applies

Section 500.19(d) grants a full exemption to inactive individual brokers under Insurance Law 2104. Eligibility hinges on three facts: no information systems, no nonpublic information, and no placed business in the prior twelve months. The NYDFS Part 500 checklist for small insurance brokers asks the broker to sign a dated attestation against each of those three facts before the inactive route is claimed.

A retired producer who still receives renewal commissions on a small book of personal lines is rarely inactive in the regulation’s sense. Commissions imply a live customer relationship, which means nonpublic information lives somewhere. The five steps of the risk management process still apply, even at a single-broker scale.

NYDFS Part 500 Checklist for Small Insurance Brokers: The Eight Core Controls That Still Apply

Figure 2. NYDFS Part 500 Checklist for Small Insurance Second Amendment phase-in. The 1 November 2025 deadline closed the universal MFA and asset inventory rollout.

A limited-exemption small broker still owes a written program (500.02), a written policy (500.03), an annual risk assessment (500.09), access privilege management (500.07), third-party security (500.11), MFA (500.12), incident response (500.16), and 72-hour reporting (500.17). Every line of the NYDFS Part 500 checklist for small insurance brokers sits underneath one of these eight sections.

NYDFS Part 500 Checklist Step 1: Written Cybersecurity Program (500.02)

The program is the broker’s written set of cybersecurity activities. It identifies internal and external risks, applies controls to those risks, detects events, responds to events, and recovers from events. A two-page document with a board signature is enough at small-broker scale. A cybersecurity risk management framework based on NIST CSF 2.0 is a defensible starting point.

NYDFS Part 500 Checklist Step 2: Written Cybersecurity Policy (500.03)

The policy translates the program into rules people follow. Required topics include information security, access controls, data governance, business continuity, capacity planning, customer privacy, vendor and third-party service-provider management, and incident response. The owner is named on the cover sheet. A single signed PDF, reviewed annually, satisfies the line in the NYDFS Part 500 checklist for small insurance brokers.

NYDFS Part 500 Checklist Step 3: Annual Risk Assessment (500.09)

The risk assessment identifies the broker’s nonpublic information, where it lives, which systems carry it, and which threats it faces. Updates are required on material change: new platform, new producer, new carrier, new state. A walkthrough of how to conduct a risk assessment is the fastest path to a first version that the next NYDFS Part 500 checklist review will accept without rework.

Output of the risk assessment feeds two later steps: control selection in step 4 and the third-party prioritization in step 6. NYDFS examiners pull the risk assessment first because it tells them whether the broker actually understands the business. A boilerplate document gets the broker a control-deficiency finding before lunch on day one.

NYDFS Part 500 Checklist Step 4: Multi-Factor Authentication (500.12)

The 1 November 2025 amendment made MFA mandatory for every individual accessing the broker’s information systems. The narrowed exemption permits a small broker under 500.19(a) to scope MFA to remote access, third-party applications carrying nonpublic information, and privileged accounts. SMS-only second factors are tolerated but disfavored under the NYDFS Industry Letter on MFA.

NYDFS Part 500 Checklist Step 5: Access Privilege Management (500.07)

Access privileges should follow the principle of least authority. The broker reviews access at least annually, removes departed staff within one business day, and limits administrative rights to a named subset of users. A small broker can run the review in a spreadsheet, but the spreadsheet must carry the review date and the reviewer name on the NYDFS Part 500 checklist for small insurance brokers.
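Steps 4 and 5 above describe three checks that a small broker repeats at every access review: leavers removed within one business day, administrative rights limited to a named subset, and MFA present (and not SMS-only) on every account in the 500.19(a) scope. The script below is an added example, not code from the article or from NYDFS, showing how those three checks can be run together over an identity-provider export and an HR leavers list. All names, dates, systems and the approved-admin set are constructed sample data; public holidays are not modelled in the business-day calculation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, Dict, List

# Constructed sample data for this example only (not real accounts).
# Review date, reviewer name and findings together form the evidence
# row the checklist asks for under 500.07 and 500.12.

@dataclass
class Account:
    user: str
    active: bool
    admin: bool
    remote_access: bool
    npi_third_party_apps: Tuple[str, ...]   # third-party apps holding NPI this account can reach
    mfa_factor: Optional[str]               # None, "sms", "app" or "hardware"

# Assumed: the broker's named subset of users permitted to hold admin rights.
APPROVED_ADMINS = {"principal", "it-vendor-svc"}

# Assumed leaver list from HR: user -> last working day (a Friday in this sample).
LEAVERS: Dict[str, date] = {"j.doe": date(2025, 11, 14)}
LEAVER_DEPARTURE = LEAVERS["j.doe"]

ACCOUNTS = [
    Account("principal",     True, True,  True,  ("agency-mgmt",),       "app"),
    Account("j.doe",         True, False, True,  (),                     "sms"),
    Account("a.smith",       True, True,  False, (),                     "hardware"),
    Account("m.lee",         True, False, False, (),                     None),
    Account("r.patel",       True, False, False, ("comparative-rater",), None),
    Account("it-vendor-svc", True, True,  True,  (),                     "hardware"),
]


def next_business_day(d: date) -> date:
    """The business day after d, skipping Saturday and Sunday."""
    d += timedelta(days=1)
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def in_mfa_scope(acct: Account) -> bool:
    """500.19(a)-scoped MFA: remote access, third-party apps carrying NPI, privileged accounts."""
    return acct.remote_access or bool(acct.npi_third_party_apps) or acct.admin


def review_accounts(accounts: List[Account], leavers: Dict[str, date],
                    review_date: date) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every control failure found on review_date."""
    findings = []
    for a in accounts:
        # 500.07: departed staff removed within one business day of departure
        if a.user in leavers and a.active and review_date > next_business_day(leavers[a.user]):
            findings.append((a.user, "leaver still active past one business day"))
        # 500.07: admin rights limited to the named subset
        if a.admin and a.user not in APPROVED_ADMINS:
            findings.append((a.user, "admin rights outside approved admin list"))
        # 500.12: MFA on every in-scope account; SMS tolerated but disfavored
        if a.active and in_mfa_scope(a):
            if a.mfa_factor is None:
                findings.append((a.user, "in MFA scope with no MFA enrolled"))
            elif a.mfa_factor == "sms":
                findings.append((a.user, "SMS-only second factor on in-scope account"))
    return findings


def run_review(review_date: date = date(2025, 11, 20), reviewer: str = "principal") -> dict:
    """Evidence record for the checklist: who reviewed, when, and what was found."""
    return {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "findings": review_accounts(ACCOUNTS, LEAVERS, review_date),
    }


if __name__ == "__main__":
    for user, finding in run_review()["findings"]:
        print(f"{user}: {finding}")
```

The output of `run_review()` is the row the spreadsheet needs: a dated, named review plus the open findings. Re-running it after remediation and keeping both records gives the examiner the before-and-after trail.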

NYDFS Part 500 Checklist: Third-Party Service Provider Controls (500.11)

Figure 3. NYDFS Part 500 checklist, selected consent-order penalties. Healthplex sits squarely in the small-insurance-agent enforcement zone.

Section 500.11 makes the broker responsible for the security of nonpublic information held by every third-party service provider it uses. The NYDFS Part 500 checklist records the vendor list, the due-diligence evidence, the contract clauses, and the review date for each vendor handling NPI.

NYDFS Part 500 Checklist: Building the Vendor Inventory

Start with the carriers, agency management system, comparative rater, e-signature platform, payroll provider, accountant, and any cloud storage tied to client documents.

Each vendor goes into a single sheet with the data category they touch, the location of the data, the contract end date, and the most recent security review. The NYDFS Part 500 checklist tracks this sheet as evidence of the 500.11 program.

Vendor counts surprise small brokers. A typical New York retail agent has between 25 and 60 vendors when every commission processor, document scanner, and email marketing service is counted. The NYDFS Industry Letter on Third Parties (21 October 2025) raised the documentation bar following the cluster of 2024 supply-chain breaches.

NYDFS Part 500 Checklist: Due Diligence and Contract Clauses

Due diligence ranges from a vendor SOC 2 Type II report at the high-risk end to a one-page security questionnaire for low-risk vendors. The AICPA SOC 2 framework gives the broker a defensible template for what to ask. The NYDFS Part 500 checklist captures the SOC report date, the auditor, and the next review trigger.

Contract clauses cover encryption of data in transit and at rest, prompt notice of a vendor cybersecurity event, MFA on vendor staff access to broker data, and audit rights. A third-party risk management template can be adapted line by line. The NYDFS Part 500 checklist flags any vendor whose contract is silent on these four items as a remediation priority.

NYDFS Part 500 Checklist: Review Cadence and Risk Tiers

High-risk vendors earn a full review annually. Medium-risk vendors are refreshed every two years. Low-risk vendors fall to a passive review on contract renewal. The NYDFS Part 500 checklist records the tier and the next-review date, so the broker can hand a single page to an examiner instead of digging through five years of vendor email.
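The vendor inventory, due-diligence, contract-clause and review-cadence sections above describe one register with four rules: each vendor carries its data category, location and tier; the four contract clauses are mandatory; high-risk vendors are reviewed annually and medium-risk every two years, with low-risk vendors reviewed at contract renewal; and a missing clause makes the vendor a remediation priority. The script below is an added example, not code from the article or from any vendor tool, that encodes those rules and produces the single page an examiner can be handed. Vendor names, dates and clause sets are constructed; the 12-month SOC 2 staleness rule for high-risk vendors is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, FrozenSet, List

# The four contract items the checklist expects; a vendor silent on any is a remediation priority.
REQUIRED_CLAUSES = ("encryption", "breach_notice", "vendor_mfa", "audit_rights")
# Review cadence by tier; low-risk vendors get a passive review at contract renewal.
REVIEW_INTERVAL_YEARS = {"high": 1, "medium": 2}


@dataclass
class Vendor:
    name: str
    data_category: str
    data_location: str
    tier: str                      # "high", "medium" or "low"
    contract_end: date
    last_review: Optional[date]
    contract_clauses: FrozenSet[str]
    soc2_report_date: Optional[date] = None


def add_years(d: date, n: int) -> date:
    """d plus n years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def next_review_date(v: Vendor, as_of: date) -> date:
    if v.tier == "low":
        return v.contract_end            # passive review on renewal
    if v.last_review is None:
        return as_of                     # never reviewed: due now
    return add_years(v.last_review, REVIEW_INTERVAL_YEARS[v.tier])


def assess_vendor(v: Vendor, as_of: date) -> dict:
    issues = []
    missing = [c for c in REQUIRED_CLAUSES if c not in v.contract_clauses]
    if missing:
        issues.append("contract silent on: " + ", ".join(missing))
    due = next_review_date(v, as_of)
    if due <= as_of:
        issues.append(f"review overdue (due {due.isoformat()})")
    # Assumed rule: high-risk vendors need a SOC 2 Type II report under 12 months old.
    if v.tier == "high" and (v.soc2_report_date is None or add_years(v.soc2_report_date, 1) < as_of):
        issues.append("SOC 2 Type II report missing or older than 12 months")
    return {"vendor": v.name, "tier": v.tier, "data": f"{v.data_category} @ {v.data_location}",
            "next_review": due.isoformat(), "issues": issues,
            "remediation_priority": bool(missing)}


def build_register(vendors: List[Vendor], as_of: date) -> List[dict]:
    """One row per vendor, remediation priorities first, then by next review date."""
    rows = [assess_vendor(v, as_of) for v in vendors]
    rows.sort(key=lambda r: (not r["remediation_priority"], r["next_review"]))
    return rows


ALL = frozenset(REQUIRED_CLAUSES)

# Constructed sample inventory for this example only.
SAMPLE_VENDORS = [
    Vendor("Agency management system", "client NPI, policies", "vendor cloud, US-East",
           "high", date(2026, 6, 30), date(2025, 3, 15), ALL, date(2025, 2, 1)),
    Vendor("Comparative rater", "applicant NPI", "vendor cloud",
           "high", date(2026, 1, 31), date(2024, 10, 1), frozenset({"encryption", "breach_notice"})),
    Vendor("E-signature platform", "signed applications", "vendor cloud",
           "medium", date(2027, 3, 31), date(2024, 1, 20), ALL),
    Vendor("Email marketing service", "client names, emails", "vendor cloud",
           "low", date(2025, 11, 30), None, frozenset({"encryption"})),
    Vendor("Payroll provider", "employee NPI", "vendor cloud",
           "medium", date(2026, 12, 31), None, ALL),
]


def example_register(as_of: date = date(2025, 12, 1)) -> List[dict]:
    return build_register(SAMPLE_VENDORS, as_of)


if __name__ == "__main__":
    for row in example_register():
        flag = "PRIORITY" if row["remediation_priority"] else "        "
        print(f"{flag} {row['tier']:6} {row['next_review']} {row['vendor']}: {row['issues'] or 'ok'}")
```

Running `example_register()` puts the comparative rater at the top: two clauses missing, a review a year overdue and no SOC 2 report on file, which is exactly the vendor profile the Healthplex order criticised. The payroll provider surfaces too, not for a contract gap but because it has never had a review date recorded.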

NYDFS Part 500 Checklist: 72-Hour Incident Reporting (500.17)

Figure 4. NYDFS Part 500 checklist control maturity gap. The November 2025 amendments raised the bar across every domain a small broker still owes.

Section 500.17 requires notice to NYDFS within 72 hours of determining a cybersecurity incident has occurred. A separate 24-hour notice applies when the broker has made an extortion payment. The NYDFS Part 500 checklist embeds both timers, the contact line, and the message template before any incident lands.

NYDFS Part 500 Checklist: What Counts as a Reportable Incident

The trigger is a cybersecurity event that requires reporting to any government body, has a reasonable likelihood of materially harming any part of normal operations, or involves deployment of ransomware to a material part of the information system.

A stolen laptop without active credentials may not trigger. A compromised email account inside a producer mailbox almost always does.

Brokers should not rely on a single staff judgment call. The NYDFS Part 500 checklist names a primary and a backup decision-maker for the trigger call, with a two-hour internal escalation clock. A tabletop exercise once a year keeps the muscle memory fresh and keeps the boundary between the incident response plan and business continuity clear in the team’s head.

NYDFS Part 500 Checklist: The 24-Hour Ransom Payment Notice

Since 1 December 2023, any covered entity that makes an extortion payment must file a Notice of Extortion Payment within 24 hours. A 30-day written report follows, explaining why the payment was necessary, what alternatives were considered, and how the broker confirmed compliance with OFAC sanctions screening. The NYDFS Part 500 checklist includes the OFAC sanctions list reference for the broker’s payment processor.

Many small brokers carry cyber insurance with a third-party negotiator on the panel. The broker still files the notice, regardless of what the negotiator does. A cyber insurance risk assessment should confirm in advance who files what, on what timeline, so the 24-hour clock does not get lost between the broker, the negotiator, and the carrier.
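The reporting sections above define one decision and four clocks: the three-part reportability trigger, the two-hour internal escalation, the 72-hour NYDFS notice counted from determination, and the 24-hour notice plus 30-day written report counted from an extortion payment. The script below is an added example, not code from the article or from NYDFS, that pre-stages those clocks so the broker, the negotiator and the carrier are all reading the same deadlines. The three sample events are constructed for the example; the five-year retention date is computed from the determination date as an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Dict, List, Tuple

@dataclass
class Event:
    description: str
    determined_at: datetime                 # when the broker determined an incident occurred
    requires_other_gov_notice: bool         # reportable to any other government body
    likely_material_harm: bool              # reasonable likelihood of material harm to operations
    ransomware_on_material_system: bool     # ransomware deployed to a material part of the systems
    extortion_payment_at: Optional[datetime] = None


def is_reportable(e: Event) -> bool:
    """500.17 trigger: any one of the three conditions makes the event reportable."""
    return e.requires_other_gov_notice or e.likely_material_harm or e.ransomware_on_material_system


def deadlines(e: Event) -> Dict[str, datetime]:
    """Every clock that applies to this event, in the order they should be worked."""
    d = {"internal_escalation": e.determined_at + timedelta(hours=2)}
    if is_reportable(e):
        d["nydfs_72h_notice"] = e.determined_at + timedelta(hours=72)
    if e.extortion_payment_at is not None:
        # The 24-hour and 30-day clocks run from the payment, not from the incident.
        d["extortion_24h_notice"] = e.extortion_payment_at + timedelta(hours=24)
        d["extortion_30d_report"] = e.extortion_payment_at + timedelta(days=30)
    return d


def overdue(e: Event, now: datetime, filed: Tuple[str, ...] = ()) -> List[str]:
    """Names of clocks that have expired without the matching filing being recorded."""
    return [name for name, due in deadlines(e).items() if due <= now and name not in filed]


def retain_until(e: Event) -> datetime:
    """Assumed: incident records kept five years from the determination date."""
    return e.determined_at.replace(year=e.determined_at.year + 5)


# Constructed sample events for this example only.
def sample_events() -> Dict[str, Event]:
    return {
        "mailbox": Event("compromised producer mailbox", datetime(2025, 11, 3, 9, 0),
                         requires_other_gov_notice=False, likely_material_harm=True,
                         ransomware_on_material_system=False),
        "laptop": Event("stolen laptop, disk encrypted, no active credentials", datetime(2025, 11, 3, 9, 0),
                        requires_other_gov_notice=False, likely_material_harm=False,
                        ransomware_on_material_system=False),
        "ransom": Event("ransomware on the agency management server", datetime(2025, 11, 3, 9, 0),
                        requires_other_gov_notice=False, likely_material_harm=True,
                        ransomware_on_material_system=True,
                        extortion_payment_at=datetime(2025, 11, 4, 14, 0)),
    }


SAMPLE_NOW = datetime(2025, 11, 6, 12, 0)   # a point in time after the 72-hour clock has run

if __name__ == "__main__":
    for key, ev in sample_events().items():
        print(f"{key}: reportable={is_reportable(ev)}")
        for name, due in deadlines(ev).items():
            print(f"  {name:22} {due.isoformat()}")
        print(f"  overdue at {SAMPLE_NOW.isoformat()}: {overdue(ev, SAMPLE_NOW)}")
```

The stolen laptop carries only the internal escalation clock, because none of the three trigger conditions is met; the mailbox compromise starts the 72-hour clock the moment it is determined; and the ransomware event adds two further clocks that run from the payment time rather than the determination time, which is the detail most often lost when a negotiator is involved.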

NYDFS Part 500 Checklist: Recordkeeping and the Post-Incident Report

Records of the incident, the response, and the notice must be kept for at least five years. The NYDFS Part 500 checklist links each record to the broker’s secure document store, with file-naming conventions that survive staff turnover. A post-incident lessons-learned memo, signed by the broker principal, closes the entry and feeds back into the next annual risk assessment update.

NYDFS Part 500 Checklist: Annual Certification and Recordkeeping

Section 500.17(b) requires a covered entity to submit a Certification of Material Compliance or an Acknowledgement of Noncompliance to NYDFS each year by 15 April. The NYDFS Part 500 checklist gathers the evidence five months before the filing window opens, so the broker is filing facts, not promises.

NYDFS Part 500 Checklist: What the Certification Asks

The certification covers the prior calendar year. Material compliance is the bar, not perfection. Where a broker was not in material compliance, the alternative filing acknowledges the gap and attaches a written remediation plan, the schedule for closing it, and the responsible owner. The NYDFS Part 500 checklist holds the draft of both filings throughout the year.

Filing happens through the NYDFS Cybersecurity Portal. A single named senior officer or the highest-ranking executive signs. NYDFS publishes annual statistics on filings, with about 91% submitting a full certification and 9% submitting the acknowledgement of noncompliance in the most recent reporting cycle.

NYDFS Part 500 Checklist: Five-Year Recordkeeping Rules

Every record supporting the certification must be retained for five years. That includes the risk assessment, the policy, the program description, MFA logs, vendor reviews, training rosters where applicable, and any incident notice with attachments. The NYDFS Part 500 checklist maps each evidence type to a folder location and an owner, so an examiner request can be answered the same day.

NYDFS Part 500 Checklist Item | Evidence the broker keeps | Retention period
Cybersecurity program (500.02) | Program document, board or principal signature, latest review date | 5 years
Cybersecurity policy (500.03) | Signed policy PDF, distribution list, training acknowledgements | 5 years
Risk assessment (500.09) | Assessment workbook, update log, scope statement, threat list | 5 years
Access privileges (500.07) | Access review spreadsheet, leaver removal log, admin rights list | 5 years
Third-party reviews (500.11) | Vendor inventory, SOC 2 reports, questionnaire responses, contract clauses | 5 years
MFA logs (500.12) | Token enrollment records, exception register, MFA bypass approvals | 5 years
Incident notices (500.17) | Initial notice, supplemental updates, post-incident memo, OFAC check | 5 years
Annual certification (500.17(b)) | Filed certification or acknowledgement, supporting evidence package, signer name | 5 years

Frequently Asked Questions on the NYDFS Part 500 Checklist

Does the NYDFS Part 500 checklist for small insurance brokers apply to brokers licensed only outside New York?

No, the NYDFS Part 500 checklist for small insurance brokers applies only to entities operating under a NYDFS license, charter, registration, or authorization. A broker licensed solely in New Jersey or Connecticut who never holds a New York producer credential sits outside Part 500. Reciprocal nonresident licenses in New York pull the broker inside Part 500.

Can a small broker satisfy the NYDFS Part 500 checklist for small insurance brokers with a free template?

A free template is a starting point, not the finish line. The NYDFS Part 500 checklist must reflect the actual systems, vendors, and people inside the broker. Generic policies that name an undefined CISO or a Chicago data center the broker does not use will fail examiner scrutiny on the first interview. Customize every field.

How long does a typical small broker need to complete the NYDFS Part 500 checklist for small insurance brokers for the first time?

Plan on six to eight weeks of part-time effort for a broker with under 20 staff. Week 1 covers exemption testing and scope. Weeks 2 and 3 build the risk assessment. Weeks 4 and 5 deploy MFA and the access review. Weeks 6 to 8 finish vendor reviews, the incident plan, and the policy package.

Does the NYDFS Part 500 checklist require a named CISO?

Not for a 500.19(a) limited-exemption broker. A senior officer or the broker principal accepts accountability for the cybersecurity program in writing. The NYDFS Part 500 checklist records that name on the cover sheet of the program and policy documents, and the same person signs the annual certification.

What happens if a broker misses the 15 April annual certification under the NYDFS Part 500 checklist?

Late filings draw an immediate inquiry letter from NYDFS, followed by a request for production. Repeated late filings escalate to a formal investigation and a consent-order conversation. The NYDFS Part 500 checklist treats 15 April as the absolute deadline, with internal sign-off targeted for 31 March to give the broker two weeks of buffer.

Are encryption rules in the NYDFS Part 500 checklist for small brokers?

Section 500.15 encryption is dropped under the 500.19(a) limited exemption, but practical risk has not disappeared. Most carriers and most cyber insurers now require encryption of nonpublic information at rest and in transit as a condition of business. The NYDFS Part 500 checklist flags encryption as recommended even where the regulation no longer compels it.

Does the NYDFS Part 500 checklist cover artificial intelligence tools used inside the broker?

Yes, the broader risk assessment under 500.09 must cover any AI tool that touches nonpublic information. A guide to information security risk management frames the AI vendor exactly the same way as any other third-party service provider. The NYDFS Industry Letter on AI Risks (October 2024) raised expectations on documentation.

NYDFS Part 500 Checklist: Common Pitfalls and How to Avoid Them

Pitfall | Root cause | Remedy
Reading the 500.19(a) exemption as a full pass | Misreading the regulation text as a binary in or out | Use the NYDFS Part 500 checklist to mark each surviving section line by line
Treating SMS as the default MFA factor | Cost and ease of rollout drove the first deployment | Move to an authenticator app or hardware token for privileged users by next annual review
Skipping the vendor inventory | Brokers underestimate vendor count, often by 3x | Build the inventory from accounts payable, then enrich with email and cloud audits
Filing the certification without supporting evidence | Time pressure in early April | Lock evidence by 31 March; treat 15 April as a final-review window only
Naming a CISO the broker does not have | Copying a template that assumed full-program status | Replace with named senior officer; the limited exemption permits this
Logging a risk assessment once and never updating | No trigger list for material change | Add the trigger list (new system, new carrier, new state, new producer, new vendor) to the checklist
Tabletopping the incident plan only after an event | Plans assumed to work because they exist | Run a 90-minute scenario annually with the principal and the IT vendor at the table
Missing the 24-hour ransom payment notice | Confusion over who files when a cyber insurer negotiates | Pre-stage the notice template with a named signer and the contact email

NYDFS Part 500 Checklist: Looking Ahead Through 2027

The phase-in closed in November 2025, but NYDFS has not stopped writing. The regulator’s October 2025 Industry Letter on third-party risk lifted expectations on contractual notice clauses, software bill of materials, and continuous monitoring. Expect the next minor revision to land between late 2026 and early 2027, focused on AI vendors and on broker use of generative tools inside the producer workflow.

Carriers are not waiting. Several US property and casualty carriers now require Part 500 compliance attestations as a condition of producer agreement renewal. The convergence of risk oversight with strategic planning inside carriers means the broker who maintains a clean NYDFS Part 500 checklist also keeps appointments and commission flow secure.

Enforcement pace will rise. NYDFS imposed roughly $19 million in cybersecurity penalties across 2024 and early 2025, and the Healthplex order shows the regulator is comfortable working its way down the size curve into smaller insurance brokers and agents. The NYDFS Part 500 checklist becomes the cheapest form of legal insurance a small broker can carry.

Expect a federal overlay. Treasury and the FIO continue to study a national insurance cybersecurity baseline, modeled in part on the NYDFS Part 500 checklist. A small broker who has the NYDFS file in order is already positioned for whatever the federal framework requires when it lands, likely in the 2027 to 2028 window.

NYDFS Part 500 Checklist Support for Your Brokerage

Need a documented NYDFS Part 500 checklist for your brokerage by the next certification window? riskpublishing.com helps small New York insurance brokers build the program, the policy, the risk assessment, and the vendor inventory in six to eight weeks, with carrier-ready attestation packages.

Engagements run on a fixed scope and a fixed timeline, with a named owner inside the brokerage to maintain the file after handover. See riskpublishing services for the full package list, or contact Chris Ekai directly to scope a NYDFS Part 500 checklist review against your current evidence file and book of business.
