If a DFS exam letter
arrived tomorrow, would
your agency be ready?

Cybersecurity, IT, and 23 NYCRR 500 compliance built
for New York Insurance agencies. Your first call is with
our CEO, a DFS-approved instructor.

Book a 30 min NYCRR 500 readiness call

30 min - Confidential

No obligation

You speak with Walter directly

TRUSTED ACROSS NEW YORK’S INSURANCE COMMUNITY

WHAT IT LOOKS LIKE

This is what happens when DFS
comes knocking
We've helped agencies through the real thing. The documents
below are redacted versions of letters and questionnaires our
clients have received from the New York State Department of
Financial Services.
1. The letter arrives
An examiner sends a First Day Letter requesting documentation, evidence, and policies.
2. You have ~14 days
You must produce a written program, risk assessment, IR plan, training records, and vendor inventory.
3. Findings & consequences
Gaps lead to corrective action plans, fines, or in serious cases, license risk.

IN PLAIN ENGLISH

What DFS will expect you to
prove, not just claim.
Most agencies filed their certification. Few are prepared to prove it. These are
the controls DFS expects you to produce, document, and defend during an exam.
500.02
Written cybersecurity program
Documented policies, procedures, and controls covering your agency.
Drafted, maintained, renewed annually.
500.04
CISO designation
A person responsible for overseeing the cybersecurity program.
We act as your CISO of record.
500.09
Risk assessment
Annual, documented review of risks to nonpublic information.
Annual, regulator-ready.
500.12
Multi-factor authentication
MFA on email, VPN, and privileged access.
Deployed and monitored.
500.15
Encryption of NPI
Data encrypted in transit and at rest, with key management.
Configured agency-wide.
500.16
Incident response plan
Written plan, tested, and ready to execute.
Tabletop drilled annually.
500.11
Third-party oversight
Vendor inventory, due diligence, and ongoing monitoring.
Vendor packets delivered.
500.14
Cyber awareness training
Periodic training for all personnel and management.
Our SAP with manager portal.
500.17
Annual certification
Filed each year with the Superintendent through the DFS portal.
We prep, you sign.

WHY MOTIVA

Most IT firms know IT. We know
what DFS auditors actually ask for.
Three reasons NY agencies move from a generic MSP to Motiva.
DFS-approved
Walter is a DFS-approved instructor.
Few (if any) competing MSPs in New York can say this. Walter is approved by the Department of Financial Services to teach licensed insurance professionals.
Documented program
Policies, evidence, board reports. Not just controls.
We deliver the artifacts regulators ask to see: written cybersecurity program, risk assessment, board reports, audit cycles, and a multi-year maturity roadmap.
Audit-tested
100%
Audit pass rate across Motiva insurance and mortgage clients. Two-plus years. Zero fines. Zero violations.

Your first call is with Walter, not a sales rep.

For 25 years, Walter Contreras has helped New York insurance agencies, mortgage lenders, and financial firms strengthen cybersecurity, reduce operational risk, and meet 23 NYCRR 500, without confusion or overwhelm.

A graduate of Columbia Business School, a cybersecurity practitioner, and a DFS-approved instructor, Walter doesn't run sales calls. He runs working sessions.

Book a working session with Walter

What DFS auditors ask for

Can you check every box?
Regulators expect documented controls you can prove.
You must have:
Written cybersecurity policies
Risk assessments and gap tracking
Strong access controls (MFA)
Threat detection and incident response
Vendor and third-party oversight
Audit-ready documentation
Policies alone are not enough. Prove it or face the fines.

Stricter rules.
Shorter deadlines.

Recent NYDFS amendments increase expectations and enforcement, with phased deadlines through 2026.

HERE IS WHAT’S CHANGING

Stricter NYDFS requirements.
Key updates include:
- Expanded MFA requirements
- Stronger governance and oversight expectations
- More detailed incident and ransomware reporting
- Faster notification timelines for regulators
72h to report an incident
Under NYCRR 500.17, mortgage companies must report qualifying cybersecurity events within 72
hours, and ransomware payments within 24
hours.
Miss the deadline, and you risk violations,
penalties, and reputational damage.
The clock starts ticking as soon as an incident is
confirmed.
Even temporary failures can result in serious consequences under NYDFS 23 NYCRR 500. Letting these gaps go unchecked
can put your entire business at risk.
What happens if you’re not
compliant.
Regulatory scrutiny & fines
NYDFS can issue immediate corrective actions.
Forced remediation
You may be forced to patch gaps in days, not months.
Business disruption
Security incidents can freeze operations or cause outages.
Reputational damage
Clients and partners will lose trust if you’re caught unprepared.
Compliance isn’t just required,
it’s a smart business move.
NYDFS compliance isn’t just about checking boxes, it’s how smart agencies reduce risk, protect clients, and stay competitive.
Lower cyber exposure
Plug gaps before they’re exploited.
Stabilize daily operations
Reduce downtime, IT stress, and tech chaos.
Win customer trust
Show clients you're serious about data protection.
Ace future DFS audits
Have everything in order before they ask.
Good compliance isn't just protection.
It’s a
growth advantage.

MOTIVA IS HERE TO HELP

You’ve seen what NYDFS requires and what’s at stake if you’re not ready.
Now let’s help you get clarity.

Start with a free NYDFS Compliance
Starter Pack!
A simple, no-pressure way to understand where you stand.
Includes:
A conversation with Walter Contreras, Founder & CEO
High-level review against NYDFS 23 NYCRR 500
Identification of key gaps and risks
Clear, prioritized next steps
Why Mortgage Companies
Trust Motiva
25+ years supporting regulated businesses.
Cybersecurity, IT, and compliance — unified.
Built specifically for NYDFS environments.
Direct guidance from the CEO, not a sales rep.

Independent cybersecurity expertise that helps organizations identify risk before it becomes a crisis.

Not Sure Where You Stand? Get Clarity.

A short conversation can help you understand your obligations, risks,
and options, before regulators or incidents force the issue.

Book a Security & Compliance Review