According to recent studies, the financial sector remains a prime target for cyberattacks. The 2023 ENISA Threat Landscape report says the finance, banking and insurance sectors are the second most targeted by cyberattacks, with 30% of all attacks aimed at them. These sectors were mostly targeted by application attacks. What is more, according to IBM’s Cost of a Data Breach Report 2024, the financial sector has the second highest (after healthcare) cost of a data breach at USD 6.08 million.
Such statistics highlight the importance of cybersecurity measures like those mandated by the New York State Department of Financial Services (NYDFS).
The NYDFS recognizes the need to proactively decrease cyber risk in the sector and has enacted the 23 NYCRR 500 (also known as Part 500) to establish robust cybersecurity requirements for financial services companies. This regulation aims to protect consumer data and maintain the integrity of the financial system and its resilience against cyber attacks.
A key component of 23 NYCRR 500 is the requirement for regular pentest assessments. Periodic penetration testing helps organizations identify and address vulnerabilities before they can be exploited by malicious actors. This proactive measure is essential for maintaining a strong security posture and ensuring compliance with NYDFS regulations.
This article aims to educate organizations about the specific penetration testing requirements under NYDFS 23 NYCRR 500, helping them to achieve and maintain compliance effectively.
Does NYDFS require penetration testing?
The NYDFS Cybersecurity Regulation (23 NYCRR 500) mandates annual penetration testing for covered entities. According to Section 500.5 (f) of the regulation, which has been in effect since March 1, 2017, each covered entity must conduct “annual penetration testing of its Information Systems based on the Covered Entity’s Risk Assessment”.
This requirement helps financial institutions regularly identify and address vulnerabilities, improving their overall cybersecurity posture and compliance. For more details, refer to the full text of the NYDFS Cybersecurity Regulation.
NYDFS 23 NYCRR 500 – what is it all about?
The NYDFS Cybersecurity Regulation, known as 23 NYCRR 500, is a set of comprehensive cybersecurity requirements issued by the New York Department of Financial Services. Effective March 1, 2017, with the most recent update on November 1, 2023 (“Second Amendment”), this regulation mandates robust cybersecurity measures to protect consumer data and the integrity of financial services companies.
Under 23 NYCRR Part 500, a covered entity’s cybersecurity program must include several key components to effectively manage cybersecurity risks. These include:
- Cybersecurity Program: Each covered entity must establish and maintain a cybersecurity program with the intent to protect its information systems. The program should be based on periodic risk assessments and be tailored to the specific cybersecurity risks faced by the entity. The program should be based on periodic risk assessments and be tailored to the specific cybersecurity risks faced by the entity.
- Risk Assessments: Covered entities are required to conduct regular risk assessments to identify and evaluate cybersecurity risks. These assessments inform the development and implementation of the cybersecurity program.
- Penetration Testing and Vulnerability Assessments: Section 500.5 (f) mandates that covered entities conduct annual penetration testing and bi-annual vulnerability assessments. These activities help identify and mitigate vulnerabilities within the covered entity’s information systems.
- Governance and Personnel: Part 500.4 outlines the requirement for the designation of a Chief Information Security Officer (CISO), a senior officer responsible for overseeing and implementing the cybersecurity program. The CISO must “timely report” to senior governing bodies of the covered entity on any cybersecurity material issues.
- Third-Party Service Provider Security: Covered entities must implement policies and procedures to ensure the security of information systems and non-public information (NPI) that is accessible to or held by third-party service providers.
A non-exhaustive summary of Part 500’s Second Amendment
- Class A Companies (500.1(d)): Defines “Class A Companies” as those with over $20 million in annual revenue and either over 2,000 employees or $1 billion in revenue, with additional requirements.
- Audits (500.2(c)): Requires independent audits of the cybersecurity program based on the entity’s risk assessment.
- Access Monitoring (500.7(c)): Mandates monitoring privileged access activity, implementing a privileged access management solution, and automated password blocking.
- Endpoint Security (500.14(b)): Requires endpoint detection and response solutions and centralized logging for Class A Companies unless compensating controls are approved by the CISO.
- Cybersecurity Policy (500.3): Annual approval of the cybersecurity program policy by a senior officer or governing body, covering areas like data retention, remote access, and vulnerability management.
- CISO (500.4): Maintains the requirement for a CISO to oversee and implement the cybersecurity program, with timely reporting to senior management on material cybersecurity issues.
- Senior Governing Body Oversight (500.4(d)): Requires the governing body to have sufficient understanding to oversee cybersecurity and ensure the implementation and maintenance of the cybersecurity program.
- Vulnerability Management (500.5): This policy eliminates continuous monitoring and requires annual penetration testing, automated scans, manual reviews, and timely remediation of vulnerabilities.
- Access and Privilege Management (500.7): Specifies steps for managing user access and privileged accounts, including annual reviews and removal of unnecessary access.
- Password Policy (500.7): Requires a written password policy that meets industry standards.
- Application Security (500.8): Demands annual review of application security procedures, guidelines, and standards.
- Risk Assessment (500.9): Mandates annual review and updates of risk assessments, incorporating threat and vulnerability analyses.
- Multi-Factor Authentication (500.12): Requires MFA for accessing information systems, with CISO-approved compensating controls reviewed annually.
- Asset Management and Data Retention (500.13(a)): Implements policies for maintaining an accurate inventory of information systems assets and tracking key information.
- Monitoring (500.14(b)): Implements risk-based controls to protect against malicious code, including web traffic and email filtering.
- Training (500.14(a)(3)): This requirement requires annual cybersecurity training, including social engineering training.
- Encryption (500.15): This item mandates a written encryption policy meeting industry standards, removing the infeasibility exception for encryption in transit.
- Incident Response and Business Continuity (500.16): Comprehensive incident response and BCDR plans, annual testing, and relevant training are required.
- Notice of Cybersecurity Incidents and Extortion Payments (500.17(a); 500.17(c)): Mandates notification of cybersecurity incidents within 72 hours and detailed reporting on extortion payments.
- Certification (500.17(b)): Revises the certification process, allowing entities to acknowledge non-compliance with a remediation timeline signed by the highest-ranking executive and CISO.
- Enforcement (500.20): This section specifies that violations include failure to secure nonpublic information and material non-compliance with Part 500 for any 24-hour period.
Covered entities under NYDFS (23 NYCRR 500)
The regulation applies to a broad range of entities operating within the financial services industry in New York. Per the act’s definition, “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.“
These covered entities must comply with the regulation’s cybersecurity requirements to protect business-critical systems and non-public information (NPI), maintaining the integrity of their operations. Here is a non-exhaustive list of entities that are subject to 23 NYCRR 500:
- Banks and Trust Companies: Includes all banks chartered under New York State Banking Law and trust companies licensed to operate within New York.
- Insurance Companies: All insurance companies licensed to operate in New York, including life insurance, property and casualty insurance, health insurers, and other specialty insurers.
- Mortgage Brokers and Lenders: Mortgage brokers, lenders, and servicers regulated by the NYDFS.
- Licensed Lenders: All entities licensed to lend money under New York’s financial regulations.
- Credit Unions: Credit unions chartered under New York State law.
- Savings and Loan Associations: Savings and loan associations regulated by the NYDFS.
- Foreign Banks: Foreign banks licensed to operate branches or representative offices in New York.
- Service Providers: Third-party service providers that access, maintain, or process a covered entity’s information systems or nonpublic information.
- Other Financial Institutions: Any other financial services companies regulated by the NYDFS, including money transmitters and virtual currency businesses.
Exempted entities under the latest guidance
It’s important to note the regulation provides exemptions for organizations meeting specific criteria, such as:
- The covered entity and its affiliates have less than 20 employees and independent contractors in the state of New York.
- The covered entity earned less than $7,500,000 in gross annual revenue in the last three fiscal years from all its business operations—wherever located—and its affiliates’ New York business operations.
- The covered entity and its affiliates have less than $15,000,000 in year-end total assets.
For details about the exemption, please refer to the NYDFS Cybersecurity Regulation Exemption Flowchart or the text in part 500 exemptions.
The role of pentesting in NYDFS compliance
Penetration testing plays a critical role in achieving and maintaining compliance with the NYDFS Cybersecurity Regulation, more specifically with the item Vulnerability management (500.5). It is an essential part of a covered entity’s cyber risk management strategy, helping to identify and address vulnerabilities before they can be exploited by adversaries.
Under 23 NYCRR 500, covered entities are required to conduct annual penetration testing and bi-annual vulnerability assessments. These activities must be documented and reported as part of the entity’s cybersecurity compliance program. Proper documentation not only demonstrates compliance but also provides a clear audit trail for regulatory reviews.
NYDFS penetration testing requirements
NYDFS mandates that covered entities conduct annual penetration testing of their information systems. The NYDFS Cybersecurity Regulation’s 23 NYCRR 500.5 (500.5 Vulnerability Management) sets a list of requirements that also encompass penetration testing to ensure the robustness of cybersecurity programs in financial institutions, requiring covered entities to integrate regular pentesting into their cybersecurity practices to maintain and demonstrate material compliance with the regulation.
This article already covers the changes to 500.5 that became effective as of April 29, 2024.
In the latest update of NYDFS, item 500.5 Vulnerability management brings additional requirements that must be followed for penetration testing and vulnerability assessments in the realm of 23 NYCRR 500.5:
Penetration testing
- Must be conducted from both inside and outside the information systems’ boundaries
- Must be performed by a qualified internal or external party
Vulnerability scans
- Includes manual reviews of systems not covered by automated scans
- Conducted promptly after system changes
Monitoring
- Processes in place to promptly inform of new security vulnerabilities
Remediation
- Vulnerabilities must be remediated in a timely manner
Although there is no specific guidance on what constitutes a qualified external party, we have written a comprehensive article on how to choose a penetration testing provider that can help organizations select the right partner for security assessments.
Final remarks
Penetration testing is critical to maintaining compliance with item 500.5 NYDFS Cybersecurity Regulation, known as 23 NYCRR 500. By requiring covered entities to conduct regular security testing and integrate these efforts with their vulnerability management programs, the regulation ensures a proactive approach to identifying and addressing cybersecurity vulnerabilities.
Continuous monitoring and periodic assessments help financial institutions manage their cyber risks effectively, ensuring that their cybersecurity practices are robust and resilient against evolving threats. Through stringent documentation and a focus on identified risks, covered entities can demonstrate material compliance with NYDFS requirements and safeguard their critical infrastructure.