Navigating NY DFS Part 500.05: Penetration & Vulnerability Assessments

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).

* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.05: Penetration & Vulnerability Assessments (Deadline: February 15, 2018)

This section requires a covered entity to implement monitoring and testing, based on the covered entity’s risk assessment, to assess the effectiveness of the covered entity’s cybersecurity program. The monitoring and testing should either continuously monitor or detect, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities. If the covered entity does not implement monitoring and testing as described above, they must conduct:

  1. annual penetration testing of the covered entity’s information systems based on identified risks found in the covered entity’s risk assessment; and
  2. bi-annual vulnerability assessments, including systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the covered entity’s information systems, based on the covered entity’s risk assessment.

Implementing continuous monitoring is a daunting task, especially in a constantly evolving environment. Most organizations will likely choose to conduct an annual penetration test and bi-annual vulnerability assessments to satisfy this section’s requirements.