Navigating NY DFS Part 500.08: Application Security

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.08: Application Security (Deadline: September 3, 2018)

This section requires the covered entity to:

  1.  maintain written documentation designed to ensure the use of secure development practices for in-house developed applications utilized by the covered entity, and
  2.  maintain written documentation designed to evaluate, assess, or test the security of externally developed applications utilized within the covered entity’s technical environment.

The documentation required under this section shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the covered entity.

The first part of this section requires the covered entity to incorporate secure development practices into their Software Development Life Cycle (SDLC) for any software applications developed in-house that are used by the covered entity. The second part requires the covered entity to establish written procedures for evaluating externally developed software applications that are utilized within the covered entity’s technology environment.