NYDFS Pentesting & Vulnerability Scanning Controls

New York’s Department of Financial Services (DFS) promulgated Cybersecurity Requirements for Financial Services Companies on March 01, 2017. Commonly referred to as NYDFS Cybersecurity Regulation, this regulation is available as Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York (23 NYCRR 500). In the introduction of this regulation, DFS has acknowledged the alarming rate at which threats are posed at information and financial systems by nation-states, independent criminal actors, and terrorist organizations. It aims to prescribe minimum standards and allows organizations to take measures as per their risk assessments and technologies available.

Applicability of NYDFS Cybersecurity Regulation

This regulation applies to any organization requiring a license, registration, certificate, permit, charter, accreditation, or any other authorization under the Insurance Law, the Banking Law, or the Financial Services Law. As per Section 500.01(c), this regulation refers to such organizations as covered entities.
Certain requirements of this regulation do not apply to your organization if:

1. There are less than ten employees located in New York for your organization, or
2. The gross annual revenue in each of the last three financial years is less than $5 million from New York operations, or
3. The valuation of total year-end assets is less than $10 million.

Section 500.19 lists out other exemptions from complying with this regulation.

This regulation defines penetration testing

Unlike many other regulations, standards, and laws that do not specifically mention penetration testing or vulnerability scanner, this regulation defines penetration testing. As given in Section 500.01(h), penetration testing means “a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside the covered entity’s information systems.” This definition covers all variants of penetration tests, including external as well as internal tests. However, it does not define vulnerability assessment.

Penetration testing and vulnerability assessment requirements under NYDFS

As given in Section 500.02, a covered entity shall maintain a cybersecurity program for protecting the confidentiality, integrity, and availability of its information systems. This program shall be based on the organization-specific risk assessment, and it should be able to identify internal and external risks. Section 500.03 illustrates the requirements for a covered entity’s cybersecurity policy. It specifies areas such as access controls, identity management, systems, & network security, systems & network monitoring, physical security and environmental controls, and risk assessment, among others.
Section 500.05 of this regulation specifically focuses on penetration testing and vulnerability assessments. First, this section states that a covered entity’s cybersecurity program must include monitoring and testing activities for assessing the effectiveness of its cybersecurity program. These monitoring and testing activities shall consist of continuous monitoring or periodic penetration testing and vulnerability assessments. Risk assessment should be the basis for deciding the scope of monitoring and testing activities. (You can read more about the differences between continuous monitoring and penetration testing here.)
In this section itself, the regulation specifies that a covered entity must conduct penetration testing annually, while vulnerability assessments must be conducted twice a year. Though it does not define vulnerability assessments, it states that vulnerability assessments would include any systematic scans/reviews of information systems for identifying publicly known vulnerabilities in the information systems of a covered entity.
Section 500.08 pushes for secure development practices for in-house applications; however, it also mentions security testing as a prerequisite before utilizing any externally developed application. For checking the feasibility of encryption controls or their alternatives, the CISO shall review them annually.

Our recommendations and conclusions

Given that most of the requirements in NYDFS Cybersecurity Regulation are mandatory in nature, there are no workarounds, and a covered entity is bound to implement them. Ever since this regulation became effective on March 01, 2017, our experts have closely followed the developments. In March 2019, the transition period ended, and a covered entity is reasonably expected to comply with all the requirements given in the brief. In such a case, we recommend you implement continuous monitoring of your information assets along with vulnerability assessment and penetration testing at the required frequency. For more information, schedule a call with BreachLock experts today!