23 CRR-NY 500.5

OFFICIAL COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK
TITLE 23. FINANCIAL SERVICES
CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES
PART 500. CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
500.5 Penetration testing and vulnerability assessments.
The cybersecurity program for each covered entity shall include monitoring and testing, developed in accordance with the covered entity’s risk assessment, designed to assess the effectiveness of the covered entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities, covered entities shall conduct:
(a) annual penetration testing of the covered entity’s information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
(b) bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the covered entity’s information systems based on the risk assessment.
Current through November 30, 2020