NYSDFS 23 NYCRR 500 Compliance and Application Security

Issued by the New York State Department of Financial Services (NYSDFS), 23 NYCRR 500 is a set of cybersecurity regulations
that imposes interrelated requirements on financial institutions and insurance companies that are
based in, or licensed to operate in, New York State (the "Covered Entities" referred to below).

New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies

Section 500.05 Penetration Testing and Vulnerability Assessments

“The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct:

(a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and

(b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.”

Section 500.08 Application Security

“(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.”

ImmuniWeb® Products for NYSDFS 23 NYCRR 500 Compliance

Application security and compliance start with visibility: you cannot protect what you do not know you have. We therefore recommend starting a NYSDFS 23 NYCRR 500 compliance program with asset discovery and inventory.

ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets and assigns each one an attractiveness and a hackability score. Built on Big Data and our proprietary AI technology, the process is rapid and non-intrusive. Once you have a comprehensive and up-to-date inventory of your assets, you are ready to start well-informed, risk-based application security testing.

For one-time security testing of your web applications and APIs, we recommend ImmuniWeb® On-Demand. For iOS and Android mobile apps and their backends (e.g. APIs or REST/SOAP web services), we provide all-inclusive testing with ImmuniWeb® MobileSuite.

For the most critical applications that directly affect your NYSDFS 23 NYCRR 500 compliance, we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code.

All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of application security testing. Combined with human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positives SLA.

ImmuniWeb® Discovery: Application Security Score Card (Web, Mobile, API, Cloud). Freemium.

ImmuniWeb® MobileSuite: One-Time Mobile Audit (Mobile, API, Cloud). From $1,499.

ImmuniWeb® On-Demand: One-Time Web Application Audit (Web, API, Cloud). From $499.

ImmuniWeb® Continuous: 24/7 Web Security Testing (Web, API, Cloud). From $1,199 / month.