New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.5 - Vulnerability management
Universal Citation: 23 NY Comp Codes Rules and Regs § 500.5
Current through Register Vol. 46, No. 39, September 25, 2024
Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program. These policies and procedures shall be designed to ensure that covered entities:
(a) conduct, at a minimum:
(1) penetration testing of their information systems from both inside and outside the information systems' boundaries by a qualified internal or external party at least annually; and
(2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;
(b) are promptly informed of new security vulnerabilities by having a monitoring process in place; and
(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.
Disclaimer: These regulations may not be the most recent version. New York may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.