New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.5 - Vulnerability management

Current through Register Vol. 46, No. 39, September 25, 2024

Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program. These policies and procedures shall be designed to ensure that covered entities:

(a) conduct, at a minimum:

(1) penetration testing of their information systems from both inside and outside the information systems' boundaries by a qualified internal or external party at least annually; and

(2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;

(b) are promptly informed of new security vulnerabilities by having a monitoring process in place; and

(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.

Disclaimer: These regulations may not be the most recent version. New York may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.