New York is the financial capital of the United States, and its regulatory environment reflects that status. The New York Department of Financial Services cybersecurity regulation, 23 NYCRR 500, is one of the most prescriptive state-level cybersecurity mandates in the country. For DFS-licensed banks, insurance carriers, money transmitters, and fintech companies, penetration testing is not optional. It is a codified annual requirement with documented evidence obligations and board-level accountability.
Beyond the DFS-regulated sector, the broader New York business ecosystem faces its own security pressures. The NY SHIELD Act, the sheer concentration of high-value targets in Manhattan and across the five boroughs, and the expectations of enterprise clients and institutional investors all push NYC companies toward rigorous security testing programs. This guide covers what NYDFS actually requires, how to structure a compliant testing program, and what the city's leading industries need from their security partners.
NYDFS 23 NYCRR 500: What the Regulation Actually Requires
The NYDFS cybersecurity regulation was enacted in 2017 and significantly amended in 2023. The 2023 amendments are fully in effect and carry materially stricter requirements, particularly for larger financial institutions. Understanding the current state of the regulation is essential before scoping any compliance-driven penetration test.
Section 500.05: Penetration Testing
Section 500.05 is the provision that directly mandates penetration testing. Covered entities must conduct:
- Annual penetration testing of information systems, based on relevant identified risks in accordance with the covered entity's risk assessment
- Bi-annual vulnerability assessments, including systematic scans or reviews of information systems to identify publicly known cybersecurity vulnerabilities
- Remediation of critical vulnerabilities identified through testing, with documentation of the remediation effort
Covered entities must retain all penetration testing records, including methodology, findings, and remediation documentation, for a minimum of three years. This documentation is subject to examination by DFS examiners during routine supervisory reviews.
Class A Company Requirements
The 2023 amendments introduced the Class A company designation, which applies to covered entities with at least 2,000 employees (including affiliates) or over $1 billion in gross annual revenue averaged across the prior three fiscal years. Class A companies face enhanced obligations:
- Bi-annual penetration testing rather than annual, with at least one test conducted by an independent party
- Independent audits of the cybersecurity program at a frequency and scope determined by risk assessment
- Privileged access management controls with annual review and automated blocking of privileged access for inactive accounts
- Annual senior officer or board certification attesting to the accuracy of the cybersecurity compliance filing
For large New York financial institutions, the independent testing requirement has direct implications for vendor selection. Testing firms must operate at arm's length from the systems and personnel they are evaluating.
Section 500.09: Risk Assessment
Section 500.09 requires covered entities to conduct periodic risk assessments of information systems. The penetration testing program must be informed by and consistent with this risk assessment. In practice, this means your test scope cannot be arbitrarily narrow. If the risk assessment identifies customer-facing APIs, cloud infrastructure, or third-party integrations as material risks, those assets need to be included in the penetration test scope.
Examiner focus area: NYDFS examiners have increasingly scrutinized whether covered entities' penetration test scopes align with their documented risk assessments. A web application test that ignores internal network segments identified as high-risk in the entity's own risk assessment is a finding waiting to happen.
Section 500.11: Third-Party Service Provider Security
Covered entities must implement written policies and procedures governing the security practices of their third-party service providers. This extends the NYDFS security footprint beyond the regulated entity itself. Fintech companies providing services to DFS-licensed institutions will frequently be required to provide evidence of their own penetration testing as part of vendor due diligence. A current pentest report from a reputable firm is the most efficient way to satisfy this requirement.
The NY SHIELD Act: Security Testing Beyond the DFS Perimeter
The Stop Hacks and Improve Electronic Data Security Act applies to any business that owns or licenses private information of New York residents, regardless of where that business is headquartered. Unlike NYDFS 23 NYCRR 500, the SHIELD Act does not mandate penetration testing by name. Instead, it requires covered businesses to implement and maintain reasonable administrative, technical, and physical safeguards.
What constitutes reasonable safeguards is not exhaustively defined, which gives regulators and plaintiffs flexibility in enforcement actions. Businesses that can point to documented penetration testing, remediation of identified vulnerabilities, and an ongoing security testing cadence are in a substantially stronger position than those relying on perimeter firewalls and annual security awareness training alone.
For NYC companies outside the financial services sector, the SHIELD Act is often the primary regulatory driver for initiating a formal penetration testing program. The combination of SHIELD Act compliance obligations and the reputational consequences of a breach in a city where institutional reputation matters enormously creates a compelling case for regular testing.
Industries Driving NYC Cybersecurity Demand
Wall Street and Traditional Financial Services
Investment banks, broker-dealers, asset managers, hedge funds, and prime brokers concentrated in the Financial District and Midtown Manhattan represent the largest share of NYDFS-covered entities in the state. These firms face a specific threat profile: state-sponsored actors targeting trading systems, insider threats with access to market-sensitive data, and supply chain attacks targeting financial data vendors and clearinghouses.
Penetration testing for traditional financial services firms typically encompasses external network infrastructure, internal Active Directory environments, trading platform APIs, and employee workstation security. Firms operating under both NYDFS and SEC cybersecurity rules may need to coordinate test timing and documentation to satisfy both regulators simultaneously. See our guide on penetration testing services for a full breakdown of test types and scope options.
Fintech and Payments
New York's fintech sector is concentrated in Silicon Alley and has expanded significantly into Brooklyn and Long Island City. Companies building payment infrastructure, lending platforms, robo-advisors, and banking-as-a-service products face a layered compliance environment: NYDFS licensing requirements, PCI DSS for payment card data, and SOC 2 for enterprise client contracts.
Fintech penetration testing requires depth in API security, OAuth and authentication flows, open banking interface security, and the business logic vulnerabilities that automated scanners consistently miss. A test that surfaces only CVSS-scored infrastructure findings without examining how a malicious actor could manipulate transaction flows or escalate account privileges provides limited value for a payments company.
For fintech companies pursuing SOC 2 penetration testing alongside NYDFS compliance, scoping the test to satisfy both requirements simultaneously is straightforward and reduces cost.
Media and Ad-Tech
New York's media industry, spanning legacy publishers, streaming platforms, digital advertising exchanges, and data brokers, sits outside the NYDFS regulatory perimeter but handles consumer data at scale. Ad-tech companies processing behavioral data on New York residents carry SHIELD Act obligations and, increasingly, contractual security requirements from brand advertisers and supply-side platform partners.
The attack surface for media and ad-tech companies includes content management systems, programmatic advertising infrastructure, audience data platforms, and the APIs connecting them. Credential theft targeting editorial staff and supply chain attacks against third-party ad tags are recurring threat vectors for this sector. Penetration testing programs for media companies often emphasize web application security, API security, and phishing resistance alongside standard network testing.
Healthcare
New York City is home to some of the largest health systems in the country, including NYU Langone Health, Mount Sinai Health System, NewYork-Presbyterian, and Northwell Health. These institutions operate under HIPAA technical safeguards requirements, New York State Department of Health cybersecurity guidance, and, in some cases, NYDFS requirements for their captive insurance entities.
Healthcare penetration testing in New York requires specific expertise in EHR platform security, HL7 and FHIR API security, patient portal authentication, and medical device network segmentation. The breach consequences for healthcare organizations are severe: OCR enforcement, state AG investigations, class action litigation, and reputational harm that directly affects patient acquisition. Our healthcare security testing practice covers the full scope of clinical and administrative systems.
Enterprise SaaS
Enterprise software companies based in New York, selling to financial services, healthcare, legal, and government clients, face security requirements driven primarily by their customer contracts rather than their own direct regulatory obligations. A SaaS company selling to a DFS-covered bank will be asked for penetration test reports as a condition of the vendor due diligence process mandated by Section 500.11.
For enterprise SaaS companies, the penetration test report functions as a sales asset as much as a security document. Reports that are clear, well-structured, and cover the right scope allow sales teams to satisfy security questionnaires and accelerate enterprise procurement cycles. See our PTaaS platform for continuous testing options that keep reporting current for active sales processes.
Scoping a NYDFS-Compliant Penetration Test
The most common mistake DFS-covered entities make is scoping penetration tests too narrowly to satisfy the regulation. Section 500.05 requires testing to be based on risks identified in the risk assessment. A minimal-scope test that touches only the public-facing website while leaving internal network segments, cloud environments, and third-party integrations untested will not hold up to examiner scrutiny.
| Asset Category | NYDFS Relevance | Typical Test Type |
|---|---|---|
| External network infrastructure | Required; primary attack surface | External penetration test |
| Web and mobile applications | Required if customer-facing or handling NPI | Web application penetration test |
| Internal network / Active Directory | Required for Class A; risk-based for others | Internal penetration test |
| Cloud infrastructure (AWS, Azure, GCP) | Required if cloud hosts regulated data | Cloud security assessment |
| Third-party API integrations | Section 500.11 third-party risk | API security testing |
| Employee phishing resistance | Section 500.14 security awareness training | Social engineering assessment |
The risk assessment that informs test scope should be reviewed alongside the proposed scope before finalizing the statement of work. Where the risk assessment identifies specific systems, data flows, or threat scenarios as high priority, those elements should be explicitly reflected in the test objectives.
Methodology and Independence
NYDFS does not mandate a specific penetration testing methodology, but it expects testing to be rigorous and representative of actual threat scenarios. Manual testing by qualified practitioners, not automated scanning alone, is the expected standard. Automated vulnerability scanning satisfies the bi-annual vulnerability assessment requirement under Section 500.05(b) but does not substitute for the annual penetration test.
For Class A companies, the requirement for at least one independent penetration test per bi-annual cycle means the testing firm must have no significant business relationship with the systems or teams being tested beyond the test engagement itself. Internal red teams may supplement but cannot replace external independent testing for this purpose.
Documentation and Evidence Requirements
NYDFS examinations increasingly focus on documentation quality alongside the existence of a penetration testing program. Covered entities should ensure their testing program produces and retains the following:
- Scoping documentation showing how test scope aligns with the risk assessment
- Methodology description covering the techniques, tools, and threat scenarios evaluated
- Technical findings report with severity ratings, affected systems, evidence of exploitation, and business impact context
- Remediation tracking documenting how each finding was addressed, by whom, and within what timeframe
- Executive summary suitable for board or senior officer review as required by Section 500.04(b)
- Retest confirmation where applicable, verifying that critical findings were remediated
Retention requirement: All penetration testing documentation must be retained for a minimum of three years under NYDFS 23 NYCRR 500. This includes not only the final report but scoping agreements, methodology descriptions, and remediation records. Ensure your testing provider delivers documentation that meets this standard at the close of each engagement.
Integrating Penetration Testing with Broader NYC Compliance Obligations
Most New York financial services companies operate under multiple overlapping regulatory frameworks. Coordinating penetration testing across these requirements reduces cost and examiner friction.
NYDFS and SOC 2
SOC 2 Type II audits assess whether a service organization's controls operate effectively over time. The SOC 2 CC6 and CC7 control families require evidence of vulnerability management and security testing. A penetration test scoped to satisfy NYDFS Section 500.05 can simultaneously generate the evidence required for SOC 2 audit purposes, provided the test scope covers the in-scope systems for the SOC 2 examination period. See our detailed guide on SOC 2 penetration testing requirements for scope alignment guidance.
NYDFS and PCI DSS
Financial services companies that process payment card data must satisfy PCI DSS Requirement 11.4, which mandates internal and external penetration testing at least annually and after significant infrastructure or application changes. The PCI DSS and NYDFS testing requirements are compatible and can be satisfied in a single coordinated engagement when the scope covers both payment card data environments and the broader information systems required by NYDFS.
NYDFS and SEC Cybersecurity Rules
Investment advisers and broker-dealers registered with the SEC face cybersecurity disclosure and risk management requirements under the SEC's 2023 cybersecurity rules. These rules require policies and procedures for cybersecurity risk management, incident disclosure obligations, and annual reviews of cybersecurity programs. Penetration testing evidence supports the SEC cybersecurity program review requirement and provides a foundation for accurate risk disclosure.
Why NYC Financial Institutions Work with Lorikeet Security
New York-based financial institutions evaluating penetration testing partners should look past the pitch deck and focus on three things: the technical depth of the testing methodology, the quality of the documentation produced, and the firm's understanding of the specific regulatory context in which the client operates.
Lorikeet Security's practice covers the full range of assets that NYDFS-covered entities need tested: external network infrastructure, web and mobile applications, internal Active Directory environments, cloud deployments on AWS and Azure, and API-layer security. Our reports are structured to satisfy both examiner documentation requirements and the technical remediation needs of engineering teams.
We work with financial services companies at every stage, from Series A fintech startups completing their first NYDFS compliance gap assessment to established broker-dealers running annual independent penetration tests. Our New York financial services security practice is built around the specific regulatory and threat environment that NYC companies face.
Remote-first delivery means clients are not paying for Manhattan office overhead. The same technical team, methodology, and report quality is available at rates that reflect the actual cost of delivering the work rather than the cost of a Midtown address. Our full service catalog covers web application testing, external and internal network assessments, cloud security reviews, and compliance-aligned testing packages.
NYDFS penetration testing for New York financial services
We help DFS-covered entities satisfy 23 NYCRR 500 Section 500.05 with rigorous, well-documented penetration testing. Scope alignment with your risk assessment, examiner-ready documentation, and remediation support included.
