NYDFS 23 NYCRR 500 Penetration Testing Requirements: A Compliance Guide | Lorikeet Security

NYDFS 23 NYCRR 500 Penetration Testing Requirements: A Compliance Guide

If your company holds a New York banking, insurance, or financial services license, the New York Department of Financial Services cybersecurity regulation applies to you. 23 NYCRR 500, which took effect in phases starting in 2017 and was significantly tightened by amendments finalized in November 2023, is one of the most prescriptive state-level cybersecurity regulations in the United States. It explicitly requires penetration testing at least annually, vulnerability scanning at a frequency set by the risk assessment (the original 2017 text fixed this at twice a year), and a formal cybersecurity program anchored to a documented risk assessment. Regulators have been issuing substantial enforcement actions, and the era of assuming DFS examinations would be perfunctory is over.

This guide covers what the regulation actually requires, who it covers, how the 2023 amendments changed the landscape, and how to scope a penetration test that satisfies DFS requirements. If you are a CISO, compliance officer, or engineering lead at a covered entity trying to understand what you actually have to do, this is the place to start.

Who Is Covered by 23 NYCRR 500

The regulation applies to any entity operating under a license, registration, charter, certificate, permit, or similar authorization under the Banking Law, Insurance Law, or Financial Services Law of New York State. DFS refers to these organizations collectively as "Covered Entities." The category is broad and cuts across banking, insurance, and every other activity DFS licenses.

If your company does business in the financial services or insurance sector and touches New York customers or markets, there is a strong probability that 23 NYCRR 500 applies to you. The regulation also reaches third-party service providers through mandatory contractual requirements, meaning vendors who handle nonpublic information on behalf of covered entities face compliance obligations even without a direct DFS license.

Limited Exemptions

The regulation provides limited exemptions for smaller organizations. As of the 2023 amendments, an entity is exempt from certain requirements if it has fewer than 20 employees (including affiliates), less than $7.5 million in gross annual revenue in each of the prior three years from New York business, or less than $15 million in year-end total assets (including affiliates). Exempt entities must still file a Notice of Exemption with DFS and meet basic cybersecurity requirements. The exemption is not a clean escape from the regulation; it is a reduced-obligation tier.

Third-party reach: Even if your company is not itself a covered entity, if you provide services to covered financial institutions and handle their nonpublic information, 23 NYCRR 500 reaches you through Section 500.11. Covered entities must contractually require their service providers to maintain appropriate cybersecurity practices. If you want to keep financial services clients in New York, you need to be able to demonstrate compliance with the controls they are obligated to flow down to you.

What 23 NYCRR 500 Actually Requires

The regulation builds a comprehensive cybersecurity program requirement. It does not simply mandate a pentest and leave the rest to you. It requires a risk-based program with specific components, each of which must be documented, implemented, and annually certified to DFS. The core requirements cover the following domains.

Cybersecurity Program (Section 500.2)

Every covered entity must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems. The program must be based on the entity's risk assessment and must include policies and procedures addressing identification of cyber risks, protection of information systems and nonpublic information, detection of cybersecurity events, response to cybersecurity events, recovery from cybersecurity events, and fulfillment of reporting obligations. This is the foundational requirement everything else builds on.

Risk Assessment (Section 500.9)

Covered entities must conduct periodic risk assessments to inform the design of their cybersecurity programs. Under the amended Section 500.9, the risk assessment must be reviewed and updated at least annually, and whenever a change in the business or its technology causes a material change to the entity's cyber risk. Unlike HIPAA, which requires a risk analysis without specifying its format in great detail, 23 NYCRR 500 requires that the risk assessment be documented and that the cybersecurity program be calibrated to its results. DFS examiners will ask to see the risk assessment and will evaluate whether your program reflects its findings.

Penetration Testing (Section 500.5)

This is the provision that most directly concerns security teams. Section 500.5, as amended, requires covered entities to implement written vulnerability management policies and procedures that ensure, at a minimum: penetration testing of information systems from both inside and outside the systems' boundaries, by a qualified internal or external party, at least annually; automated scans of information systems, plus a manual review of systems the scans do not cover, at a frequency determined by the risk assessment and promptly after any material system change; a monitoring process so the entity is promptly informed of new vulnerabilities; and timely remediation of vulnerabilities in accordance with the risk they present.

The regulation does not require an independent third party to conduct the penetration test: the amended text says "qualified internal or external party," so an internal team can run it for any covered entity, though DFS examiners will scrutinize the scope, methodology, tester qualifications, and remediation processes. Note that the 2023 amendments did not add an independent penetration test for Class A companies; what they added for that tier is an independent audit of the cybersecurity program, conducted at least annually and based on the risk assessment (Section 500.2). Class A companies are covered entities with at least $20 million in gross annual revenue from New York operations in each of the last two fiscal years that also either average more than 2,000 employees over those years (including affiliates) or exceed $1 billion in gross annual revenue from all operations (including affiliates).

The remediation requirement matters as much as the testing requirement. You must track identified risks and remediate them based on the risk they present to the organization. Conducting a penetration test and filing the report without a documented remediation plan and evidence of follow-through is a compliance failure.

Access Controls and Privileged Access (Section 500.7)

Covered entities must implement policies and procedures to manage access controls and must limit access to systems and data containing nonpublic information to authorized users. The 2023 amendments made Section 500.7 far more specific about privileged access: user privileges must be limited to what is necessary for the job, the number of privileged accounts and the functions they can perform must be limited, privileged accounts may be used only for functions that require them, all user access privileges must be reviewed periodically and at least annually, protocols that permit remote control of devices must be disabled or securely configured, and access must be promptly terminated when a user departs. Class A companies must additionally deploy a privileged access management solution and an automated method of blocking commonly used passwords. MFA for privileged accounts is addressed separately in Section 500.12.

Multi-Factor Authentication (Section 500.12)

Under the original regulation, MFA was required for any individual accessing the covered entity's internal networks from an external network. The 2023 amendments expanded Section 500.12 in two steps. From November 1, 2024, MFA was required for remote access to the entity's information systems, for remote access to third-party applications from which nonpublic information is accessible, and for all privileged accounts other than service accounts, regardless of whether access originates inside or outside the network. From November 1, 2025, MFA is required for any individual accessing any information system of the covered entity. DFS guidance makes clear that MFA is non-negotiable and that reliance on legacy single-factor authentication is a material compliance deficiency.

Encryption (Section 500.15)

Covered entities must implement a written policy requiring encryption that meets a relevant industry standard to protect nonpublic information both in transit over external networks and at rest. The 2023 amendments removed the option of compensating controls for data in transit. Only for data at rest, where the covered entity determines that encryption is infeasible, may the CISO approve in writing effective alternative compensating controls, and the CISO must review both the feasibility determination and the effectiveness of those controls at least annually. Keep each determination and each annual review in writing, since that is what an examiner will ask to see.

Incident Response and Notification (Sections 500.16 and 500.17)

Every covered entity must have a written incident response plan and, under the amended Section 500.16, business continuity and disaster recovery plans as well. The 2023 amendments significantly expanded the notification requirements in Section 500.17. Covered entities must notify DFS within 72 hours of determining that a cybersecurity incident has occurred at the covered entity, an affiliate, or a third-party service provider if the incident requires notice to any government or regulatory body, has a reasonable likelihood of materially harming a material part of normal operations, or involves ransomware deployed within a material part of the information systems. The amendments also added a 24-hour notice to DFS of any extortion payment made in connection with an incident, followed within 30 days by a written explanation of why payment was necessary and what alternatives were considered. The 72-hour window existed before 2023, but it applied to a narrower set of events; the amendments broadened and clarified the trigger.

The 2023 Amendments: What Changed

The November 2023 amendments to 23 NYCRR 500 represented the most significant update to the regulation since its initial adoption. The amendments added requirements across nearly every section of the regulation and introduced a tiered compliance structure for large covered entities. Understanding what changed is essential for any organization that reviewed its compliance posture under the original regulation and has not revisited it since.

Original 2017 Requirements

Annual penetration testing based on risk. Bi-annual vulnerability assessments. MFA for external network access. Encryption in transit required. 72-hour notification for certain events. CISO required. Annual certification to DFS.

Post-2023 Amendment Requirements

All original requirements plus: independent audits of the cybersecurity program for Class A companies. MFA for all privileged accounts and remote access from November 2024, and for all access to any information system from November 2025. Specific privileged access controls, with a privileged access management solution and automated blocking of common passwords for Class A. Vulnerability scanning at a risk-assessment-driven frequency and after material changes, replacing the fixed bi-annual assessment. Asset inventory. Enhanced third-party and supply chain security requirements. Expanded 72-hour notification triggers and 24-hour notice of extortion payments. Senior governing body oversight of the cybersecurity program. Annual CISO review of compensating controls wherever encryption at rest is deemed infeasible.

Class A Company Requirements

The 2023 amendments introduced a new tier called "Class A companies": covered entities with at least $20 million in gross annual revenue from New York operations in each of the last two fiscal years that also either average more than 2,000 employees over those years (including affiliates) or have more than $1 billion in gross annual revenue from all operations in each of those years (including affiliates). Class A companies face additional requirements: an independent audit of the cybersecurity program at least annually, based on the risk assessment; a privileged access management solution and an automated method of blocking commonly used passwords; and an endpoint detection and response solution together with centralized logging and security event alerting.

If your organization meets the Class A threshold and has been treating 23 NYCRR 500 as a standard covered entity, you are out of compliance with requirements that became effective in phases through 2024 and 2025.

Governance and Board Accountability

The 2023 amendments elevated cybersecurity to a board-level governance matter. The senior governing body of every covered entity must now oversee the covered entity's cybersecurity program, receive regular reports on the cybersecurity posture, and approve the cybersecurity policy at least annually. This is a material change. Cybersecurity is no longer just an IT and compliance matter under 23 NYCRR 500 -- it is a board accountability issue. When DFS examines your program, they will look at board minutes and governance documentation to confirm this oversight is actually happening.

Supply Chain Security

The 2023 amendments strengthened the third-party service provider requirements in Section 500.11. Covered entities must now assess third-party cybersecurity risks as part of their overall risk assessment, include in their vendor contracts provisions requiring notice of cybersecurity events, and implement policies and procedures designed to ensure the security of systems or data accessible to third parties. This extends the practical reach of the regulation further into the supply chain.

Amendment compliance deadlines: The 2023 amendments phased in over roughly two years. The notification changes took effect on December 1, 2023, most other provisions on April 29, 2024, and the remainder in tranches through November 1, 2025, when the final items, including universal MFA under Section 500.12 and the Class A privileged access management solution under Section 500.7, became effective. Every phase is now in effect. If your organization has not revisited its compliance posture since the original 2017 regulation, you have material gaps.

How to Scope a 23 NYCRR 500 Compliant Penetration Test

Section 500.5 requires that penetration testing be based on relevant identified risks per the risk assessment. This means a compliant pentest is not a generic network scan or a commoditized web application test. It is a risk-driven exercise that maps to the specific systems, data flows, and threat vectors relevant to your organization. Here is how to scope one properly.

Start with the Risk Assessment

Your risk assessment should identify the systems that process, store, or transmit nonpublic information, the threat actors and attack vectors most relevant to your business, the critical business processes that depend on information systems, and the areas where existing controls may have gaps. Your pentest scope should directly reflect these findings. DFS examiners will look for the connection between your risk assessment and your penetration testing scope. A test that ignores systems identified as high-risk in the risk assessment is a compliance weakness.

Cover the Full Attack Surface

A compliant pentest for a financial services organization should address the complete attack surface, not just the most visible applications. The regulation itself calls for testing from both inside and outside the information systems' boundaries, so the scope should cover external-facing applications and APIs, the internal network an attacker reaches after a foothold, remote access and privileged access paths, and the financial-services-specific platforms (core banking, payment rails, trading, policy management) that the risk assessment flags as holding or moving nonpublic information.

Document Scope, Methodology, and Findings in a DFS-Ready Format

DFS examiners will ask to see your penetration test report. The report must be sufficient to demonstrate that the test was conducted in accordance with the risk assessment and that identified vulnerabilities have been tracked and remediated. At a minimum, the report should include the scope of testing, the methodology used, the dates of testing, all identified vulnerabilities with severity ratings, and remediation recommendations. Your remediation tracking documentation is equally important. The test report alone is not sufficient evidence of compliance if you cannot show what you did with the findings.

Annual Cadence and Timing

The regulation requires annual penetration testing. DFS has not specified a particular annual window, but the practical expectation is that the test occurs within a 12-month cycle. If your prior test was 14 months ago, you are out of cycle. Build the pentest into your annual compliance calendar with sufficient lead time to complete it, remediate findings, and document remediation before your DFS examination cycle. Many organizations schedule their penetration test in Q3 or Q4 to align with annual certification filings, which are due April 15 each year.

Vulnerability Assessments: From Bi-Annual to Risk-Based Frequency

Separate from penetration testing, Section 500.5 requires vulnerability assessments. Under the original 2017 text these were bi-annual; the amended text instead requires automated scans of information systems, plus a manual review of systems the scans cannot cover, at a frequency determined by the risk assessment and promptly after any material system change, along with a monitoring process so the entity learns promptly of new vulnerabilities. Vulnerability assessments are distinct from penetration testing in scope and methodology: a vulnerability assessment is a systematic scan and review of information systems for known weaknesses and does not involve active exploitation or the attacker-simulation element of a penetration test. Twice a year remains a sensible floor for the formal documented assessment, but the frequency you choose has to be justified in the risk assessment, not assumed.

In practice, each formal assessment should include authenticated and unauthenticated scans of all systems in scope, manual review of anything the scanner cannot reach, review of results against known vulnerability sources, risk rating of identified vulnerabilities, and documentation of remediation or risk acceptance decisions. Many organizations scan far more often and use the formal assessment as a documented checkpoint. That is acceptable as long as the formal assessment produces documented output, the findings are tracked through to remediation, and the cadence matches what the risk assessment says it should be.

Vulnerability management as a continuous process: DFS has indicated in examination guidance that it views vulnerability management as a continuous program, not a periodic event, and the amended Section 500.5 says as much by requiring scans after material changes and a standing process for learning about new vulnerabilities. Organizations that run scheduled scans but have no ongoing triage and remediation process between them are likely to receive criticism in examinations. The regulation's minimum is whatever the risk assessment justifies; a mature program scans continuously and triages findings on an ongoing basis.
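To make remediation tracking concrete, here is a small Python example, added to this guide and not regulation text or any firm's tooling, that turns pentest and scan findings into the answers an examiner asks for: which open findings are past their severity SLA, which closed findings have no evidence reference behind them, which previously remediated findings have reappeared, and whether the pentest and scan cadence has slipped. The SLA table, the 120-day maximum scan interval, the record fields, and the sample findings (with placeholder identifiers, not real CVEs) are all constructed assumptions.

```python
"""Added example: remediation and cadence checks over vulnerability findings.

Not regulation text and not any vendor's tooling. The SLA table, the record
fields, the scan-interval limit and the sample findings are all constructed
for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLAs in days. Section 500.5(b) only requires remediation
# "in accordance with the risk they present"; these numbers are a policy choice
# made for this example, not figures from the regulation.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    source: str         # "pentest" or "scan": which assessment produced it
    asset: str
    identifier: str     # placeholder id (constructed; not a real CVE)
    severity: str       # key into SLA_DAYS
    first_seen: date
    status: str         # "open", "remediated" or "risk_accepted"
    evidence: str = ""  # ticket, change record or CISO approval reference


def overdue(findings, today):
    """Open findings older than the SLA for their severity."""
    return [f for f in findings
            if f.status == "open"
            and (today - f.first_seen).days > SLA_DAYS[f.severity]]


def closed_without_evidence(findings):
    """Findings marked closed with nothing an examiner could verify against."""
    return [f for f in findings
            if f.status in ("remediated", "risk_accepted") and not f.evidence]


def regressions(previous, current):
    """Open findings that the earlier assessment recorded as remediated."""
    fixed = {(f.asset, f.identifier) for f in previous if f.status == "remediated"}
    return [f for f in current
            if f.status == "open" and (f.asset, f.identifier) in fixed]


def cadence_gaps(pentest_dates, scan_dates, today, max_scan_interval_days):
    """Flag a most recent pentest older than 12 months (the 500.5 annual
    minimum) and any gap between scans, or since the last scan, longer than
    the interval the risk assessment set (an assumed value passed in here)."""
    gaps = []
    since_pentest = (today - max(pentest_dates)).days
    if since_pentest > 365:
        gaps.append(("pentest_stale", since_pentest))
    ordered = sorted(scan_dates) + [today]
    for earlier, later in zip(ordered, ordered[1:]):
        interval = (later - earlier).days
        if interval > max_scan_interval_days:
            gaps.append(("scan_interval", interval))
    return gaps


# Constructed sample data: the prior assessment cycle and the current one.
TODAY = date(2025, 6, 30)
PREVIOUS = [
    Finding("scan", "web-01", "VULN-A", "high", date(2024, 10, 1), "remediated", "CHG-1001"),
    Finding("scan", "vpn-01", "VULN-B", "critical", date(2024, 10, 1), "remediated"),
]
CURRENT = [
    Finding("scan", "web-01", "VULN-A", "high", date(2025, 5, 20), "open"),
    Finding("pentest", "core-banking", "PT-2025-03", "critical", date(2025, 6, 20), "open"),
    Finding("pentest", "payments-api", "PT-2025-07", "medium", date(2025, 3, 1), "open"),
    Finding("scan", "db-02", "VULN-C", "low", date(2025, 4, 1), "risk_accepted", "RA-22"),
]
PENTEST_DATES = [date(2024, 5, 15)]
SCAN_DATES = [date(2024, 10, 1), date(2025, 1, 10), date(2025, 5, 20)]


def examination_summary(previous, current, pentest_dates, scan_dates, today):
    """Everything an examiner would probe about the testing program, in one place."""
    key = lambda f: (f.asset, f.identifier)
    return {
        "overdue": [key(f) for f in overdue(current, today)],
        "no_evidence": [key(f) for f in closed_without_evidence(previous + current)],
        "regressions": [key(f) for f in regressions(previous, current)],
        "cadence_gaps": cadence_gaps(pentest_dates, scan_dates, today,
                                     max_scan_interval_days=120),
    }


if __name__ == "__main__":
    summary = examination_summary(PREVIOUS, CURRENT, PENTEST_DATES, SCAN_DATES, TODAY)
    for name, value in summary.items():
        print(f"{name}: {value}")
```

Run it as a script to print the summary. The evidence field is the point: a finding closed without a ticket, change record, or CISO risk acceptance reference is exactly the gap described above, because the test report alone cannot show what you did with the finding. The regression check catches the other common failure, a vulnerability marked fixed that the next scan finds again.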

The NY SHIELD Act and Its Relationship to 23 NYCRR 500

New York's Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, was signed into law in 2019 and amended the state's data breach notification law. The SHIELD Act imposes reasonable cybersecurity requirements on any business that owns or licenses private information of New York residents, regardless of whether the business holds a DFS license. This makes it relevant to a far broader set of companies than 23 NYCRR 500.

Where the Frameworks Overlap

For organizations covered by both 23 NYCRR 500 and the SHIELD Act, the requirements substantially overlap but are not identical. The SHIELD Act requires reasonable administrative, technical, and physical safeguards for private information of New York residents. It does not specify annual penetration testing, specific MFA requirements, or the detailed programmatic requirements of 23 NYCRR 500. A company that is compliant with 23 NYCRR 500 will, as a general matter, satisfy the SHIELD Act's cybersecurity requirements as well, because the DFS regulation is more specific and demanding.

Where They Differ

The SHIELD Act's breach notification provisions are distinct from DFS's notification requirements and apply to any business with private information of New York residents, not just covered entities. The SHIELD Act defines private information more broadly than 23 NYCRR 500's nonpublic information definition in some respects, particularly around biometric information. The SHIELD Act originally required notice to affected individuals "in the most expedient time possible"; a December 2024 amendment added a hard deadline of 30 days after discovery. Organizations should ensure their breach notification procedures address both the 72-hour DFS reporting requirement and the SHIELD Act's 30-day notification requirement to affected individuals, with the accompanying notice to the New York Attorney General.

| Requirement | 23 NYCRR 500 | NY SHIELD Act |
|---|---|---|
| Who is covered | DFS-licensed financial entities and, through contractual flow-down, their service providers | Any business with private information of NY residents |
| Penetration testing | Required at least annually, by a qualified internal or external party | Not specifically required; implied by "reasonable safeguards" |
| Breach notification to regulator | 72 hours to DFS for qualifying incidents, plus 24-hour notice of any extortion payment | Notice to the AG and other state agencies when individuals are notified; no hour-level window |
| Breach notification to individuals | Not specified (follow the separate notification law) | Within 30 days of discovery |
| MFA requirement | Explicit: privileged accounts and remote access from November 2024, all access from November 2025 | Not explicitly required |
| Annual certification | Required; filed with DFS by April 15 each year | Not required |

DFS Enforcement: What Regulators Are Actually Scrutinizing

DFS has moved from a posture of educational engagement to active enforcement. The agency has issued consent orders and civil money penalties against covered entities of varying sizes, and the enforcement actions provide a clear picture of what regulators find most concerning.

Notable Enforcement Actions

DFS enforcement actions have targeted failures across multiple sections of the regulation. Common themes in consent orders include failures to conduct adequate risk assessments, gaps in multi-factor authentication deployment (particularly for privileged accounts), inadequate vulnerability management programs (testing conducted but findings not remediated), third-party vendor risk management failures, and deficient incident response and notification procedures.

One of the most significant enforcement actions involved a major insurance holding company that received a civil monetary penalty exceeding $4.5 million for failures in its cybersecurity program following a credential stuffing attack. DFS cited the company's failure to maintain an adequate cybersecurity program, failure to implement multi-factor authentication, and failure to report the breach in a timely manner. The case established that DFS will hold organizations accountable not just for the existence of an attack but for the program failures that allowed the attack to succeed and go undetected.

What Examiners Focus On

Based on DFS guidance and enforcement patterns, examiners focus on the same themes that recur in consent orders: whether the documented risk assessment actually drives the program and the test scope, MFA coverage with particular attention to privileged accounts, whether findings from testing were remediated and the remediation is evidenced, third-party risk management, and whether incident response and notification happened within the required windows.

Practical Compliance Timeline

For organizations building or rebuilding their 23 NYCRR 500 compliance program, here is a practical approach to sequencing the work. The sequence matters because some requirements are foundational to others, and attempting to conduct a penetration test before completing a risk assessment means the test will not satisfy the regulation's requirement that it be based on identified risks.

Phase 1: Foundation (Months 1-2)

Phase 2: Core Controls (Months 2-4)

Phase 3: Testing and Validation (Months 4-6)

Phase 4: Certification and Continuous Improvement (Month 6 onward)

Working with a Penetration Testing Firm for 23 NYCRR 500

Choosing a penetration testing partner for NYCRR 500 compliance requires more than finding a firm that can run a competent web application test. The firm needs to understand the regulatory context, scope the engagement appropriately, and produce documentation that satisfies DFS requirements. Here is what to look for.

The firm should understand financial services environments. Banks, insurance companies, and fintechs have specific technical architectures, including core banking systems, payment rails, trading platforms, and insurance policy management systems, that require testers who understand what they are looking at. A firm that primarily tests e-commerce and SaaS applications may miss financial-services-specific risks.

The engagement should be explicitly scoped to the risk assessment. Ask the firm to review your risk assessment as part of scoping. The resulting test plan should reference identified risk areas and explain how the testing addresses them. This creates the documented connection between risk assessment and testing that DFS examiners look for.

The report should be written for a compliance audience as well as a technical one. DFS examiners are not penetration testers. The report should include an executive summary that explains findings in business risk terms, a clear mapping of findings to regulatory requirements where applicable, and remediation guidance that your team can act on. A raw technical findings dump without context does not serve your compliance needs.

For organizations that need broader financial services compliance support, see our SOC 2 penetration testing guide and our full services overview. Many financial services firms pursue SOC 2 Type II alongside 23 NYCRR 500, and the testing can be scoped to address both frameworks efficiently.

Our team works with financial services clients across New York and the broader region. We understand DFS examination cycles, have experience scoping engagements that satisfy 23 NYCRR 500 requirements, and produce documentation that holds up under regulatory scrutiny. If you are preparing for an examination or building a new compliance program, start a conversation with our team.

NYDFS 23 NYCRR 500 Penetration Testing for New York Financial Services

We scope and conduct penetration tests designed for 23 NYCRR 500 compliance, with documentation that satisfies DFS examination requirements. We work with banks, insurance companies, fintechs, and money transmitters across New York.


Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
