Skip to content

NYDFS 23 NYCRR 500: What Penetration Testing Does the Regulation Actually Require?

A practical guide to the penetration testing and vulnerability assessment requirements in New York's NYDFS Cybersecurity Regulation (23 NYCRR 500) for covered financial entities.

Invadel TeamOctober 27, 20242 min read

If your company is licensed by the New York Department of Financial Services (banks, insurers, mortgage lenders, money transmitters, virtual currency businesses), you are a “covered entity” under 23 NYCRR Part 500, and the regulation has specific expectations about offensive security testing.

What Section 500.5 requires

The amended regulation requires covered entities to conduct annual penetration testing of their information systems from both inside and outside the network boundary, performed by a qualified internal or external party. It also requires automated vulnerability scanning (or a documented equivalent) at a frequency determined by your risk assessment, plus scanning after any material system change.

In practice, examiners look for three things: that testing actually happened on schedule, that the scope reflected your real attack surface rather than a token subset, and that findings were remediated and documented.

Internal and external

A common gap we see: companies test their public perimeter annually but never test from an assumed-breach position inside the network. The regulation’s language covers both perspectives, and for good reason: most serious incidents involve an attacker who is already inside, moving laterally toward sensitive systems.

Scoping it correctly

Your risk assessment drives scope. For most covered entities that means the systems that store or process nonpublic information: customer-facing web applications and APIs, the corporate network, cloud infrastructure, and remote access paths. If a system would matter in a breach report, it belongs in the test scope.

What to keep for the examiner

Retain the engagement scope, the tester’s qualifications, the full technical report, and evidence of remediation and retesting. A finding that was fixed but never verified is an open question in an examination.


Invadel performs NYDFS-aligned internal and external penetration testing for financial services companies from our office in Manhattan. Talk to us about scoping your annual test.

Written by

Invadel Team

Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →

Find out what an attacker sees.

Tell us what to test and see your fixed price.

Prefer the full scoping questionnaire?
Start the conversation