Skip to content

Blog

NYDFS 23 NYCRR 500: What Penetration Testing Does the Regulation Actually Require?

July 1, 2026 · Invadel Team

If your company is licensed by the New York Department of Financial Services (banks, insurers, mortgage lenders, money transmitters, virtual currency businesses), you are a “covered entity” under 23 NYCRR Part 500, and the regulation has specific expectations about offensive security testing.

What Section 500.5 requires

The amended regulation requires covered entities to conduct annual penetration testing of their information systems from both inside and outside the network boundary, performed by a qualified internal or external party. It also requires automated vulnerability scanning (or a documented equivalent) at a frequency determined by your risk assessment, plus scanning after any material system change.

In practice, examiners look for three things: that testing actually happened on schedule, that the scope reflected your real attack surface rather than a token subset, and that findings were remediated and documented.

Internal and external

A common gap we see: companies test their public perimeter annually but never test from an assumed-breach position inside the network. The regulation’s language covers both perspectives, and for good reason: most serious incidents involve an attacker who is already inside, moving laterally toward sensitive systems.

Scoping it correctly

Your risk assessment drives scope. For most covered entities that means the systems that store or process nonpublic information: customer-facing web applications and APIs, the corporate network, cloud infrastructure, and remote access paths. If a system would matter in a breach report, it belongs in the test scope.

What to keep for the examiner

Retain the engagement scope, the tester’s qualifications, the full technical report, and evidence of remediation and retesting. A finding that was fixed but never verified is an open question in an examination.


Invadel performs NYDFS-aligned internal and external penetration testing for financial services companies from our office in Manhattan. Talk to us about scoping your annual test.