Compliance · NYDFS Part 500

NYDFS raised the bar on testing.
A continuous adversary clears it.

The NYDFS cybersecurity rule asks NYDFS-regulated financial institutions for annual penetration testing and regular vulnerability assessments, based on your risk assessment. SpartanX supports that program with a continuous adversary that proves exploitability inside and out. It supports your program and complements your assessor; it does not make you compliant on its own.

The requirement

Annual penetration testing, and ongoing vulnerability assessment.

Section 500.5 of 23 NYCRR Part 500 requires covered entities to conduct penetration testing of information systems at least annually, from both inside and outside the network perimeter, and to run automated scans and manual reviews for vulnerabilities on a schedule set by risk. The amended rule tightened expectations, with heightened requirements for larger Class A companies, and continuous validation is increasingly the practical standard.

Scope

NYDFS-regulated financial institutions.

Part 500 covers entities licensed or regulated by the New York Department of Financial Services, including banks, insurers, and many financial-services firms operating in New York. Your information systems, inside and outside the perimeter, are in scope, which is exactly the ground an adversary works.

How it supports your program

Inside and outside the perimeter, on a continuous cadence.

External and internal
SpartanX tests your external surface, and through NodeX runs the same adversary inside the perimeter, matching the inside-and-outside language of 500.5. Learn about NodeX.
Continuous validation
More than an annual test: ongoing, adversary-realistic testing that keeps posture current.
Exploit-validated findings
Proof with every finding, not a severity guess.
Remediate and retest
Prioritized, fixed, and re-attacked to confirm closure.
Audit-ready evidence
Continuous, dated, NYDFS-mapped reporting for your program and your examiners.
The outcome

Examination-ready, continuously.

You get inside-and-outside testing that does not wait for the annual window, exploit-validated findings, and a live evidence trail, so a NYDFS examination finds a program that is current, not a report that has aged.

Support your NYDFS testing program with a continuous adversary.

See how SpartanX proves exploitability inside and out and hands you the evidence.