Penetration Testing Not Required For Limited Exempt Agencies
We want to reaffirm to those of you who have limited exemptions under the New York cybersecurity regulation that it does not require you to perform network penetration testing.Some members have reported to us emails sent by a cybersecurity services vendor. These messages stated that the New York State Department of Financial Services (DFS) is requiring all entities covered under the regulation, Cybersecurity Requirements for Financial Services Companies, to perform regular penetration testing of their computer networks. The vendor has said that DFS is requiring covered entitites to do this, regardless of their size. The regulation defines "covered entity" as "any individual or any non-governmental entity operating under or required…