FCI Announces Alignment with New NYDFS Cybersecurity Assessment Regulatory Requirements

LAS VEGAS, NV – January 22, 2024: FCI announces the alignment of its Cyber Safeguards and Technical Controls Assessment Services with the latest NYDFS Regulatory Requirements (Second Amendment to 23 NYCRR 500) and upcoming SEC updated regulation. In the past, regulations primarily emphasized well-known external network penetration testing and vulnerability scans. New threats have driven the need for broader penetration scans inside the walls. The new NYDFS requirements state that covered entities must conduct penetration testing at least annually from inside and outside information systems’ boundaries.


The amendments further necessitate automated scans of covered entities’ information systems, specifically designed to identify, analyze, and report vulnerabilities. These encompass a spectrum of systems such as corporate websites, portals, and cloud-based platforms.


SANS outlines that, “Part of the challenge organizations face when attempting to comply with these cybersecurity standards is understanding exactly what the requirements are asking an organization to accomplish and the definition of risk.”


To execute a thorough security risk assessment aligning with regulatory requirements, it is essential to undertake two separate projects facilitated by two distinct service organizations:


Assessment of Cyber Safeguards and Technical Controls (Offered by FCI)


  • Network & Endpoints: External and Internal Vulnerability Scans and Network Penetration Testing
  • Public Assets: Corporate Internet Attack Surface Assessment (CIASA)
  • Software: Software Penetration Testing (review of code)
  • Critical Software & Systems: Hardening Evidencing
  • Deliverables: Cyber Safeguard & Technical Control Assessment Report (with proposed remediation and enhancements)
  • Performed by: A third-party experienced technical cybersecurity team


Risk Assessments of Cyber Program Policies, Procedures, and Evidence


  • Form
    • Questionnaire
    • Review of evidence
    • Review of Cyber Safeguard & Technical Control Assessment Report
  • Deliverable: Overall Security Risk Assessment Report & POAM (Plan of Action and Milestones)
  • Performed by: Third-Party Cybersecurity Compliance Service Firm


Brian Edelman, FCI’s Founder and CEO, adds, “We work with the industry to clarify the difference across assessments. This separation of duties is critical to ensure checks and balances, leading to improved client risk management.”


FCI Invites Advisors to Booth #520 to Learn More at the 2024 T3 Technology Conference January 22-25, 2024 at the Cosmopolitan of Las Vegas.