New York State Department of Financial Services

runZero simplifies compliance with NYDFS requirements by helping you quickly assess your cybersecurity posture, identify vulnerabilities, and implement controls to protect sensitive financial data. Empower your team to monitor, report, and mitigate risks, ensuring ongoing compliance and protection against emerging cyber threats.

Our Alignment

NYDFS Key Requirements

runZero supports NYDFS compliance by providing detailed asset discovery, continuous monitoring, and real-time visibility across your entire environment, supporting the development and implementation of a comprehensive cybersecurity program.

runZero supports NYDFS compliance by providing continuous, in-depth asset visibility and monitoring, allowing organizations to create informed, data-driven policies that reflect real-time cybersecurity risks.

runZero supports NYDFS compliance by offering continuous asset discovery and real-time risk insights, enabling organizations to evaluate vulnerabilities, identify emerging threats, and assess the effectiveness of their security controls on an ongoing basis.

runZero supports NYDFS compliance by providing comprehensive asset discovery, detailed vulnerability insights, and continuous monitoring, ensuring thorough and accurate identification of potential security gaps across the environment.

runZero supports NYDFS compliance by offering complete visibility into assets and user authentication methods, allowing organizations to identify gaps in MFA deployment and ensure that all access points are properly secured.

runZero supports NYDFS compliance by providing full visibility into external assets and connections, enabling organizations to monitor third-party access, assess potential risks, and create effective policies to safeguard sensitive data.

runZero supports NYDFS compliance by providing detailed asset visibility and monitoring, helping organizations identify unencrypted data flows and storage, and ensuring encryption policies are properly implemented across the entire environment.

runZero supports NYDFS compliance by delivering real-time asset monitoring and vulnerability detection, enabling organizations to quickly identify and respond to incidents while ensuring timely notification and reporting as part of a structured response strategy.

runZero supports NYDFS compliance by delivering continuous asset discovery and automated updates, providing a comprehensive, real-time view of all internal, external, IT, OT, IoT, unmanaged, and unknown assets and risks across the organization’s evolving network.

runZero supports NYDFS compliance by continuously identifying and monitoring assets, providing real-time vulnerability insights, and enabling organizations to prioritize and address risks that could jeopardize operations and business continuity.


Achieve Compliance

How runZero supports NYDFS requirements

runZero directly supports many NYDFS provisions related to asset visibility, inventory management, and vulnerability discovery, while also enabling programmatic approaches for protecting environments, detecting events, and responding to incidents. Its robust capabilities provide organizations with a single tool and source of truth across IT, OT, IoT, and external environments, ensuring compliance as operations and threats evolve.

Many NYDFS provisions require the integration of multiple security controls, programs, and policies working together to achieve compliance. runZero indirectly supports several of these provisions by supplying critical elements as part of a broader approach, contributing to compliance efforts that go beyond the specific areas it directly addresses.


3rd Party Provider Security Policy

Requirement Support How runZero Helps
500.11.a
Identification
Indirect
runZero helps identify assets connected to third-party service providers by mapping out all devices and their network connections. This visibility can support the risk assessment process by revealing the presence and potential risks of systems or services managed by third-party providers. However, runZero does not directly conduct risk assessments or manage third-party service provider relationships.
500.11.a.3
Due Diligence Processes
Indirect
runZero can assist in the due diligence process by identifying assets and potential vulnerabilities related to third-party service providers, helping to assess their security posture. However, it does not provide a full due diligence process or evaluate cybersecurity practices directly—it supplies data that can be used as part of these evaluations.
500.11.a.4
Periodic Assessments
Indirect
runZero can aid in ongoing assessments by continuously monitoring the assets associated with third-party providers and flagging new or unexpected changes in the environment. This information can be useful for periodic reviews of third-party risk. However, it does not directly perform these assessments or ensure compliance with the cybersecurity practices of third-party providers.
500.11.b
Policies and Procedures
Indirect
runZero can help inform the development of policies and procedures for third-party relationships by providing insights into the assets and potential risks associated with third-party connections. This data can be used to establish guidelines, but runZero does not directly create or enforce policies or contractual terms with third parties.
500.11.b.1
Policies and Procedures: Access
Indirect
runZero can identify devices and systems that may be accessed by third-party service providers, offering insights into where access controls and MFA should be applied. However, it does not directly manage or enforce access control policies or the implementation of MFA.

Access Privileges

Requirement Support How runZero Helps
500.7.a.1
Limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user’s job
Indirect
runZero provides visibility into assets and their access points, helping organizations identify and manage access pathways. While it does not directly manage user access privileges, the insights it provides can inform decisions about limiting access to nonpublic information.
500.7.a.2
Limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user’s job
Indirect
runZero identifies assets and tracks changes in the environment, which can help security teams understand where privileged accounts may be in use. This information can support efforts to limit privileged account access, though runZero does not directly control or manage user privileges.
500.7.a.3
Limit the use of privileged accounts to only when performing functions requiring the use of such access
Indirect
runZero provides data about where privileged access might be necessary or overused by revealing connected systems and their interactions. This helps inform decisions about the appropriate use of privileged accounts, although it does not directly enforce or monitor the use of such accounts.
500.7.a.5
Disable or securely configure all protocols that permit remote control of devices
Indirect
runZero can discover assets that use protocols allowing remote control, providing insights into where such protocols may be active. This information aids organizations in identifying and securing these protocols, but runZero does not directly disable or configure them.

Asset Management & Data Retention

Requirement Support How runZero Helps
500.13.a
Asset Inventory
Direct
  • Maintains a comprehensive and accurate asset inventory
  • Supports discovery of a wide range of asset types, including IT, OT, IoT, internal, and external assets
  • Extends visibility to unmanaged and unknown devices
  • Utilizes both active and passive scanning methods to map out the entire network
  • Employs techniques like ICMP, SNMP, and various network protocol scans to actively probe devices, collecting details about status, services, ports, software, and hardware
  • Analyzes network traffic to detect devices without probing, ideal for environments with sensitive systems where active scanning could cause disruption
  • Integrates with tools like vulnerability management platforms, EDR, cloud service providers, and Active Directory to import and correlate data, enriching the asset inventory
500.13.a.1 500.13.a.1.i 500.13.a.1.ii 500.13.a.1.iii 500.13.a.1.iv
Tracking
Direct
  • Tracks key information for each discovered asset, including IP addresses, MAC addresses, OS versions, and software details
  • Provides detailed insights into assets that help identify ownership
  • Infers physical or network location based on IP addresses and network topology
  • Offers tagging capabilities to classify assets and provide visibility into asset types
  • Identifies software versions and hardware models to track end-of-life or end-of-support dates
500.13.a.2
Tracking
Direct
  • Ensures the asset inventory is always up-to-date with real-time changes in the environment
  • Allows users to configure scans at regular intervals for periodic updates and validation
  • Automatically detects new or changed assets, reducing the need for manual updates
  • Correlates new data with existing asset records to prevent duplication and maintain an accurate inventory

Audit Trail

Requirement Support How runZero Helps
500.6.a.2
Include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity
Indirect
runZero aids in maintaining an audit trail by providing detailed asset discovery and visibility into changes within an organization’s environment. This information can help security teams identify when new or unknown devices appear, which may indicate potential cybersecurity events. However, runZero does not directly provide an audit trail of security incidents or track event logs over time like a dedicated SIEM or logging solution would. It complements those systems by offering detailed insights into asset-related changes and exposures that can be relevant when investigating incidents.

Cybersecurity Governance

Requirement Support How runZero Helps
500.4.b
The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity’s cybersecurity program, including to the extent applicable
Indirect
runZero provides essential support for the CISO’s reporting requirements by offering comprehensive visibility into the asset landscape and potential cybersecurity risks within the Covered Entity's environment. Through its asset discovery capabilities, runZero helps assess the confidentiality of Nonpublic Information and the integrity and security of Information Systems, aiding in the evaluation of security posture and policies. By identifying unmanaged or unknown devices and highlighting vulnerabilities, runZero enables the CISO to report on material cybersecurity risks and the overall effectiveness of the cybersecurity program. Additionally, runZero's data supports post-incident analysis, helping the CISO document material cybersecurity events and develop plans for remediating any identified inadequacies. While runZero does not generate the report itself, it provides the critical data and insights that inform the CISO’s assessments and enable accurate, data-driven reporting to the senior governing body.
500.4.b.1
The confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems
Indirect
See 500.4.b
500.4.b.2
The Covered Entity’s cybersecurity policies and procedures
Indirect
See 500.4.b
500.4.b.3
Material cybersecurity risks to the Covered Entity
Indirect
See 500.4.b
500.4.b.4
Overall effectiveness of the Covered Entity’s cybersecurity program
Indirect
See 500.4.b
500.4.b.5
Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report
Indirect
See 500.4.b
500.4.b.6
Plans for remediating material inadequacies
Indirect
See 500.4.b

Cybersecurity Personnel & Intelligence

Requirement Support How runZero Helps
500.10.a.3
Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures
Indirect
runZero provides insights into the asset landscape, exposure points, and potential vulnerabilities, which can help cybersecurity personnel understand the organization's current security posture and areas of risk. By identifying assets that might be vulnerable to new or emerging threats, runZero helps keep key personnel informed about potential exposure points. However, it does not directly provide training or educational updates on evolving cyber threats and countermeasures. Security teams would still need to engage with threat intelligence services and ongoing professional development to maintain up-to-date knowledge of the latest cyber threats.

Cybersecurity Policy

Requirement Support How runZero Helps
500.3.a
Information security
Indirect
runZero provides visibility into all connected assets, aiding in the identification of potential security risks. This visibility is essential for creating and maintaining robust information security policies, though runZero itself does not directly implement or enforce these policies.
500.3.c
Asset inventory, device management, and end-of-life management
Direct
  • Provides a comprehensive asset inventory by identifying all devices within an environment.
  • Supports effective device management by helping organizations track the lifecycle of assets.
  • Ensures end-of-life devices are identified for secure decommissioning.
  • Offers clear visibility into all assets on the network for improved management and oversight.
500.3.d
Access controls, including remote access and identity management
Indirect
runZero does not directly manage access controls, such as implementing multi-factor authentication (MFA) or managing user identities. However, it provides crucial visibility into MFA enrollment status with certain identity providers like Google Workspace, helping organizations ensure that MFA is properly implemented. Additionally, runZero can inventory remote access solutions in place, offering insights into how users are connecting to the network. This visibility into devices, their status, and potential vulnerabilities enables organizations to identify where access controls need to be strengthened and to detect unauthorized devices on the network. It also supports informed decisions around remote access policies and access control configurations.
500.3.f
Systems operations and availability concerns
Indirect
By providing a clear inventory of assets, runZero can help identify systems critical to operations. This information can be valuable in assessing availability risks and planning for system uptime, but it does not directly monitor or manage system availability.
500.3.g
Systems and network security and monitoring
Indirect
runZero identifies assets and potential security gaps, offering insights that can inform an organization’s network security strategy. It helps identify unmanaged devices, which could pose a security risk, and highlights areas of exposure. However, it is not a direct tool for managing network security measures such as firewalls, intrusion prevention systems, or continuous network monitoring, which would be needed for real-time threat detection.
500.3.j
Physical security and environmental controls
Direct
  • Identifies and monitors OT and IoT devices critical to physical security (e.g., security cameras, access control systems)
  • Helps organizations gain visibility into devices that support environmental controls (e.g., HVAC systems)
  • Provides visibility into the digital aspects of physical security and environmental control systems
  • Aids in securing the digital infrastructure of systems integral to physical and environmental safety
500.3.k
Customer data privacy
Indirect
While runZero does not manage customer data directly, it helps organizations identify where sensitive assets may reside and whether they are exposed. This understanding can inform privacy protection efforts, but runZero does not directly manage privacy policies or procedures.
500.3.l
Vendor and third-party service provider management
Indirect
runZero can help identify assets connected to third-party services, which can be useful for assessing third-party risks. However, it does not manage vendor relationships or enforce third-party security policies directly.
500.3.m
Risk assessment
Indirect
runZero’s asset inventory and vulnerability information can be a valuable input to a risk assessment process. While it doesn’t conduct the entire risk assessment, it provides the necessary data to inform the process.
500.3.n
Incident response and notification
Indirect
runZero aids incident response by providing detailed information about assets, which can be crucial for identifying the scope of an incident and affected devices. However, it does not directly provide incident response capabilities like containment, eradication, or recovery.
500.3.o
Vulnerability management
Direct
  • Provides detailed information about assets, including known vulnerabilities, software versions, and configuration details
  • Enables organizations to prioritize and address vulnerabilities based on risk and exposure
  • Enhances vulnerability management by offering visibility into potential risks
  • Supports a targeted and effective vulnerability management program by identifying assets and their associated risks

Cybersecurity Program

Requirement Support How runZero Helps
500.2.a
Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the Covered Entity’s Information Systems
Indirect
runZero is a tool for asset discovery, inventory, and exposure management. While it doesn’t directly maintain the entire cybersecurity program, it provides crucial visibility into the assets within an organization's environment, helping security teams understand their attack surface. This visibility is fundamental to maintaining a robust cybersecurity program by ensuring that all systems are accounted for and monitored.
500.2.b
The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform core cybersecurity functions
Indirect
runZero provides comprehensive asset visibility and insight into potential vulnerabilities, which can be a critical part of the risk assessment process. However, it does not perform the entire risk assessment on its own but offers data that can help inform the risk assessment process.
500.2.b.1
Identify and assess risks
Direct
  • Identifies all assets, including unknown or unmanaged devices, across the environment
  • Provides visibility into asset exposure, vulnerabilities, and other risk factors to assess threats
  • Enables organizations to understand internal and external cybersecurity risks to information systems
  • Assists in identifying and mitigating risks that may threaten the security or integrity of Nonpublic Information stored on covered information systems
500.2.b.2
Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts
Indirect
runZero itself is not a defensive infrastructure tool (e.g., firewalls or intrusion prevention systems), but it aids organizations in identifying where defensive measures might be needed by highlighting gaps in asset visibility and security controls.
500.2.b.4
Respond to identified or detected Cybersecurity Events to mitigate any negative effects
Indirect
While runZero is not an incident response tool, the detailed asset data it provides can be crucial during the investigation phase of incident response. It helps teams quickly understand what assets may be involved in an incident and where vulnerabilities exist.
500.2.b.6
Fulfill applicable regulatory reporting obligations
Indirect
runZero can provide the data needed for reporting purposes, such as information on assets and vulnerabilities. However, the tool does not inherently generate the required regulatory reports or ensure compliance without additional efforts from the organization.
500.2.c
Each class A company shall design and conduct independent audits of its cybersecurity program based on its risk assessment
Indirect
runZero provides comprehensive visibility into an organization’s assets, including details about connected devices, their configurations, and potential vulnerabilities. This data can be valuable during an independent audit, as it helps auditors verify that all assets are accounted for and identify potential risks or gaps in the cybersecurity program. However, runZero does not conduct independent audits itself; it provides the necessary data and insights that auditors can use to assess the effectiveness of a cybersecurity program as part of the audit process.
500.2.e
All documentation and information relevant to the covered entity’s cybersecurity program, including the relevant and applicable provisions of a cybersecurity program maintained by an affiliate and adopted by the covered entity, shall be made available to the superintendent upon request
Indirect
runZero helps maintain comprehensive documentation of an organization’s asset inventory and potential vulnerabilities, which could be relevant during an audit. This information can be used to support an audit request, though it doesn’t directly manage audit processes or compliance documentation.

Encryption

Requirement Support How runZero Helps
500.15.a
Encryption Use
Indirect
runZero indirectly supports these encryption requirements by providing visibility into where Nonpublic Information is stored and transmitted, aiding in the decision-making process for implementing encryption or compensating controls. It helps inform the risk assessment and CISO reviews by supplying data about the asset environment, though it does not directly manage or enforce encryption itself.
500.15.b
Alternative Controls: In Transit
Indirect
runZero indirectly supports these encryption requirements by providing visibility into where Nonpublic Information is stored and transmitted, aiding in the decision-making process for implementing encryption or compensating controls. It helps inform the risk assessment and CISO reviews by supplying data about the asset environment, though it does not directly manage or enforce encryption itself.

Incident Response Plan

Requirement Support How runZero Helps
500.16.a 500.16.a.1 500.16.a.1.i 500.16.a.1.ii 500.16.a.1.iii 500.16.a.1.iv 500.16.a.1.v 500.16.a.1.vi 500.16.a.1.vii 500.16.a.1.viii 500.16.a.1.ix
As part of its cybersecurity program, each covered entity shall establish written plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, including but not limited to incident response, business continuity, and disaster recovery plans.

Incident response plans shall be reasonably designed to enable prompt response to, and recovery from, any cybersecurity event materially affecting the confidentiality, integrity, or availability of the covered entity’s information systems or the continuing functionality of any aspect of the covered entity’s business or operations. Such plans shall address the following areas with respect to different types of cybersecurity events, including disruptive events such as ransomware incidents:
  • the goals of the incident response plan;
  • the internal processes for responding to a cybersecurity event;
  • the definition of clear roles, responsibilities, and levels of decision-making authority;
  • external and internal communications and information sharing;
  • identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
  • documentation and reporting regarding cybersecurity events and related incident response activities;
  • recovery from backups;
  • preparation of root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence;
  • and updating of incident response plans as necessary.
Indirect
By offering comprehensive visibility into assets and network environments, runZero helps organizations identify potential risks, vulnerabilities, and unauthorized devices that could play a role in cybersecurity incidents. This visibility aids in incident investigation, analysis, and response, providing valuable context for decision-making during response and recovery efforts. However, runZero does not directly create or manage incident response plans, define roles and processes, or handle communication, reporting, and recovery actions. Instead, it works alongside other tools and processes that are specifically designed to fulfill these functions.

MFA

Requirement Support How runZero Helps
500.12.a.1
Remote access to the covered entity’s information systems
Indirect
runZero can identify and map assets that allow remote access to an organization's systems, helping to ensure that MFA is applied where necessary. However, it does not directly enforce MFA for remote access.
500.12.a.2
Remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible
Indirect
runZero provides visibility into third-party applications and cloud-based systems interacting with the covered entity’s network, assisting in identifying points where MFA should be implemented. Nonetheless, it does not directly enforce MFA on these access points.
500.12.a.3
All privileged accounts other than service accounts that prohibit interactive login
Indirect
runZero’s asset discovery and tracking capabilities can help identify where privileged accounts are in use, thus assisting in ensuring MFA is applied to those accounts. However, it does not directly control MFA implementation for such accounts.

Risk Assessment

Requirement Support How runZero Helps
500.9.a
Periodic Assessments
Indirect
runZero supports periodic risk assessments by providing comprehensive visibility into information systems, which informs the design of cybersecurity programs. Its continuous asset discovery and tracking capabilities enable organizations to identify changes in their IT environment, helping to trigger necessary updates to risk assessments following material changes. While runZero does not directly perform risk assessments, it assists in identifying new or unmanaged assets, aiding in the revision of controls in response to technological developments and evolving threats. Additionally, runZero’s insights help organizations understand risks related to their business operations and the protection of nonpublic information, supporting a more informed and adaptive risk assessment process.

Training & Monitoring

Requirement Support How runZero Helps
500.14.a.1
Activity Monitoring
Indirect
runZero provides visibility into devices and systems within an organization’s environment, aiding in identifying potential risks or anomalies in asset behavior, such as the appearance of unauthorized devices or unusual patterns in device activity. This visibility can indicate potential unauthorized access or tampering with Nonpublic Information. However, runZero does not monitor user-specific activities directly, such as tracking user actions or detecting unauthorized data access. For direct user activity monitoring, tools like SIEM or User and Entity Behavior Analytics (UEBA) are necessary.
500.14.a.2
Malicious Code
Indirect
runZero assists in identifying vulnerable or misconfigured devices that could be at risk of infection by malicious code. It can detect unauthorized devices that may introduce malware or other threats into the network. However, runZero does not perform real-time monitoring or filtering of web traffic and emails to block malicious content directly. Such capabilities would require specialized anti-malware solutions or email and web filtering tools.
500.14.b.1
Endpoint Detection & Response
Indirect
runZero can help organizations identify endpoints that may be at risk, such as those without EDR protection, with outdated software, or with unusual communication patterns. This can aid in identifying devices that could be subject to lateral movement or other anomalous activities. However, it does not include the full functionality of a dedicated Endpoint Detection and Response (EDR) solution, such as real-time endpoint monitoring and detailed incident response capabilities.
500.14.b.2
Logging and Security Event Alerting
Indirect
runZero's asset discovery capabilities can provide valuable data for centralized logging systems by identifying the assets and their attributes within an organization’s environment. It can help ensure that logging and alerting tools are aware of all devices on the network. However, runZero does not itself serve as a centralized logging and alerting solution. Integrating runZero with a SIEM platform would provide a more comprehensive solution for centralized event logging and alerting.

Vulnerability Management

Requirement Support How runZero Helps
500.5.a.2
Scanning
Direct
  • Provides continuous passive and active scanning of an organization’s information systems
  • Integrates vulnerability scanner data from existing customer tools for comprehensive analysis
  • Discovers and analyzes devices, configurations, and vulnerabilities across the environment
  • Ensures frequent scanning in line with the organization’s risk assessment and promptly detects changes after material system updates
  • Identifies OT and IoT devices not typically covered by traditional vulnerability scanners due to sensitivity or disruption risks
  • Offers visibility into critical assets to support both automated scans and manual reviews
  • Provides detailed insights to ensure no part of the environment is left unchecked in vulnerability management efforts
500.5.b
Emerging threats
Direct
  • Keeps organizations informed of new security vulnerabilities through continuous monitoring of the latest threat intelligence
  • Actively searches for new and existing devices within the network that may be vulnerable
  • Monitors both traditional and non-traditional assets, including OT and IoT devices
  • Proactively alerts security teams to vulnerable assets, enabling swift action
  • Ensures comprehensive protection against evolving threats by covering a wide range of assets across the environment
500.5.c
Remediation
Direct
  • Provides detailed asset and vulnerability information, enabling organizations to prioritize remediation based on business risk
  • Evaluates factors like poor network segmentation, asset location, network bridges, and susceptible pathways to assess threat levels
  • Identifies vulnerabilities that pose the greatest risk to the organization
  • Offers clear, contextual insights to focus on high-risk vulnerabilities first
  • Ensures timely mitigation, aligning remediation efforts with the organization's risk assessment
© Copyright 2025 runZero, Inc. All Rights Reserved