Finance

Finance IT, built for Part 500.

Managed IT for advisors, brokers, RIAs, and family offices. The infrastructure NY DFS Part 500 expects you to have under control: identity, encryption, IT vendor risk, event response. Optional virtual CISO coverage on top, and the technical evidence behind your annual certification.

The IT layers under wire decisions

One convincing email, layered IT controls in front of it.

Business email compromise is the dominant loss vector in financial services. We will not stop the wire; your firm's callback procedure does that. Our job is the IT layer that gives the bad email every chance to fail before it reaches the person with the authority to move money.

  • Email authentication tuned: SPF, DKIM, and DMARC enforced and monitored, not set and forgotten.
  • Banner injection on every external sender, with extra warnings on lookalike domains and new contacts.
  • MFA on the approver and identity controls behind the callback. The procedure stays in the firm's hands; the IT controls back it up.
The IT side of Part 500

The IT evidence, ready before April.

Part 500 names the firm as the responsible entity. Our scope is the IT half of the obligation: we map your environment to the technical controls on day one, keep the evidence current, and have it organized when your designated CISO is ready to certify.

  • A virtual CISO (vCISO) available to carry the §500.04 designation when the firm needs an outside designee, with the IT-side program work behind it.
  • IT controls that support a wire-fraud defense: email authentication, banner injection, and MFA on approvers. The callback and the wire decision stay with your firm.
  • Encryption of nonpublic information at rest and in transit on the systems we manage, with key custody documented.
  • Vendor IT risk reviews handled annually, with the §500.11 evidence ready before the call.
  • IT-side support for annual cybersecurity event reporting and the 72-hour notification runbook, tested before you need it.
What we run

Six pieces of the infrastructure stack.

The same IT program everywhere, sized for your firm. Solo RIA through 50-seat advisory shops. The advisory work is yours; the infrastructure it runs on is ours.

  • 01

    Virtual CISO Coverage

    An external virtual CISO available to take the §500.04 designation, attend board meetings, and sign the cybersecurity policy on a defensible cadence, when that fits the firm.

  • 02

    BEC & Wire-Fraud Controls

    Email authentication, banner injection, MFA on the approver, and the IT side of a callback procedure. The wire decision is the firm's; the IT controls make the bad email easier to spot.

  • 03

    Advisor Stack Infrastructure

    Direct support experience for Black Diamond, Orion, Tamarac, Schwab Advisor, and the custodian feeds underneath, on the IT side: connectivity, identity, endpoints. Vendor support stays with the vendor.

  • 04

    Encryption & Identity

    NPI encrypted at rest and in transit on systems we manage. MFA on every privileged account. FIDO2 keys for the highest-risk roles.

  • 05

    IT Vendor Inventory

    A live inventory of IT vendors with risk tier, last review date, and §500.11 attestations attached. No spreadsheet panic at audit.

  • 06

    Regulator Reporting Support

    IT-side input for annual certification, the 72-hour event reporting runbook, and the technical evidence a regulator actually opens.

Common questions

What buyers usually want to know.

  • What does UOTech do for NY DFS Part 500 on the IT side?

    We handle the IT-control half of the obligation under the New York Department of Financial Services (NY DFS) Part 500 cybersecurity regulation. We map your environment to the technical controls, run identity, encryption, and access privileges, and keep the technical evidence current and organized for the domains we manage. We do not certify compliance and we are not your auditor or law firm. Part 500 names your firm as the responsible entity, and the annual certification stays with your designated CISO.

  • How is nonpublic personal information (NPI) protected and encrypted?

    Nonpublic personal information (NPI) is encrypted at rest and in transit on the systems we manage, which supports the §500.15 encryption domain. We document key custody so the control is provable, not assumed. Multi-factor authentication is enforced on every privileged account, with FIDO2 keys on the highest-risk roles.

  • How do you handle IT vendor risk?

    We keep a live inventory of your IT vendors with a risk tier, last review date, and §500.11 attestations attached to each one. The reviews run annually so the third-party service provider evidence is ready before the audit call instead of assembled in a panic. The scope is IT vendor risk; contract and legal review stays with your firm.

  • Do you work with RIAs, brokers, and advisors specifically?

    Yes. We support registered investment advisers (RIAs), brokers, advisors, and family offices, sized from a solo RIA through 50-seat advisory shops. We have direct IT-side support experience with the advisor stack underneath: Black Diamond, Orion, Tamarac, Schwab Advisor, and the custodian feeds, covering connectivity, identity, and endpoints. The advisory work is yours and vendor support stays with the vendor; the infrastructure it runs on is ours.

  • Can UOTech stop a fraudulent wire?

    No. The callback and the wire decision stay with your firm. Our job is the IT layer that gives a business email compromise message every chance to fail first: SPF, DKIM, and DMARC enforced and monitored, banner injection on external senders, and multi-factor authentication on the approver. We also provide IT-side input for the 72-hour event reporting runbook and annual certification, tested before you need it.

Start a conversation

Ready for IT that the regulator respects?

Tell us about the firm. We will listen for the custodian, the AUM, the staff size, and where Part 500 currently stands, and come back with a straight read on what we would do.

  • No sales script. A real conversation with someone who gets it.
  • A 30-minute call, an honest read on your current setup.
  • Straight pricing. No surprise invoices.
Or call directly (516) 500-7789