Skip to main content

Simplify Compliance for NY DFS Cybersecurity Requirements (23 NYCRR 500)

The New York State Department of Financial Services (DFS) announced 23 NYCRR 500 effective on 1 March 2018 after a period of comments. Also known by the name “Cybersecurity -Requirements for Financial Services Companies,” the New York state regulations address concerns that financial firms face an escalating volume and sophistication of cyberthreats.

NYDFS cybersecurity regulation 23 NYCRR 500 intends to establish minimum regulatory standards to promote the protection of customer information as well as protect the information technology systems of regulated entities. To meet these new NYDFS cybersecurity regulations, each financial firm must first assess its risk profile and then design a program that addresses its risks. The requirements are broad, and range from general guidance to specifics such as maintaining an audit trail.

Arctic Wolf® helps you meet many of the 23 NYCRR 500 requirements with a turnkey security operations solution.

Who Is Affected

NY DFS 23 NYCRR 500 affects any entity covered under the New York State Banking Law, the New York State Insurance Law, or the New York State Financial Services Law. This includes state-chartered banks, licensed lenders, trust companies, mortgage companies, foreign banks licensed to operate in New York, and insurance companies doing business in New York.

How Arctic Wolf Helps Meet Requirements of New York 23 NYCRR 500

The columns below map the requirements in 23 NYCRR 500 to the functionality provided by the Arctic Wolf Managed Detection and Response (MDR) and Arctic Wolf Managed Risk services.


23 NYCRR 500 Requirement Arctic Wolf Capability
Section 500.02 Cybersecurity Program

Maintain a cybersecurity program based on a risk assessment that identifies internal and external cybersecurity risks; implement policies and procedures that detect cybersecurity events, and respond and recover.
Arctic Wolf continuously monitors on- premise and cloud resources and displays a rating of the financial institution’s security posture in a customer portal, including vulnerability management status, outstanding security incidents, and network activity.
23 NYCRR 500 Requirement Arctic Wolf Capability
Section 500.05 Penetration Testing and Vulnerability Assessments

Maintain a program to continuously monitor and assess the environment; periodically perform penetration testing and vulnerability assessments. This includes annual penetration testing and bi-annual vulnerability assessments.
Arctic Wolf Managed Risk continuously scans internal and internet-facing systems for vulnerabilities. Arctic Wolf Managed Detection and Response sensors continuously monitor a customer’s environment, and the Arctic Wolf Concierge Security Team™ performs monthly vulnerability assessments for externally exposed systems.
Section 500.06 Audit Trail

Securely maintain systems, including audit trails, to detect and respond to cybersecurity events. Maintain cybersecurity event records for three years (five years for material financial transactions).
Arctic Wolf Managed Detection and Response maintains audit trail records for three or more years (default is 90 days).
Section 500.07 Access Privileges

Limit user access privileges to information systems, periodically review access privileges.
Arctic Wolf Managed Detection and Response audits changes to Active Directory (AD), group policies, and Exchange and file servers, and flags unauthorized actions, which enables development/enhancement of the required policies and procedures. Arctic Wolf Managed Detection and Response monitors failed/successful logins/logoffs and all password changes to prevent excessive help desk calls.
Section 500.09 Risk Assessment

Conduct a periodic risk assessment of information systems.
With Arctic Wolf Managed Detection and Response and Managed Risk solutions, the Arctic Wolf Concierge Security Team (CST) provides continuous scanning of externally-connected systems for vulnerabilities, and continually monitors network traffic, computers, servers, and log files for potential compromise.
Section 500.10 Cybersecurity Personnel and Intelligence

Utilize qualified cybersecurity personnel or a qualified “affiliate or a third-party service provider” to manage the organization’s risks and perform or oversee the performance of the core cybersecurity functions.
Arctic Wolf’s CST is comprised of security experts and acts as a trusted security advisor for your financial institution’s internal IT team. The CST proactively hunts for hidden threats, conducts risk analysis, performs remote forensics analysis of incidents, and provides actionable insights to help remediate incidents.
Section 500.11 Third-Party Service Provider Security Policy

Third-party service providers shall implement written policies and procedures to ensure security of information systems and non-public information. This includes periodic assessment of third-party service provider risk and adequacy of cybersecurity practices.
Arctic Wolf facilitates compliance by maintaining written policies based on a risk assessment consistent with our SOC 2 Type 2 compliance certification. Arctic Wolf has strict security policies in place to prevent unauthorized access to SOC tools. Log data and endpoint telemetry is encrypted both in transit and at rest.

Arctic Wolf Managed Detection and Response also monitors third-party cloud applications including SaaS applications (Office 365, G Suite, Box, Salesforce) as well as IaaS platforms (AWS, Azure) to minimize third-party cybersecurity risk.
23 NYCRR 500 Requirement Arctic Wolf Capability
Section 500.13 Limitations on Data Retention

Support periodic secure disposal of non-public information except when required to be retained by law or regulation.
Arctic Wolf supports auto purging of data in retention settings. When combined with a Concierge Security Team’s active involvement, this assures that data is securely disposed of when it outlives its need.
Section 500.14 Training and Monitoring

Support the monitoring of authorized users, and detect unauthorized use of data and assets. Additionally, provide regular risk assessment reporting to reflect identified risks and their respective actions.
The Arctic Wolf Concierge Security Team provides regular risk assessment reporting on events and identified risks on a monthly and quarterly basis, including meantime-to- resolution and actions taken to close events.
Section 500.15 Encryption of Nonpublic Information

Implement controls that include encryption of information held or transmitted over external networks and at rest.
Arctic Wolf has strict security policies in place that govern the transmission and holding of non-public information— encrypting data observed and transmitting it securely over SSL.
Section 500.16 Incident Response Plan

Establish a written incident response plan for responding to and recovering from cybersecurity events.
Arctic Wolf facilitates incident response plans through the Concierge Security Team that can make recommendations on how to rapidly respond to a set of cyberthreats while also addressing regulatory requirements.

About Arctic Wolf

Arctic Wolf® is the market leader in security operations. Using the cloud-native Arctic Wolf® Platform, we provide security operations as a concierge service. Highly trained Concierge Security® experts work as an extension of your team to provide 24x7 monitoring, detection, and response, as well as ongoing risk management to proactively protect systems and data while continually strengthening your security posture. For more information about Arctic Wolf, visit