The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp , Home Depot Inc and Anthem Inc.
They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.
"These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cyber-crimes," Governor Andrew Cuomo said in a statement.
The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply.
The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.
