New York state on Thursday announced final regulations requiring banks and insurers to meet minimum cyber-security standards and report breaches to regulators as part of an effort to combat a surge in cyber crime and limit damages to consumers.
The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target (tgt), Home Depot (hd), and Anthem (antm).
They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.
“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,” Governor Andrew Cuomo said in a statement.
The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply.
The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2005, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.
Get Data Sheet, Fortune’s technology newsletter.
The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.
Covered entities must annually certify compliance.
Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with any insurer that does business in New York.
A task force of U.S. state insurance regulators is also developing a model cybersecurity law, which individual state legislatures could ultimately choose to adopt.