This week marked the start of groundbreaking regulations established by the New York Department of Financial Services aimed at deterring cyberattacks.
The new policy for banking and insurance companies also calls for reporting any such attacks to that department.
"Monday [Aug. 28] marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyberattacks," said DFS Superintendent Maria Vullo in a statement. The new rules, billed as first in the nation, set minimum standards for cybersecurity based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems from hacking and data breaches, she said.
The rules established in March were tweaked after public comment from industry officials. They require banks and insurance companies regulated by the Department of Financial Services to have state-approved plans to deter cyberattacks, and report any attacks within 72 hours of when they occur.
Debate continues as to whether the regulations are too restrictive.
The state rules are expected to have national and global impact because they are imposed through regulatory rather than legislative action and apply to financial services companies that do business in the state regardless of where they are located, as well as to the law firms that represent them.
Mark Krotoski, a partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said many of the requirements established by the department are already in place at banking and insurance companies, such as having a chief information security officer and incident response plans.
"Cybersecurity, by definition, is a tailored response to protect data from potential risks. There is no one size fits all, and how you tailor that does vary from each organization," he said in a phone interview. "By mandating a number of requirements that either are already being done, or that may take away resources or redirect cost to comply with regulations rather than tailoring cybersecurity programs to whatever the organization needs, this is more a proscriptive regulation when you compare it with other regulations that are in other states," he said.
Krotoski also said that the 72-hour reporting requirement may not allow businesses to determine "a full picture" of the scope of the cyberattack. Oftentimes it may take weeks to assess what data was affected or what individuals were impacted by the attack, he added.
On the other hand, F. Paul Greene, a partner and chair of the privacy and data security practice group at Rochester business law firm Harter Secrest & Emery, told the New York Law Journal that organizations affected by the new regulations shouldn't have to "recreate the wheel" because they are likely already doing what the regulations require.
"Anecdotally, what we've seen in the industry is that although these regulations are a big move, organizations have looked at their current compliance practices and determined that they are in large measure compliant with the current requirements of DFS," Greene said.
With the reporting requirement set to begin Monday, banking and insurance companies should do a risk assessment and prioritize their assets, said Steven Grossman, the vice president of strategy at Bay Dynamics, a cybersecurity company that recently relocated from San Francisco to New York.
"Management is really the key first step. If you don't know what your assets are, you really don't know what you're protecting. From there, once you know what your assets are, it's understanding the key aspects of risk — that is the threat and vulnerability and the probability of the two of them meeting to impact the system," Grossman said.
As part of the regulations, companies will also be required to re-evaluate and upgrade their security systems annually and require that boards of insurance companies or banks certify that they are in compliance with the security requirements by Feb. 15, a much more daunting deadline.