With the financial services industry facing an ever-growing threat from nation-states, terrorist organizations and independent criminal actors, New York Governor Andrew Cuomo earlier this month announced a proposed regulation that would require financial institutions to develop and implement cybersecurity programs to prevent and mitigate cyber attacks. The proposal is due to be published in the New York State Register on September 28; after the 45-day comment period that follows, the regulation is set to become effective January 1, 2017. “Even though the rules are not final, regulated financial institutions should begin considering how to comply today,” Orrick partner and cybersecurity & data privacy team co-chair Aravind Swaminathan told the Cybersecurity Law Report. In this article, we outline what companies need to do to comply with the proposed regulation. See also “How the Financial Services Industry Can Manage Cyber Risk” (Jul. 20, 2016).