The new regulations aim to protect consumers and the financial data of banks and insurance companies from cyber threats, the department said Wednesday.
The policies require financial institutions to conduct periodic risk assessments of cybersecurity programs, encrypt non-public information and develop an incident response plan.
Financial institutions will also need to appoint a chief information security officer and hold third-party security providers accountable for security programs.
DFS adjusted the plan after gathering public comments for 45 days ended in November and the final regulations will take effect on March 1, 2017.