Financial institutions regulated by New York’s Department of Financial Services (DFS) can breathe a sigh of relief, at least temporarily. Two years after DFS’s “Cybersecurity Requirements for Financial Institutions” took effect, and more than three years after the cybersecurity regulation was announced, the final provision of the law became effective on March 1 of this year.

But the celebrations must be short. DFS got it right when describing its then-new regulation as the “first in the nation.” Like the federal Sarbanes-Oxley Act of 2002, financial institutions will have to certify annually that their internal controls and cybersecurity practices remain up to snuff. And now that the transitional periods for implementing the cyber regulation have passed, covered institutions will need to certify that they have complied with each provision.