By Allissa Kline, originally published in Buffalo Business First on May 31, 2017, 6:41pm EDT.

Call it a case of good timing.

About a year ago, Evans Bancorp Inc. conducted an internal review of its cybersecurity policies. The process revealed areas in need of improvement.

So when the New York State Department of Financial Services announced a proposed series of groundbreaking cybersecurity regulations last fall, Evans found itself in a good position.

“Maybe we had good luck or dumb luck, but most of the regulations were areas we’d already identified or areas we’d already started to improve,” said Howard Martin Jr., senior vice president and chief information officer at the Angola-based financial company. “So we were in pretty good shape.”

But that’s not the case for everyone. Attorneys and other business consultants said some banks, insurance agencies and other financial institutions regulated by New York state are scrambling to understand and comply with the new rules.

The law has been in place since March 1, but there is a 180-day transitional period that ends Aug. 28. Then the first wave of regulations takes effect.

And it’s not just financial institutions themselves that must comply. Eventually, third-party vendors that work for the financial institutions must show that they, too, meet guidelines.

Buffalo attorney Jennifer Beckage leads the data security and privacy team at Phillips Lytle LLP. She was part of a recent panel on the new rules.

Beckage said companies should act quickly to put some kind of cybersecurity policy in place. That’s one of the first requirements to be met in August.

“Unfortunately for smaller organizations, they may not have policies in place yet,” Beckage said. “But you can always amend or perfect them later.”

The new regulations are intended to protect the financial services industry and consumers, according to Gov. Andrew Cuomo. In February, he hailed the rules as the first such cybersecurity guidelines in the nation.

Larry Ponemon, founder of the Ponemon Institute in Michigan, is an expert in privacy, data protection and information security practices. He participated in the same panel at which Beckage spoke, presenting survey results about how prepared the state’s financial institutions think they are in terms of complying with the new regulations.

The bottom line: Companies think the requirements will be hard to follow.

Among the various guidelines, formal incident-response plans are required. Evans is working on that and expects its plan to cover the banking subsidiary Evans Bank N.A. and its insurance business, The Evans Agency LLC.

Martin anticipates challenges when it comes to making sure third-party vendors are compliant. He said the company works with 20 to 25 vendors. Expense-wise, Martin said Evans is likely to spend more in 2018 and 2019 to make sure it meets the requirements. He did not offer specifics about the anticipated costs.

He’s mainly frustrated with having to comply with different sets of rules, saying, “There’s no real downside to these regulations, and I get where DFS is coming from. I just wish state regulators and federal regulators would work in conjunction so that we don’t have to navigate different sets of rules.”