By Robert Hackett
September 24, 2016

You knew this was coming. After a steady series of hacking debacles, regulators are stepping in and ordering companies to tighten up. Soon companies in the financial sector — banks, brokerages, and insurance firms — will have to comply with cybersecurity rules that include encrypting sensitive information and appointing a security chief.

The rules come from New York’s Department of Financial Services, and are scheduled to go into effect in 2018. While they apply only to New York, they will have an outsize impact given the state’s central role in the financial sector and influence on other state and federal government entities to follow suit.

While agencies have offered guidelines, this is the first time regulators have introduced a real stick to make companies clean up their cyber-game. According to Judy Selby, a managing director with the consultancy firm BDO, the rules include enforcement provisions and will put senior executives on the line by requiring them to sign off on cyber compliance.

Selby says the rules won’t be a burden for big banks since many of them have already been heading down this path on their own accord. But it could be a challenge for smaller companies that are less prepared for cyber-compliance, and she says it would also be a heavy lift for the regulators too. Overall, Selby thinks the effort is worth it.

“I think it was necessary for them to do something because the stakes are so high. It’s an economic threat and a national security issue,” she said.

Selby’s probably right — though lets also hope the government doesn’t forget the carrot part of the equation. At least one congressman is thinking this way: Rep. Kevin Perlmutter (D-Colo) has a bill to give a 15% tax credit to companies that buy cyber-insurance. Good idea.

Finally, you’ve probably heard about the Yahoo hack that disclosed 500 million users accounts. What a mess. Here’s a Q&A about what we know, plus a look at the legal liability Yahoo faces for what is shaping up to be the biggest cyber breach to date. The New York cyber regulations wouldn’t apply to a company like Yahoo, which isn’t a financial firm, but perhaps they should.

Thanks for reading — and if you haven’t done so, go change the password on those old Yahoo email and fantasy sports accounts.

Jeff Roberts

@jeffjohnroberts

jeff.roberts@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

SPONSORED FINANCIAL CONTENT

You May Like