You knew this was coming. After a steady series of hacking debacles, regulators are stepping in and ordering companies to tighten up. Soon companies in the financial sector — banks, brokerages, and insurance firms — will have to comply with cybersecurity rules that include encrypting sensitive information and appointing a security chief.

The rules come from New York’s Department of Financial Services, and are scheduled to go into effect in 2018. While they apply only to New York, they will have an outsize impact given the state’s central role in the financial sector. We can expect other state and federal government entities to follow suit.

While agencies have offered guidelines, this is the first time regulators have introduced a real stick to make companies clean up their cyber-game. According to Judy Selby, a managing director with the consultancy firm BDO, the rules include enforcement provisions and will put senior executives on the line by requiring them to sign off on cyber compliance.

Other requirements under the proposed regulations include quarterly vulnerability assessments, annual penetration testing and an audit trail system. The plan will be subject to a 45 day comment period starting September 28.

Selby says the rules won’t be a burden for big banks since many of them have already been heading down this path on their own accord. But it could be a challenge for smaller companies that are less prepared for cyber-compliance, and she says it would also be a heavy lift for the regulators too. Overall, Selby thinks the effort is worth it.

“I think it was necessary for them to do something because the stakes are so high. It’s an economic threat and a national security issue,” she said.

Selby’s probably right — though lets also hope the government doesn’t forget the carrot part of the equation. At least one congressman is thinking this way: Rep. Kevin Perlmutter (D-Colo) has a bill to give a 15% tax credit to companies that buy cyber-insurance and implement a security framework. Good idea.