Until now, regulators have treated hacking incidents much like an act of God: unfortunate, but not really anyone’s fault. That changes today in New York, where a new set of rules just went into effect that require certain companies to tighten up their cyber defenses.
While the long-awaited rules are the law of one state—and apply only to the finance industry—they are nonetheless going to affect a wide variety of companies, including ones outside New York. To understand what’s in store, I spoke with Judy Selby and John Riggi, two executives at the accounting firm BDO, who have been tracking this closely. Here’s a plain English run-down of what you need to know.
What do these regulations require companies to do?
Companies are now required to have a cyber-security plan in place. This includes things like network penetration testing, establishing cyber audit trails, and restricting access to customer data. Firms must also have a senior security officer and submit an annual compliance certificate.
“The days of saying, ‘I have a great IT guy’ are now over,” says Selby, adding board members will now off to sign off on cybersecurity issues.
There are also new rules related to third-party vendors, which have been the source of some of the biggest corporate cyber disasters. Firms are now going to have take a closer look at any other company that has even indirect access to their networks.
Who has to comply with these rules?
Any banking, insurance, or brokerage firm that uses a license to operate in New York will have to comply with the certification requirements. But there are some exceptions, including for firms with fewer than 10 employees and those that do less than $5 million worth of business in the state.
Once again, though, it’s important to note the rules will affect third-party vendors because many of the financial firms are likely to expect such vendors—anyone from point-of-sale to payroll providers—to have cyber programs of their own.
Get Data Sheet, Fortune’s technology newsletter.
When does this go into effect?
The rules took effect on March 1, but the law provides 180 days for companies to get their cyber compliance programs in place. Firms have to submit their first statement saying they are following the rules by February 15, 2018.
Some of the rules don’t go into effect, however, for 18 months. And the rules on third-party vendors don’t go into place for two years.
What happens if a firm doesn’t comply?
Good question. While New York state has a general power to fine firms that don’t comply with financial regulations, the regulations don’t specify any specific penalty. Also, the final version of the rules require firms to develop programs based on their particular risk profile (rather than a hard check list), so it won’t always be clear if firm is in compliance.
Selby of BDO also notes the regulators will have their hands full overseeing the new rules so widespread audits are probably unlikely. But if a firm does incur a data breach, and it turns out the firm didn’t have the right program in place, that would likely spell big trouble.
