Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced on Wednesday, the latest regulatory response to the breach that allowed hackers to steal sensitive personal information on more than 147 million people.

The order describes specific steps the credit bureau must take, including conducting security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls. Equifax has said that the attackers gained access to its systems last year through a known software flaw that was inadvertently left unfixed for months.

If Equifax falls short on any of its new promises, regulators in the states — Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas — will be able to take punitive action.

Equifax said that “a good number” of the measures it agreed to in the order had already been completed.