Equifax's disclosure of the cyber attack in September 2017, one of the largest to date, prompted the ouster of top executives. Former Chief Executive Richard Smith in October told U.S. lawmakers that hackers got into its network by exploiting a known software vulnerability that the company had failed to patch.

Equifax must perform a detailed assessment of cyber threats, boost board oversight of cyber security and improve processes for patching known security vulnerabilities, according to the terms of the agreement. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas.

Equifax, which collects information on over 800 million individuals and more than 88 million businesses worldwide, said in a statement it had already completed "a good number" of the required actions.

"The findings, with a very few exceptions, are not new findings and are already part of our remediation plans," the statement said. "We expect to meet or exceed all the commitments made under the Consent Order."

The state regulators acted because federal agencies have so far failed to sanction Equifax for the breach, Maria T. Vullo, head of the New York Department of Financial Services, said in a statement.

"In an era of weakened federal government oversight, strong state regulation is essential," she said.

One consumer advocate said the lack of a financial penalty set a bad precedent.

"Companies don't change their practices unless they suffer financial consequences," said Jamie Court, president of the Foundation for Taxpayer and Consumer Rights. "The fact that Equifax is not required to pay any fines is sending the wrong message."

(Reporting by Patrick Rucker in Washington and Angela Moon in New York; Additional reporting by Karen Freifeld; Editing by Jim Finkle, David Gregorio and Richard Chang)
