Legislation Strengthens Cybersecurity Across New York

Governor Kathy Hochul today announced legislation S.7672A/A.6769A, a measure aimed at enhancing the cybersecurity and resilience across New York, is now in effect. First announced in Governor Hochul’s 2025 State of the State address, this legislation requires all municipal corporations and public authorities to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours to the New York State Division of Homeland Security and Emergency Services (DHSES). Within 30 days of making a ransomware payment, the victim must provide the payment amount, a justification for why it was necessary and an explanation of the diligence performed to ensure the payment was lawful. This information will improve the State’s ability to address cybersecurity threats, safeguard critical infrastructure, and tackle the scourge of ransomware.

“Here in New York, we are keeping up with technology’s fast-paced evolution and are resilient in the face of cybersecurity threats,” Governor Hochul said. “This legislation strengthens our response and provides our state’s Department of Homeland Security and Emergency Services the necessary information to handle reports of attacks and keep New Yorkers safe.”

New York State Division of Homeland Security and Emergency Services Commissioner Jackie Bray said, “New York State is leading the way in cybersecurity threat and ransomware reporting. Now that the system is operational, our teams will be better armed to protect important infrastructure and address ransomware attacks.”

Municipal corporations and public authorities may report cybersecurity incidents, notice of ransomware payments, and justification for ransomware payments to DHSES through a web portal.

Local governments, non-executive agencies and state authorities should still call the DHSES Cyber Incident Response Team hotline at 1-844-OCT-CIRT (1-844-628-2478) if they need immediate cyber incident response support.

Governor Hochul signed this legislation on June 27 after virtually convening local government officials to discuss ongoing security efforts. The legislation also mandates annual cybersecurity awareness training for government employees across New York and sets data protection standards for State-maintained information systems.

New York State Chief Cyber Officer Colin Ahern said, “With the operationalization of this landmark legislation, New York is making a clear statement that we are stronger together, enabling coordinated response and information sharing, and serving as a blueprint for the nation. I applaud DHSES and their state partners for developing an intuitive system that will expand our statewide threat picture and improve our ability to proactively safeguard critical infrastructure.”

New York State Chief Information Officer and Director of the Office of Information Technology Services Dru Rai said, “Under Governor Hochul’s leadership, New York is showing the rest of the nation how to skillfully and thoroughly enhance the cybersecurity posture of state agencies, local governments, corporations and public authorities, and keep its residents safe from a vast array of evolving cyber threats. It’s simple: Whole of state means whole of state, and every entity must have access to the tools and the knowledge to help themselves in this fight. I am proud that under this new law, ITS will now offer the kind of first-class cybersecurity awareness training to local government employees that we already provide to our New York State workforce.”

State Senator Monica R. Martinez said, “Protecting the public is government’s most important responsibility, but attacks on critical infrastructure put essential services and the people who rely on them at risk. This bill gives municipalities the structure, support, and accountability they need to protect residents and taxpayers from prolonged disruption in the event of a cyberattack. I thank Governor Hochul and my colleagues in the Legislature for recognizing the cost of inaction and for advancing this important legislation.”

State Senator Kristen Gonzalez said, “In our increasingly digital world, our data is constantly at risk. As emerging technologies make it easier for hackers to access our data, readiness isn't just an option for our government; it's our imperative. I thank the sponsor for introducing this bill and am glad that, after the Governor signed it into law, it is now in effect. This smart measure will improve municipal cybersecurity posture and threat intelligence sharing within the state. I look forward to more legislation on cybersecurity being considered so we can make New York as technologically safe as possible.”

Assemblymember Billy D. Jones said, “This piece of legislation is vital for our ever-changing technological state. The unique threats digital attackers pose to our municipalities requires a strong and direct response, and this bill will allow our local and state leaders to do just that. Cybersecurity is an increasingly important topic across all sectors of the state, and ensuring our government offices and agencies are able to respond to threats is critical.”

Assemblymember Steve Otis, Chair of the Assembly Science and Technology Committee, said, “Since the August 2023 release of Governor Hochul’s NYS Cybersecurity Strategy, New York has steadily increased cybersecurity assistance to local governments. This important legislation continues that commitment by requiring prompt reporting of cyberattacks and ransom payments and cybersecurity training of government employees. Full knowledge of cyberattacks statewide will allow state cyber agencies to better advise local governments and school districts about the evolving threat environment. This new law is another example of Governor Hochul and the Legislature working together to expand our resilience to these threats.”