Legislation Builds on Previous Actions and Investments To Build a More Resilient and Secure Digital Environment
A new law governing how the New York’s alw Enforcment responds to Cybersecurity threats took effect earlier this week. First announced in Governor Hochul’s 2025 State of the State address, this legislation requires all municipal corporations and public authorities to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours to the New York State Division of Homeland Security and Emergency Services (DHSES). Within 30 days of making a ransomware payment, the victim must provide the payment amount, a justification for why it was necessary and an explanation of the diligence performed to ensure the payment was lawful. This information will improve the State’s ability to address cybersecurity threats, safeguard critical infrastructure, and tackle the scourge of ransomware.
“Here in New York, we are keeping up with technology’s fast-paced evolution and are resilient in the face of cybersecurity threats,” Governor Hochul said. “This legislation strengthens our response and provides our state’s Department of Homeland Security and Emergency Services the necessary information to handle reports of attacks and keep New Yorkers safe.”
New York State Division of Homeland Security and Emergency Services Commissioner Jackie Bray said, “New York State is leading the way in cybersecurity threat and ransomware reporting. Now that the system is operational, our teams will be better armed to protect important infrastructure and address ransomware attacks.”
Municipal corporations and public authorities may report cybersecurity incidents, notice of ransomware payments, and justification for ransomware payments to DHSES through a web portal.
Local governments, non-executive agencies and state authorities should still call the DHSES Cyber Incident Response Team hotline at 1-844-OCT-CIRT (1-844-628-2478) if they need immediate cyber incident response support.
Governor Hochul signed this legislation on June 27 after virtually convening local government officials to discuss ongoing security efforts. The legislation also mandates annual cybersecurity awareness training for government employees across New York and sets data protection standards for State-maintained information systems.
New York State Chief Cyber Officer Colin Ahern said, “With the operationalization of this landmark legislation, New York is making a clear statement that we are stronger together, enabling coordinated response and information sharing, and serving as a blueprint for the nation. I applaud DHSES and their state partners for developing an intuitive system that will expand our statewide threat picture and improve our ability to proactively safeguard critical infrastructure.”
