Hochul signs bill to strengthen cybersecurity in NY municipalities

ALBANY — A new state law is aimed at “enhancing the cybersecurity and resilience” of state and local-government networks across New York. First announced in Gov. Kathy Hochul’s 2025 State of the State, this legislation will improve the state’s ability to respond to threats, safeguard critical infrastructure, and reduce statewide cybersecurity risks, Hochul’s office contended in a June 27 announcement. Hochul signed the bill and made the announcement that day, following a meeting with city, county, town and village officials from across the state to discuss current security efforts in response to the ongoing conflict in the Middle East. “My top priority as Governor is the security and safety of all New Yorkers, and with this legislation we’re strengthening our ability to respond to and ultimately prevent cyber threats all across our state,” Hochul said. “As global conflicts escalate and cyber threats evolve, so must our response, and we are taking a whole of government approach in doing so. Requiring timely incident reporting and providing annual cybersecurity training for government employees will build a stronger digital shield for every community across the State and ensure they get the support they need when it matters most.”  The legislation mandates that all municipal corporations and public authorities promptly report cybersecurity incidents and ransom payments to the New York State Division of Homeland Security and Emergency Services (DHSES), fortifying the statewide defense against digital threats, per Hochul’s office. Under the new law, municipalities and public authorities are required to report cybersecurity incidents within 72 hours to DHSES and provide notice of payment of a ransom within 24 hours. The legislation also mandates annual cybersecurity-awareness training for government employees across New York and sets data-protection standards for state-maintained information systems. “The cyber threats that municipalities face have never been more numerous, more sophisticated, or more dangerous, and coordinated whole-of-government information sharing is more important than ever to tackle these threats,” Colin Ahern, New York State chief cyber officer, said in the announcement. “This legislation will enable New York State to build situational awareness of statewide cyber threat activity and create a comprehensive threat picture that can protect all New Yorkers. Ensuring that state and local government employees complete annual cybersecurity awareness training adds another line of cyber defense and empowers government employees statewide to recognize and respond to cyber threats.”   State and local governments are on the front lines of a growing wave of cyberattacks that threaten essential services and public data. As attackers become more sophisticated and aggressive, municipalities face “mounting risks with limited support and rapidly evolving threats,” Hochul’s office said.   Recent ransomware incidents across the country have underscored the urgent need for coordinated, statewide action to help local agencies respond swiftly and protect the communities they serve. The 72-hour reporting requirement will give New York State critical visibility into threats, allowing for faster response, better coordination and damage limitation, the state contends. “The enactment of this legislation marks a critical step forward in strengthening our collective defense against digital threats to the State and its local governments,” Barbara Van Epps, executive director of the New York State Conference of Mayors, said in the announcement. “By requiring prompt incident reporting, ransomware disclosures and annual cybersecurity training, the Governor is sending a clear message: cybersecurity is not just an IT issue — it’s a core public safety priority that demands coordination, vigilance and shared responsibility.” “Almost everything that counties and local governments do today rely on some type of information technology system, and we know that these systems are under threat,” Stephen Acquario, executive director of the New York State Association of Counties said. “This new law is designed to raise the baseline of understanding of cybersecurity for all local leaders and employees so we can all better defend the information systems and data we all rely on to operate government and serve residents.”