New state law requires quick reporting of cybersecurity, ransomware incidents

ALBANY, N.Y. — A new state law is now effect that requires all municipal corporations and public authorities to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours to the New York State Division of Homeland Security and Emergency Services (DHSES). Within 30 days of making a ransomware payment, the victim organization must provide the payment amount, a justification for why it was necessary, and an explanation of the diligence performed to ensure the payment was lawful. The information will improve the state’s ability to address cybersecurity threats, safeguard critical infrastructure, and “tackle the scourge of ransomware,” the office of Gov. Kathy Hochul said. Hochul first announced the proposed legislation during her 2025 State of the State address. The governor signed the bill into law on June 27 after virtually convening local-government officials to discuss ongoing security efforts. The legislation also mandates annual cybersecurity-awareness training for government employees across New York state and sets data-protection standards for state-maintained information systems. On July 28, Hochul announced the law was in effect. “This legislation strengthens our response and provides our state’s Department of Homeland Security and Emergency Services the necessary information to handle reports of attacks and keep New Yorkers safe,” the governor said in the announcement. Municipal corporations and public authorities may report cybersecurity incidents, notice of ransomware payments, and justification for ransomware payments to DHSES through a web portal available at: https://www.dhses.ny.gov/. Local governments, non-executive agencies, and state authorities should still call the DHSES Cyber Incident Response Team hotline at 1-844-OCT-CIRT (1-844-628-2478) if they need immediate cyber-incident response support. “New York State is leading the way in cybersecurity threat and ransomware reporting,” Jackie Bray, commissioner of the New York State Division of Homeland Security and Emergency Services, said. “Now that the system is operational, our teams will be better armed to protect important infrastructure and address ransomware attacks.” “With the operationalization of this landmark legislation, New York is making a clear statement that we are stronger together, enabling coordinated response and information sharing, and serving as a blueprint for the nation,” Colin Ahern, chief cyber officer of New York State, said.