For optimal browsing, we recommend Chrome, Firefox or Safari browsers.
Local governments in New York state face new cybersecurity reporting requirements — a change that comes as the nation examines a massive recent hacking attack in Minnesota’s capital city.
New York Gov. Kathy Hochul has announced that those requirements, recently approved by lawmakers, have kicked in.
The new law says that “all municipal corporations and public authorities” must report any “cybersecurity incidents” within 72 hours, according to a statement from the governor’s office.
Any ransomware payment has to be reported within 24 hours to the New York State Division of Homeland Security and Emergency Services, or DHSES.
Within 30 days of such payments, victims have to detail the payment amount, a justification for the payment and information about the “diligence performed to ensure the payment was lawful,” according to the statement.
The governor’s office expects that reporting such info will help state officials better deal with cybersecurity threats and set up defenses.
Reporting can happen via the DHSES web portal.
The statement, though, directed those in need of immediate “cyber instance response support” to call the DHSES Cyber Incident Response Team hotline at 1-844-OCT-CIRT (1-844-628-2478).
“Here in New York, we are keeping up with technology’s fast-paced evolution and are resilient in the face of cybersecurity threats,” Hochul said in the statement. “This legislation strengthens our response and provides our state’s Department of Homeland Security and Emergency Services the necessary information to handle reports of attacks and keep New Yorkers safe.”
The new law also requires that government employees across the state take annual cybersecurity awareness training.
New York is hardly the only state to make rules regarding public-sector cybersecurity.
A recent example comes from Ohio, where officials — spurred on by recent cyber attacks that targeted local governments — have told cities and towns and other local public agencies to craft cybersecurity policies. Training and more transparency around ransomware payments also are part of the new law.
Never miss a story with the GovTech Today newsletter.
Copyright 2025 Remote Security. All Rights Reserved
