Key Takeaways:
- Governor Hochul has signed a new law requiring all local governments and public authorities in New York to report cyber incidents within 72 hours and ransomware payments within 24 hours.
- The legislation mandates annual cybersecurity training for public employees and codifies baseline data protection standards.
- The move empowers the Division of Homeland Security and Emergency Services (DHSES) to coordinate incident response statewide.
- Local leaders and state officials frame the law as a proactive, unified defense strategy against escalating digital threats.
- The law builds on existing state cybersecurity initiatives, including the Joint Security Operations Center and infrastructure protections.
Governor Kathy Hochul has signed sweeping new legislation designed to standardize and strengthen cybersecurity protections across New York's public sector. The law, passed unanimously in both legislative chambers, applies to every municipal government and public authority in the state. It marks a pivotal moment in how local governments are expected to prepare for, respond to, and report cyber incidents.
Under the new requirements, any cyberattack affecting a municipal system must be reported to the state within 72 hours. If a ransomware payment is made, that must be reported within 24 hours. The goal is to ensure that the state has a clear, timely picture of cyber threats and can coordinate incident response across jurisdictions in real time.
In addition to the reporting requirements, the law mandates that all public employees undergo annual cybersecurity training. It also formally establishes data protection standards for public sector systems, bringing consistency to how local and state entities safeguard information and infrastructure.
“This is about protecting New Yorkers where they live, work, and receive services,” said Governor Hochul during the bill signing. “Cybersecurity is no longer optional. It’s a core function of government, and this legislation ensures we’re treating it as such.”
Colin Ahern, New York’s Chief Cyber Officer, noted that local governments increasingly face attacks that are more frequent and more sophisticated than ever before. Without centralized reporting and state-level coordination, he explained, bad actors gain the advantage. The new law is intended to change that.
The measure was championed by State Senator Monica Martinez and Assemblymember Steve Otis. Both lawmakers emphasized the need for systemic readiness and accountability. Martinez highlighted that municipalities now have both the tools and responsibilities to protect vital services, while Otis pointed out that the training and reporting requirements would elevate response readiness statewide.
This legislation is the latest in a series of cyber initiatives under Hochul’s administration. It complements previous efforts such as the launch of the Joint Security Operations Center (JSOC), increased cyber funding for law enforcement, and heightened protections for critical infrastructure including the power grid and transportation systems.
As cyber threats grow in complexity—driven by both criminal enterprises and nation-state actors—New York’s move sets a high bar for proactive, cross-government defense. With this law, the state aims not only to protect data and systems but to build a unified cybersecurity culture across all levels of public service.
Apex Technology Services, a leading provider of managed cybersecurity and IT services in the Northeast, works closely with municipalities, schools, and public agencies to implement proactive defenses aligned with evolving state requirements. With deep experience in incident response, compliance, and employee training, Apex helps local governments meet the new reporting deadlines and security standards outlined in New York’s cybersecurity legislation, ensuring communities remain resilient in the face of escalating digital threats. The management team suggests that an amendment to this bill should focus on dark web monitoring of government employee credentials, as this information can be used as an attack vector. When performing these scans, the team at Apex has seen an alarming number of company credentials listed, often with passwords.