New York Upgrades Its Firewall Against Cyberattacks

The frequency and sophistication of cybersecurity attacks on state and local governments across the United States are on the rise, but now New York state has enacted legislation to ensure public entities' responses to these incidents won’t glitch. Earlier this summer, Gov. Kathy Hochul signed S.7672A/A.6769A, sponsored by state Sen. Monica R. Martinez, to strengthen how New York’s municipalities prevent, report and recover from cyber incidents.

The law requires all municipal corporations and public authorities to report cybersecurity incidents to the New York State Division of Homeland Security and Emergency Services within 72 hours and to provide notice of any ransomware payment within 24 hours. If a ransom is paid, the law directs a follow-up submission within 30 days identifying the amount paid, the reason for payment and the steps taken to confirm the payment complied with applicable laws.  The measure also mandates annual cybersecurity awareness training for government employees, requires reviews following significant incidents and establishes data protection and cybersecurity standards for state-maintained information systems.  To protect sensitive security information, incident reports submitted under the law are exempt from disclosure under the state’s Freedom of Information Law.

“Protecting the public is government's most important responsibility, but attacks on critical infrastructure put essential services and the people who rely on them at risk,” Sen. Martinez said.  “This bill gives municipalities the structure, support and accountability they need to protect residents and taxpayers from prolonged disruption in the event of a cyberattack.  I thank Governor Hochul and my colleagues in the Legislature for recognizing the cost of inaction and for advancing this important legislation.”

Cyberattacks on government networks often result in devastating consequences for the public.  In September 2022, New York’s Suffolk County was hit by a ransomware attack linked to the BlackCat hacker group that crippled core services, shut down systems for weeks and exposed personal information belonging to hundreds of thousands of residents and employees.  Stolen data later surfaced on the dark web, and the cost of the county’s recovery efforts from the incident is believed to be in excess of $25 million

Under the law, municipalities and public authorities must report cybersecurity incidents and ransomware payments using the Division of Homeland Security and Emergency Services’ secure online portal at https://www.dhses.ny.gov/.  If a ransom is paid, a follow-up report is also required with details about the payment and the steps taken to confirm it was lawful.  Local governments, non-executive agencies and state authorities in need of immediate assistance should continue to call the DHSES Cyber Incident Response Team hotline at 1-844-OCT-CIRT (1-844-628-2478).