On July 28, 2025, a NYS law took effect requiring municipalities and public authorities to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours to the NYS Division of Homeland Security and Emergency Services (DHSES).  This new law also requires annual cybersecurity awareness training for government employees, prescribes standards for data protection contained in state-maintained information systems, and mandates a review following significant incidents.  These requirements reinforce the need for a strong internal control system. Internal Control Officers should consider evaluating their organization’s current policies, practices, reporting procedures, and effectiveness of their controls to determine if proper preventative measures are in place, resilience strategies are being implemented, and procedures for reporting are compliant with the new requirements.

Sources:

• Op-Ed | NY municipalities, public authorities must report cybersecurity incidents | amNewYork
• NY State Senate Bill 2025-S7672A
• Governor Hochul Signs Landmark Legislation to Strengthen Cybersecurity Across New York’s Municipalities | Governor Kathy Hochul
• Governor Hochul Announces Legislation Now in Effect to Strengthen Cybersecurity Across New York | Governor Kathy Hochul)