Overview
Legislation
On June 26, 2025, New York State Governor Kathy Hochul signed the CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES LAW (Article 19-c of the General Municipal Law).
The law requires all New York State municipal corporations and public authorities to report to the New York State Division of Homeland Security and Emergency Services:
- Any cybersecurity incident and/or any demand for ransom within 72 hours after reasonably identifying a cybersecurity incident has occurred.
- A ransom payment within 24 hours of payment.
- A ransom payment explanation within 30 days of payment.
Instructions
- Please review all definitions before completing any form.
- Each form must be completed and submitted in one session. Information cannot be saved and submitted at a later time.
- The cybersecurity incident reporting form must be completed before reporting a ransom payment or ransom explanation.
- After submitting a form, an acknowledgement email will be sent from [email protected]. It will include a numerical unique identifier, which will serve as proof the form was submitted and help link any subsequent reporting that may be necessary.
- Pursuant to General Municipal Law Section 995-b(3), any cybersecurity incident report and any records related to a ransom payment submitted to DHSES are exempt from disclosure under Article 6 of the Public Officers Law.
NYS DHSES Cyber Incident Response Team (CIRT) provides both cyber incident response and proactive cybersecurity services to local governments, non-Executive state agencies, and public authorities.
If there are any issues related to reporting, please contact [email protected]
Reporting Forms
File a Report