Cybersecurity Incident and Ransom Payment Reporting

Legislation

On June 26, 2025, New York State Governor Kathy Hochul signed the CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES LAW (Article 19-c of the General Municipal Law).

The law requires all New York State municipal corporations and public authorities to report to the New York State Division of Homeland Security and Emergency Services:

1. Any cybersecurity incident and/or any demand for ransom within 72 hours after reasonably identifying a cybersecurity incident has occurred.
2. A ransom payment within 24 hours of payment.
3. A ransom payment explanation within 30 days of payment. 

Reporting Instructions and Guidance

• Review all Definitions before completing any form
• Review Examples of Incidents to Report before completing any form
• Review Key Elements Required in a Narrative Statement before completing any form

Important Notes

• The Cybersecurity Incident Reporting Form must be completed before reporting a ransom payment or ransom payment explanation.
• After clicking on the Cybersecurity Incident Reporting Form, there will be an option to report to multiple agencies (NYS DHSES, NYS DOH, NYS DEC) at one time. If applicable to your incident, select the agencies where you want to report and you will only have to answer the questions once. If you choose to report to the agencies separately, then you will be directed to answer all the same questions each time.
• You must answer each question fully without referencing other answers. Do not respond to a question with “see above" or “see below” as not all agencies selected to receive your report, receive all answers upon submission. Each form must be completed and submitted in one session. To protect sensitive information, information cannot be saved and submitted at a later time and there is no way to edit the report after submission.
• After submitting a form, an acknowledgement email will be sent from [email protected]. It will include a numerical unique identifier, which will serve as proof the form was submitted and help link any subsequent reporting that may be necessary.
• Even if advice/assistance is not requested, the DHSES Cyber Incident Response Team (CIRT) may contact you to obtain additional details or to provide additional recommendations. If any compromise is determined to pose a risk to NYS resources, NYS may take actions that include, but are not limited to, following up with the submitter and resetting any related accounts or network connections. The submitter will be notified in advance of any changes that may impact their organization.
• Pursuant to General Municipal Law Section 995-b(3), any cybersecurity incident report and any records related to a ransom payment submitted to DHSES are exempt from disclosure under Article 6 of the Public Officers Law.

File a Report

REPORT A CYBERSECURITY INCIDENT  REPORT A RANSOM PAYMENT  REPORT A RANSOM EXPLANATION

If there are any issues related to reporting, please contact [email protected]

The DHSES Cyber Incident Response Team (CIRT) provides cyber incident response support and additional proactive cybersecurity services to local governments, non-Executive state agencies, special districts, public schools/BOCES, and public authorities at no cost.