New York’s Cybersecurity Overhaul: What Municipalities and Nonprofits Need to Know
In a digital world, cybersecurity isn’t just an IT concern—it’s a governance responsibility. New legislation from New York State, introduced in April 2025, is reshaping how municipal and public entities prepare for and respond to cyber threats. Here’s what you need to know.
Cyberattacks Aren’t Optional—Reporting Now Isn’t Either
Municipalities, public authorities, and related organizations must now report any cybersecurity incidents—including ransom demands—within 72 hours. If a ransom is paid, notification must happen within 24 hours, and a full report is due within 30 days.
These reports will be confidential but are crucial for tracking threats and safeguarding statewide infrastructure.
Help Is Available—If You Ask
When reporting, organizations can request technical help from the Division of Homeland Security and Emergency Services. The agency will review every report and offer support where possible, including analyzing trends and sharing defensive strategies.
Training Isn’t a Luxury, It’s the Law
Starting in 2026, any public employee using technology in their job must complete annual cybersecurity training. The state will offer free training tools for local governments—but alternative programs can also be used.
State Agencies Face Even Higher Standards
In addition to the above, state agencies must:
- Implement data protection protocols.
- Inventory their information systems by 2027.
- Develop incident response plans and run annual breach simulations starting in 2028.
Again, these records remain confidential to protect sensitive systems.
What This Means for You
Whether you’re a local government leader, nonprofit manager, or public authority executive, this new law reinforces a core message: cybersecurity is a shared responsibility. Having reporting protocols, training plans, and data protection standards in place isn’t just best practice—it’s now the law.
If your organization isn’t prepared, now is the time to act.