A state law requiring municipalities and public authorities to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours compels New York governments to ensure they have protocols in place to collect and report the required information.
The law, which took effect July 28, requires municipalities and districts to report both cybersecurity incidents and ransomware payments to the New York State Division of Homeland Security and Emergency Services (DHSES). New York City is exempted from this regulation.
Gov. Kathy Hochul said collecting this information will improve New York’s ability to address cybersecurity threats, safeguard critical infrastructure and tackle the scourge of ransomware.
“Here in New York, we are keeping up with technology’s fast-paced evolution and are resilient in the face of cybersecurity threats,” Governor Hochul said in a public statement. “This legislation strengthens our response and provides our state’s Department of Homeland Security and Emergency Services the necessary information to handle reports of attacks and keep New Yorkers safe.”
Incidents, defined as events occurring on a computer network which actually or imminently jeopardize the confidentiality, integrity or availability of computers, information, communication systems, networks or physical or virtual infrastructure, must be reported within 72 hours, and the government must indicate whether it is accepting or declining assistance from DHSES.
Ransomware payments must be reported within 24 hours of the payment and, within 30 days, a report must be filed outlining why the payment was necessary, the amount and means of payment, any alternatives that were available and how thoroughly those alternatives to payment were explored, along with the diligence applied to comply with federal laws.
The Division of Homeland Security and Emergency Services has established a portal to report incidents. Many districts and municipalities are pre-populated in the form and there is an option to create a new one if yours is not listed. The portal seeks information about the nature of the event and risk and drives the reporting entity to reach out to DHSES’ Cyber Incident Response team.
The form includes much of the same information one might find as a part of an incident log. It is worth reviewing the form to ensure all the information is captured by either your internal technology teams or a vendor, if cybersecurity services are outsourced. The information provided in the form is exempted from FOIL disclosure, but it is still a good idea to have an attorney review the proposed responses and rationales about ransomware decisions prior to filing.
If your municipality or district is covered by this law, you should review your incident response plan and incident log template to ensure all issues required for disclosure under this new law are addressed and that the rationale for the relevant decisions is recorded and fully justified.