New York cyber reporting law alert! In a major shift that sets the tone for national cybersecurity policy, New York State has passed legislation requiring all local governments and public authorities to report cyberattacks within 72 hours and disclose ransomware payments within just 24 hours. This groundbreaking law—signed by Governor Kathy Hochul on June 26, 2025—represents a growing recognition of the urgent need for cyber transparency, resilience, and coordinated response.

New York Senate Bill S7672 (2025): the legislation requiring municipalities to report cyber incidents within 72 hours.

Why This Law Matters

Cyberattacks against municipalities have surged in recent years, often exploiting weak infrastructure, outdated systems, and underfunded security programs. With local governments controlling critical infrastructure—from public schools and utilities to transit and healthcare systems—the risk of disruption has never been greater.

By mandating strict disclosure timelines, New York is effectively forcing a culture shift in how organizations prepare for, detect, and recover from attacks. In particular, this law shines a spotlight on ransomware—a tactic that continues to dominate headlines and cost millions in recovery and downtime.

What Organizations Need to Do

If your business or partners work with or alongside public agencies in New York, this law may affect your operations directly or indirectly. Organizations should:

  • Ensure cyber incidents are identified and escalated within hours—not days.
  • Have clearly documented disaster recovery and incident response plans.
  • Prepare executives and legal teams to handle ransomware payment disclosures within 24 hours.
  • Deploy advanced detection systems such as endpoint protection and network monitoring.
  • Regularly test and update policies with simulated tabletop exercises.

Implications Beyond Public Sector

While the law targets public entities, it sets a precedent that private businesses would be wise to follow voluntarily. Regulatory bodies at the federal level are likely to mirror these expectations in future legislation. Cyber insurance underwriters may also start to weigh reporting preparedness more heavily in risk models.

From a supply chain perspective, failure to rapidly disclose or respond to a breach could impact vendor relationships, insurance coverage, and customer trust. Organizations of all sizes should view this law as a benchmark—not a boundary.

How Cost+ Helps You Stay Compliant and Resilient

At Cost+, we support businesses in building strong cyber foundations through a layered and affordable approach. Our Recovery+, Security+, and Compliance+ services are designed to help you prevent attacks, prepare for the worst, and respond with confidence if an incident occurs.

We also offer free assessments, including:

Final Thoughts

New York’s new cyber reporting law isn’t just about compliance—it’s about preparedness. In a world where ransomware groups move faster than legislation, every hour counts. The organizations that succeed won’t be the ones who scramble after an incident—they’ll be the ones who plan before it happens.

Now is the time to align your security posture with tomorrow’s regulations—before they become mandates.

Cost+ is local to New York City, and we're happy to stop by in person to help with all aspects of IT, from support to cyber security. Offices are located in New Jersey, Florida and Arizona. To schedule a consultation or learn more, contact Cost+ today.

By Thomas McDonald
Vice President