Broad Scope, Big Impact: NY Mandates Cyber Rules for Public Sector

By Patrick Miller

New York's new cybersecurity law, Chapter 177 of 2025 (S.7672A / A.6769A), introduces mandatory incident reporting, ransom payment disclosures, annual training, and data protection requirements for public-sector entities. Its broad definitions suggest applicability to both IT and OT systems, signaling a significant expansion in cybersecurity oversight for municipalities and public authorities.

Overview

New York’s latest cybersecurity legislation, S.7672A / A.6769A, now signed into law as Chapter 177 (Laws of 2025), is being billed as a public-sector cyber reporting law. But read the fine print, and you’ll realize it’s broader than it appears.

With expansive definitions and no carve-outs, this law could apply to both IT and OT systems, potentially pulling municipal infrastructure, digital control systems, and public authorities into the regulatory cybersecurity spotlight, many for the first time.

What the Law Now Requires

Effective January 1, 2026, all municipal corporations and public authorities in New York must comply with new requirements around cyber incident reporting, ransomware transparency, employee training, and data protection.

1. Cybersecurity Incident Reporting (72 hours)

  • Must report any cybersecurity incident to the Division of Homeland Security and Emergency Services (DHSES) within 72 hours.

  • “Incident” is defined to include events that jeopardize the integrity, confidentiality, or availability of any information system or infrastructure controlled by computers or networks.

2. Ransom Payment Reporting (24 hours + 30 days)

  • If a ransom is paid, it must be reported within 24 hours, and followed by a detailed report within 30 days including:

    • Rationale for payment,

    • Method and amount,

    • Diligence conducted,

    • Compliance with federal rules (e.g., OFAC).

3. Ransomware Events Included

  • “Ransomware attack” is explicitly defined as an event involving malicious code or digital disruption used to extort payment.

4. Annual Cybersecurity Awareness Training

  • All state employees who use technology in their job must complete annual cybersecurity training starting in 2026.

  • Training will be overseen by the Office of Information Technology Services (ITS).

5. Confidentiality of Reports

  • All incident reports and ransom disclosures submitted to DHSES are exempt from Freedom of Information Law (FOIL) requests, encouraging transparency without fear of public exposure.

What Systems Are in Scope?

While the legislation doesn’t use the term “Operational Technology” or explicitly define IT vs. OT, it does refer to:

  • “Information systems” as any organized resources for processing, storing, or disseminating information, and

  • “Infrastructure controlled by computers or information systems.”

This suggests the law may encompass more than just business IT, including connected physical infrastructure or control systems often associated with OT.

Side-by-Side with New York PSC 25-M-0302

This new law parallels the PSC’s pending utility regulation (Case 25-M-0302), which targets investor-owned utilities and cable providers. Together, they form a regulatory pincer movement, covering both public and private critical infrastructure.

| Topic | PSC 25-M-0302 (Utilities) | S.7672A/A.6769A (Public Entities) |
|---|---|---|
| Applies to OT? | Yes, explicitly (via IT/OT convergence) | Possibly (based on broad language) |
| Incident Reporting | 72-hour to PSC | 72-hour to DHSES |
| Ransom Disclosure | Not currently required | 24-hour + 30-day requirement |
| Employee Training | Required under cybersecurity program | Required for all state employees |
| FOIL Protection | Limited to CIP-type data | Full exemption for incident reports |
| Enforcement | Regulatory compliance path | Legal obligation under state law |

What This Means for Municipal Infrastructure Operators

Many local entities aren’t prepared for this. And to be fair, most weren’t expected to be, until now. The law raises the bar for cybersecurity governance across the public sector.

Municipal and quasi-public operators should:

  • Review incident response and reporting workflows

  • Establish or update ransom response policies

  • Assign training responsibility and compliance tracking

  • Assess which systems qualify as "information systems"

  • Evaluate digital exposure of infrastructure and control systems

Future Considerations for Utility Organizations

As New York pushes forward with both PSC 25-M-0302 and Chapter 177 of 2025, utility organizations, both within and beyond state lines, should start preparing for what may follow:

  • IT and OT Convergence: Expect cybersecurity expectations to increasingly cover both IT and OT environments, even when not explicitly named.

  • Mandatory Reporting Becomes the Norm: Align internal response processes to accommodate state, federal, and sector-specific reporting timeframes.

  • Ransom Response Planning: Develop clear internal policies for responding to ransomware, including if/how to pay and how to document.

  • Asset Visibility and Classification: Build complete inventories that include operational technologies and smart infrastructure.

  • State-Level Fragmentation: Monitor other states for similar moves and plan for varying jurisdictional requirements.

  • Executive Oversight: Treat cybersecurity as a board-level issue with strategic implications.

Final Thoughts

These parallel efforts—PSC 25-M-0302 and Chapter 177—mark a turning point in state-level cybersecurity regulation. New York isn’t just responding to increased cyber threats; it’s recalibrating what counts as critical, reportable, and protected. From municipal water systems to large-scale utilities, the message is clear: security isn’t optional, and accountability is expanding.

What’s particularly notable is that these state-level initiatives are emerging amid a broader federal shift. President Trump’s 2025 Executive Orders (April 8 & April 9, 2025) prioritize grid reliability and energy deregulation, emphasizing emergency generation and reliability standards—while placing less emphasis on new regulatory burdens. In that vacuum, states like New York are taking decisive action on cybersecurity.

Additionally, the NARUC–DOE Cybersecurity Baselines for Electric Distribution and DER provide a national playbook for how state commissions can implement practical, non-prescriptive cybersecurity controls. New York is demonstrating this momentum. Others will likely follow.

Utilities and public-sector organizations should take this moment to modernize, align, and harden their cybersecurity postures, before they’re forced to react under the pressure of compliance deadlines or breaches.
