A New Era for Municipal Cybersecurity: New York’s Chapter 177 Mandate
New York State has taken a decisive step to strengthen its digital defenses with the enactment of Chapter 177 of the Laws of 2025. This legislation addresses the impact of ransomware attacks that have increasingly targeted local governments. For municipal leaders and IT professionals, this law is a clear signal that cybersecurity is becoming a core responsibility of public service.
New Reporting Rules for Municipalities
Chapter 177 requires all New York municipal corporations and public authorities to report cybersecurity incidents and demands for ransom payments to the Division of Homeland Security and Emergency Services (DHSES). The law establishes specific reporting timelines to ensure a swift, coordinated cybersecurity incident response effort.
If a municipality receives a ransom demand, it must provide notice to DHSES within 24 hours and provide a written explanation detailing why the payment was necessary, the amount, and the method of payment. Municipal requests for technical assistance or advice must be acknowledged by DHSES within 48 hours.
The reports are generally exempt from Freedom of Information requirements to ensure that sensitive incident details remain protected. This is a crucial feature that encourages transparency without compromising security.
A Mandate for Proactive Defense
Beyond the reporting requirements, this new municipal cybersecurity law also mandates cybersecurity training for all municipal and state employees. Local government entities are required to adhere to robust cybersecurity protection and data protection standards. These standards cover essential practices like secure data backup, information system recovery, and vulnerability management. By requiring standardized practices and centralized reporting, New York aims to improve the overall defense of its public infrastructure.
Implications for Private Businesses
While this law directly applies to municipalities, its influence also extends to the private sector, particularly for businesses that contract with or provide services to public entities. Because municipalities are now subject to strict reporting obligations, they will likely demand a higher cybersecurity posture from their vendors and contractors.
Private companies that provide IT services, software, or other critical infrastructure to New York municipalities should be aware that their own cybersecurity practices may come under scrutiny as part of a municipality’s due diligence. This could lead to new contractual clauses and heightened expectations for security standards. The focus on reporting ransom payments may also impact cyber insurance policies, as insurers may begin to require proof of compliance with these new mandates as a condition for coverage or claims processing.
For private businesses, this is an opportunity to get ahead of the curve. Implementing a strong cybersecurity incident response plan, conducting regular employee training, and ensuring compliance with industry best practices are becoming de facto necessities for engaging in public contracts.
Bleakley Platt & Schmidt, LLP has deep experience in information technology & cybersecurity law, helping both public and private sector clients navigate complex legal and regulatory landscapes. We can assist municipalities in understanding and complying with this new law and guide private businesses in preparing for its ripple effects.