Mandatory Cyberattack Reporting for Local Governments Goes Live in New York: What It Means and Why It Matters

In late July, New York Municipal Cybersecurity Incident Reporting and Training Law (S.7672A/A.6769A), which redefines how local governments must prepare for and respond to cybersecurity threats, went into effect. Signed by Governor Kathy Hochul in June, the law requires every municipality and public authority to report cyber incidents to the Division of Homeland Security and Emergency Services (DHSES) within 72 hours of discovery and any ransom payments within 24 hours, with a detailed follow-up required within 30 days. It also mandates annual cybersecurity training for all public employees and establishes baseline data protection standards for state-managed systems. Framed by Governor Hochul as part of a “whole-of-government” cyber strategy, the legislation is both a direct response to escalating threats and a signal of a broader structural shift in how cyber governance is changing at the state and local government level. We expect other states to follow suit with similar legislation aimed at bringing cybersecurity incidents into the open and hardening municipal cybersecurity posture across the country.

This new policy does not exist in a vacuum. Just weeks before its passage, a federal executive order, officially titled “Sustaining Select Efforts To Strengthen The Nation’s Cybersecurity And Amending Executive Order 13694 And Executive Order 14144,” marked a sharp shift in federal cyber priorities. Issued on June 6, 2025, the order scaled back Biden-era cybersecurity mandates by eliminating compliance-heavy software attestations, halting digital identity pilots, narrowing the role of AI in cybersecurity to risk management, and streamlining the post-quantum cryptography roadmap.  At the same time, the loss of federal funding for key MS-ISAC services, including stakeholder engagement, cyber threat intelligence and incident response, has further fragmented the landscape. Many local governments now carry greater responsibility for cybersecurity as shared infrastructure recedes. As Tim Harper, a senior advisor at the Center for Democracy and Technology, put it, “Losing that coordination leaves towns and counties to fight nation-state hackers on their own.”

New York’s legislation functions as both a defensive shield and a structural scaffold. It creates visibility into threat activity across the state and sets expectations that push local governments toward faster detection, clearer escalation pathways, and more resilient practices. That clarity is urgently needed. In 2023 alone, ransomware attacks on public-sector agencies rose more than 50%, frequently disrupting critical services like courts, schools, utilities, and emergency operations. Financial losses tell only part of the story, public safety and operational continuity are often the first casualties of cyber-attacks. Meanwhile, most local agencies operate with limited resources. More than 80% of state and local entities report having fewer than five full-time cybersecurity staff, and many have none at all. These teams are responsible for everything from network maintenance and patching to compliance, user support, and threat response. A 2024 NASCIO survey found that more than 60% of governments continue to face challenges recruiting cybersecurity talent, particularly in areas like threat detection, risk governance, and incident planning.

But this law does not simply ask municipalities to report, it also assumes a level of real-time detection and escalation capacity that many municipalities don’t yet possess. That is why implementation is likely to hinge less on intent than on capability. While the state will provide no-cost training and technical assistance, meeting the requirements will demand more than guidance. It will require operational maturity: embedded processes, cross-functional coordination, and a security posture that isn’t treated as a compliance checkbox but as a core part of institutional resilience.

Training is central to that shift. Human behavior remains one of the most common points of failure in cybersecurity. Phishing, credential theft, and social engineering are still leading causes of breach activity. But one-time awareness modules won’t meaningfully reduce that risk. For training to work, it needs to be embedded in daily workflows, reinforced through practice, informed by local context, and connected to response procedures that employees understand and can act on. The law’s annual training requirement acknowledges this, but it’s the implementation, especially in small, resource-constrained agencies, which will determine whether awareness becomes readiness.

In our work with public-sector organizations/state and local governments, we have seen that municipalities need more than just training content. They need help translating that content into practice. That includes building policies that can be followed under stress, simulations that mirror real threats, and staff support that connect front-line users to escalation paths. It’s not about overengineering. It’s about operational realism.

Worklyn’s platform companies, Harbor IT and Quadrant Security, offer cybersecurity awareness training and other critical security tooling, but also take responsibility for risk, technology, and operations so that our clients, many of which are local government entities and educational institutions, can focus on their core missions. In fact, we are purpose-built for organizations that lack the internal resources to stand up and sustain secure infrastructure on their own. The Harbor IT managed security and risk model turns essential governance tasks, like compliance visibility, employee training, and tech debt tracking, into managed functions, embedded in daily operations. And Quadrant layers on top of Harbor IT to deliver enterprise-grade security analytics, with log and packet analysis, monitoring, behavioral threat detection on a 24x7 basis, acting as the eyes and ears for local municipalities, transit centers, and school districts. Our high-touch MDR model puts the “R” in MDR (managed detection and response), not just signaling risk but helping remediate it. Together, Harbor IT and Quadrant offer more than service coverage. They offer operational assurance, a combination of frontline defense and back-office enablement that allows agencies to meet regulatory mandates without overextending internal teams. As more states adopt more prescriptive cybersecurity regulations, this kind of partnership model will only become more critical.

At Worklyn, we see this as a national inflection point. We don’t just back companies like Harbor IT and Quadrant Security, we operate them, shaping both their daily execution and their long-term direction. They reflect where the market is going: away from plug-and-play security products, and toward mission-aligned, capability-driven partnerships. Our experts are already helping public agencies evolve from fragmented services to resilient, self-reinforcing operations. And we stand ready to enable more local municipalities and public authorities to go from compliance readiness to operational resilience, at a time when that distinction matters most.