Per new law, all New York agencies required to take cyber awareness training
Starting next year, anyone who touches a keyboard while working for a state, city, county or district government office in New York will be required to take annual cybersecurity awareness training. The training, which will be administered by the state technology office free of charge, is one of several new requirements included in cybersecurity legislation Gov. Kathy Hochul signed into law last Friday.
Also bundled in the new measure is a requirement that all government offices in the state report to the state’s homeland security office all cybersecurity incidents within 72 hours and ransomware payments within 24 hours. It also requires the state to set new data protection standards for information systems it maintains and to conduct routine inventories of its technology systems.
In the state’s press materials, Hochul said the legislation represents her state’s effort to apply a “whole of government approach” to cybersecurity, an increasingly popular model adopted by states in recent years that blurs the lines of responsibility separating state and local government agencies. State and local agencies both face a constant barrage of cyberattacks, but it’s the smaller, less-resourced local agencies that find themselves least prepared to defend themselves.
The $1 billion in grant funding offered by the State and Local Cybersecurity Grant Program chiefly targets the cybersecurity governance deficiency seen in many local governments, as states are permitted to accept just 20% of the funding and funnel the rest to their municipalities. That requirement has prompted a mass rejiggering in how states think about administering cybersecurity and technology services more generally. Local governments, though mostly not under the legal purview of their state technology offices, can now at least avail themselves of a greater number of cybersecurity services should they choose.
New York’s legislation is notable, though, for not only offering training to its state and local agencies, but requiring it. Colin Ahern, the state’s chief cyber officer, noted in the press materials the prodigious threat his state faces and the welcome “situational awareness” the new law bestows. Dru Rai, New York’s chief information officer, in the press materials called out the law’s training and awareness provision as “a key component” of the state’s cybersecurity strategy.
“Cyber threat actors will continue to change their tactics in an attempt to find even the slightest vulnerability, but as a State we will continue to adapt, evolve, educate and strengthen our over all defenses to aggressively and proactively meet this challenge,” Rai said.
