Ransomware negotiator talks tales, threats, and New York’s new ransom payment disclosure law
July 8, 2025 – Published on Cybernews
Signed by New York State Governor Kathy Hochul on Friday, S.7672A/A.6769A0 is the first of its kind in the nation to require state and local authorities to disclose ransomware payments, which, as with private sector ransomware victims, are routinely kept close to the chest for myriad reasons.
Aimed at strengthening cybersecurity across state municipalities, the “landmark legislation” mandates that all municipal corporations and public authorities promptly report cybersecurity incidents and ransom payments to the New York State Division of Homeland Security and Emergency Services (DHSES).
According to the law, public entities will have just 72 hours to report a cybersecurity incident to the DHSES, and only 24 hours to disclose if they have paid a ransom demand.
To talk about the nuances of the bill and delve more into the ransomware negotiations process, Cybernews sat down with Mark Lance, Vice President of Digital Forensics and Incident Response (DFIR) & Threat Intelligence at GuidePoint Security.
“Historically, there has been a lot of direction based on the vertical or the area you work in,” Lance said, citing SEC requirements for the financial sector. “This is more of a blanket way of providing, first, minimum security and compliance requirements, and second, reporting requirements across everybody.”
Lance says the benefit would be normalizing standards across all verticals and all organizations, pointing out that every state has its own requirements. “I think what they’re [New York] trying to do is align with what we’re seeing federally.”