New York Cybersecurity Statistics and Incident Data
New York generates some of the most closely tracked cybersecurity incident data in the United States, reflecting the state's concentration of financial institutions, healthcare networks, government agencies, and critical infrastructure. This page maps the primary data sources, reporting frameworks, and statistical categories that define the New York cyber incident landscape. Understanding how incident data is collected, classified, and published is essential for compliance professionals, policy researchers, and security practitioners operating within New York jurisdiction.
Definition and scope
New York cybersecurity statistics encompass quantified incident reports, breach notifications, enforcement actions, and threat intelligence gathered from entities operating under New York State law and regulation. The primary statutory frameworks generating this data include the New York SHIELD Act (General Business Law § 899-aa and § 899-bb), the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500), and federal frameworks that intersect with state-level reporting obligations.
The New York Office of the Attorney General (OAG) is the principal public publisher of breach notification data. Under New York's breach notification law, covered businesses must notify the OAG when a breach affects New York residents, creating a structured data trail from which aggregate statistics are drawn. The NYDFS separately tracks incidents reported by covered entities — including banks, insurance companies, and licensed financial services firms — through its own notification and examination infrastructure.
Scope and coverage limitations: This page addresses data and statistics pertaining specifically to cybersecurity incidents within New York State jurisdiction. It does not cover federal breach reporting obligations under frameworks such as the FTC Safeguards Rule, SEC cyber disclosure rules, or HIPAA's breach notification requirements as standalone subjects — those intersect with but are distinct from New York's state-level data infrastructure. Incidents involving entities not subject to New York law, or incidents with no New York nexus, fall outside this scope. For the broader regulatory architecture, see Regulatory Context for New York Cybersecurity.
How it works
New York incident statistics are generated through a multi-channel reporting pipeline involving mandatory notification, regulatory examination, law enforcement intake, and periodic published reports.
- Breach notification intake (OAG): Entities experiencing a security breach affecting New York residents submit notifications to the OAG under General Business Law § 899-aa. The OAG publishes annual summary data including the number of notifications received, sectors affected, and types of personal information exposed.
- NYDFS cyber event reporting: Covered entities under 23 NYCRR 500 must notify the NYDFS within 72 hours of a material cybersecurity event. The NYDFS incorporates this data into supervisory reporting and periodic industry analyses.
- Internet Crime Complaint Center (IC3): The FBI's IC3 publishes state-level breakdowns in its annual Internet Crime Report. New York consistently ranks among the top five states by total reported cybercrime losses and complaint volume. In 2022, the IC3 Internet Crime Report identified New York as the state with the third-highest reported cybercrime losses, exceeding $775 million in victim losses for that year (FBI IC3 2022 Internet Crime Report).
- Cyber incident reporting to law enforcement: The New York State Police and the New York City Cyber Command (NYC3) receive incident reports from municipal entities and private sector organizations. NYC3 coordinates cyber threat intelligence across the five boroughs and contributes to the city-specific incident data pool.
- Healthcare sector reporting: New York healthcare entities subject to HIPAA report breaches to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which maintains a public breach portal. New York healthcare organizations represent a significant share of entries on the HHS OCR Breach Portal.
The New York Cybersecurity Incident Response framework structures how these reporting channels interact during an active incident, distinguishing between notification obligations and operational response activities.
Common scenarios
New York's incident data clusters around identifiable attack categories and sector-specific patterns. The following breakdown reflects patterns documented in NYDFS examination findings, OAG enforcement records, and IC3 state-level data.
Ransomware against public and healthcare entities: Ransomware incidents involving municipal governments, school districts, and hospital networks generate the largest individual-incident cost figures in New York data. The New York Ransomware Risks and Response landscape includes incidents affecting Albany County, the Monroe College network disruption, and a string of school district encryption events across Long Island.
Business Email Compromise (BEC): BEC schemes consistently account for the highest financial losses reported to IC3 by New York businesses. The FBI's IC3 tracks BEC as a distinct complaint category separate from phishing or malware events.
Third-party vendor breaches: A significant portion of breach notifications received by the OAG originate from incidents at third-party service providers rather than the notifying entity itself. This pattern is documented in OAG enforcement reports and intersects directly with NYDFS requirements for third-party vendor cybersecurity risk management under 23 NYCRR 500.11.
Credential theft and identity fraud: New York breach notifications disproportionately involve exposed credentials — usernames, passwords, and Social Security numbers — consistent with the state's concentration of financial account holders. The New York Identity Theft Cybersecurity data stream is one of the most active sub-categories in OAG notification records.
Financial sector intrusions: NYDFS-regulated entities report unauthorized access attempts and system intrusions at volumes reflecting the sector's density in New York City. The New York Financial Sector Cybersecurity reporting pipeline under 23 NYCRR 500 produces the most granular regulated-sector dataset available at the state level.
Decision boundaries
Professionals and researchers working with New York cybersecurity statistics encounter several classification distinctions that affect how data is interpreted and compared.
Notification vs. incident: A breach notification filed with the OAG represents a defined legal event — unauthorized access to private information — not every cybersecurity incident. Phishing attempts, failed intrusions, and malware detections that do not result in unauthorized access to personal information typically do not generate OAG notification data, producing an undercounting effect relative to total incident volume.
NYDFS covered entity vs. general business: Statistics from NYDFS-supervised entities (banks, insurers, mortgage servicers) are tracked under a different regulatory schema than general business breach notifications. Comparing NYDFS-sourced data to OAG notification data requires accounting for the distinct triggering thresholds and entity populations.
State-only data vs. federal intersection: New York incident statistics represent a subset of total incident activity. HIPAA-reportable breaches, SEC-reportable cyber incidents affecting public companies, and TSA pipeline security directives generate parallel data streams that may not appear in state-level tallies. The New York Cybersecurity Laws and Compliance framework maps where these obligations overlap.
Reported vs. actual losses: IC3 figures capture only complaints voluntarily filed. The FBI consistently notes in its annual reports that IC3 data represents a fraction of actual cybercrime activity, with the gap particularly wide for small business and individual victims. Researchers using IC3 state-level data should treat figures as minimum bounds rather than total loss estimates.
The New York Security Authority homepage provides access to the full landscape of subject areas covered within New York's cybersecurity regulatory and incident environment, including sector-specific data discussions for healthcare, government, and critical infrastructure operators.
References
- New York SHIELD Act — General Business Law § 899-aa and § 899-bb
- NYDFS Cybersecurity Regulation — 23 NYCRR 500
- New York Office of the Attorney General — Data Security
- FBI Internet Crime Complaint Center (IC3) — Annual Reports
- FBI IC3 2022 Internet Crime Report
- HHS Office for Civil Rights — Breach Reporting Portal
- New York City Cyber Command (NYC3)
- NIST Cybersecurity Framework (CSF)