NY S09005
Bill
Status
5/3/2022
Primary Sponsor
Diane Savino
AI Summary
- Requires the director of state technology to promulgate regulations within one year establishing standards for malware/ransomware protection, immutable data backups in segmented environments, information system recovery procedures, and annual workforce training.
- Mandates state entities conduct monthly vulnerability assessments of mission-critical systems starting January 1, 2023, with full information system testing by independent third parties beginning December 1, 2023, with reports due to the office within 45 days.
- Requires each state entity to create or update inventories of data and information systems within one year, including identification of mission-critical systems, personal information sources and age, and immutable backup protection status.
- Requires state entities to develop incident response plans within 18 months for ransomware and malware incidents, including procedures for recovery using immutable backups stored on segmented devices, with annual testing exercises beginning January 1, 2025.
- Establishes that the act creates no private right of action.
Legislative Description
Establishes the "secure our data act"; relates to state entities preparing for and protecting against a ransomware attack.
Last Action
COMMITTED TO RULES
6/3/2022