
“We’re Not Waiting Around:” New York Cyber Chief on Regulation, Harmonization, and Urgency

By Samuel Dab MIA ’26 and Jason Healey
Posted Sep 05 2025
[Image: Colin Ahern]
In 2022, Colin Ahern was appointed by Governor Kathy Hochul to become New York State’s first Chief Cyber Officer. Since then, his office has been responsible for some of the most ambitious cyber regulatory efforts in the country.

The SIPA Cyber Regulations Watch sat down with Ahern to discuss how New York State approaches cybersecurity regulation, what it takes to harmonize requirements across agencies and jurisdictions, and why the state isn’t waiting on Washington to act.

This interview was conducted on July 31, 2025, and edited for length and clarity.

SIPA: Before we get into the latest developments around cybersecurity regulations in New York and the federal government, I wanted to start with your personal experience. You come from more of an operational background. So when you began working on cyber policy with New York City Cyber Command back in 2016—almost a decade ago now—how familiar were you with cybersecurity regulations at the time? And how did you come to understand their practical implications?

Colin Ahern: My first interaction with cyber regulation was actually when I was in the Army. The Department of Defense and the entity formerly known as the Defense Information Systems Agency (DISA) exercised a range of regulatory and semi-regulatory roles over subordinate service cyber operations, as well as cyber defense operations. So that was my first exposure to internal government cyber regulatory regimes.

There are also various federal laws in that space—the Federal Information Security Modernization Act (FISMA) and others you’re likely familiar with. Then, after I left the Army, I got my MBA, which gave me a deep look at the business perspective on regulation, especially how it helps correct information asymmetries and address tragedies of the commons—concepts you [SIPA] study and write about often.

My first job post-MBA was in finance at a company then known as First Data, a payments processor that was a systemically important financial institution. I worked on the company’s cyber posture and encountered regulations from the Federal Financial Institutions Examination Council (FFIEC) and similar entities. So I’ve seen this space from the regulated entity perspective.

Later, at New York City Cyber Command, the city was subject to a range of federal regulations, a key one being IRS 1075. New York City, being one of the few local jurisdictions with an income tax, has to comply with IRS regulations. There’s also the Health Insurance Portability and Accountability Act (HIPAA), and a range of payment card industry standards that apply to any entity involved in the financial system.

So I’ve approached cyber regulation from multiple vantage points—inside government, outside government, in the military, and in the private sector—for almost 20 years now.

We’ve seen cyber regulations evolve quite a bit since then. The regulatory environment today is far more active than when you started in the Army or even at New York City Cyber Command. How has that evolution shaped how you see regulation?

I think it helps to have a historical perspective. A lot of the early cyber regulations, particularly around data breaches, were shaped by the idea that a data spill is like pollution. There are harms to individuals whose data is leaked but also systemic harms to the marketplace and society. The legal theory back then was that if a certain number of records were lost, that multiplied into a quantifiable harm. HIPAA is a good example—calculating fines based on the number of breached records.

But things have changed, especially with the rise of ransomware over the past seven or eight years. We’ve come to understand that the systems themselves—not just the data—are targets. Information systems have direct operational impacts. That’s why financial services were the first to grasp this: the data is sensitive, yes, but it’s also operationally essential.

Take account numbers—they’re both personal data and the functional keys to banking operations. The financial sector didn’t need much convincing that securing systems was essential to both their customers’ trust and their own continuity. That’s one reason New York State’s Department of Financial Services (DFS) led early with cyber regulations almost a decade ago.

Now we’re applying that logic to other critical sectors like hospitals, energy distribution utilities, and water infrastructure. These new regulations are less about data privacy alone and more about operational resilience. Foreign adversaries—Russia, China, Iran—have demonstrated they want to hold these systems at risk, create disruption, panic, and potentially harm the public. Our job is to preempt that by focusing on resilience.

We’ve seen that New York [State]’s latest wave of cyber regulations—especially those enacted in the last few months—put a distinct emphasis on harmonizing requirements across state agencies, and sometimes even aligning with upcoming federal rules like the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). When did it become clear that harmonization should be a strategic priority, and what were the specific frictions that led you in that direction?

There’s always been an inchoate desire to harmonize regulations—it’s easy to say, hard to do. The governor’s framework is that regulations must be threat-informed, risk-centric, and cost-balanced.

The threats have evolved—destructive malware, operational interruptions, and state actors trying to cause disruption. That risk must be balanced with cost, especially for critical infrastructure, where the burden often falls on the public. That’s why each new regulation has been paired with shared services or grant programs. For example, with hospitals, we tied the regulations to a multi-hundred-million-dollar capital grant program. For water and wastewater, we’ve launched a technical assistance and grant program through the Environmental Facilities Corporation.

One of the major costs of regulation is administration—for both the government and the regulated entities. So, harmonization helps reduce compliance costs while still enhancing resilience and security. That said, federal and state regulatory authorities are fundamentally different. In energy, for example, generation and transmission are federally regulated, while distribution is a state responsibility. Harmonization requires a high level of policy expertise, which is why the governor has made significant investments in human capital and regulatory capacity.

We’ve said publicly that federal agencies need strong leadership and an executive branch willing to drive action on short timelines. When the governor came into office, one of the first things she did was sign legislation giving the Public Service Commission the authority to regulate cyber as a hazard, just like storm hazards. That was a critical step.

But you also need people—specialized legal and policy experts who can write regulations, supervise implementation, and engage the public. This doesn’t happen overnight.

New York [State] is often seen as leading the way in cyber regulation. But how do you avoid exacerbating regulatory disparities with other states that don’t regulate as aggressively? Do you coordinate closely with them?

Short answer—yes. Long answer—definitely. We work through several forums, like the National Governors Association, and with neighboring states like Connecticut and New Jersey. For example, we share a National Guard cyber protection team with New Jersey.

New York has long recognized that regulation can support private sector growth by providing certainty and a level playing field. Our financial regulators are considered premier, and that’s part of why businesses choose to be here. It’s like a chicken and egg—you can’t always tell if New York is the center of global commerce because of its regulators, or vice versa. But we know that being regulated by New York means you’re prepared to operate anywhere.

And how about coordination with federal regulators? When you enacted something like the DFS regulation, how much consultation was there with federal agencies?

A lot. There’s day-to-day interaction between state and federal agencies—Treasury, OCC, and others. At the governor’s level, we also have regular meetings with federal officials across administrations.

We want a federal government that is effective in cyber, national security, and counterterrorism. We’ve voiced concerns with some of what we’ve seen from Washington, but we still work closely with them. We can only succeed together—or fail separately; there is no middle ground. As an example, we cited cybersecurity performance goals developed by both the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) in our water regulations.

There are several legislative proposals in Congress aimed at harmonizing cybersecurity regulations—most notably the Streamlining Federal Cybersecurity Regulations Act. Do you hope these will help reduce the burden on New York entities? How closely do you follow what’s happening in Congress?

We follow congressional developments very closely—this includes Senator Gary Peters’s bill, but also the broader landscape. We regularly engage with Minority Leader Schumer, Senator Gillibrand, and House members like Representative Garbarino, who was recently elevated to Chair of the Homeland Security Committee, and Pat Ryan from the Hudson Valley.

That said, we’re not waiting for the federal government to act. When the governor directed agencies to draft cybersecurity regulations for water and wastewater systems, we harmonized those rules across three different state agencies over an intensive, multi-month period. We put our money where our mouth is and took immediate action because we see this as urgent.

We are absolutely ready to continue working with Congress and federal regulators—but we don’t have a “wait and see” posture. As the governor has said, we are on the clock. We need bold moves from Washington to make Americans—and New Yorkers—safer, both by increasing deterrence and improving cybersecurity. But we’re not holding off on our end just because the federal side is slow to move.

What’s next for New York State in terms of cyber regulation?

What’s next is really focusing on the public comment process for the water and wastewater cybersecurity regulations. That’s the most recent initiative, and we’re proud to be the first entity to propose regulations like these.

They’re prescriptive but risk-based—not 900-page tomes. We’re talking 12 to 17 pages, depending on the agency. They ask the fundamental questions: Do you have a risk assessment? Do you have an incident response plan? Do you use multi-factor authentication?

Frankly, most people would be surprised that their bank is subject to more stringent cybersecurity rules than their local water utility. But as I’ve said, we’re not waiting for someone else to do the job if we can do it ourselves.

Over the summer, we’ll be analyzing public comments and engaging stakeholders like we’re doing with this interview. Once that’s complete, we’ll move toward finalizing the rules after a thorough review.

So, no new sector coming just yet?

For now, the focus is on getting this right. But we’ll keep listening, learning, and pushing forward.
