The New York Public Service Commission Takes Steps to Protect Critical Energy Infrastructure and Utility Customers from Growing Cybersecurity Threats and Imposes Significant Regulatory Obligations on Regulated Public Service Companies
On June 13, 2025, the New York State Public Service Commission (PSC or Commission) issued an Order Instituting Proceeding to Establish Cybersecurity for Information Technology (Cybersecurity Proceeding) in Case 25-M-0302, which includes the presentation of draft regulations for stakeholder comment. The impetus for the proceeding is a recognition that the utility sector is a significant target of ever-increasing and changing cybersecurity threats, spurred by the 2023 amendment of the Public Service Law requiring gas and electric corporations to develop tools to protect consumer privacy, and by the Governor’s call to strengthen cybersecurity regulations for the State’s water resources. A significant focus of the draft regulation is the protection of Information Technologies (IT), including Personally Identifiable Information (PII), and Operational Technologies (OT). The goal is to create a dynamic set of “mandatory, minimum, enforceable standards” that are strong and agile enough to meet today’s threats, as well as those that are expected in the future. According to the Commission, the proposed draft regulations are a “first step” that will focus on IT and PII, with later proceedings to focus on OT.
Notably, the PSC has anchored its legal authority in the longstanding requirement that public utilities provide safe and adequate service at just and reasonable rates, together with the Commission's general supervisory authority and its power to order reasonable improvements to the management and operations of public utilities “as will best promote the public interest.” By doing so, the Commission has explicitly recognized that “adequate cybersecurity is now an intrinsic part of safe and adequate service.” The obligation, therefore, applies intrinsically to gas and electric corporations, water-works corporations, steam corporations, telephone corporations, and cable television companies. Through the draft regulations, however, the Commission has seen fit to exempt municipal corporations and regulated entities generally serving fewer than 50,000 customers.
With this intrinsic obligation in mind, the Commission’s draft regulations focus on the need for regulated entities to proactively identify risks and threats to their systems, to take reasonable action to mitigate such risks and remain vigilant, and to plan for recovery and the restoration of normal operations in a safe and timely manner. Accordingly, the draft regulations would obligate covered entities to adopt sound, risk-based cybersecurity practices that are designed to actively protect their respective IT systems and ensure the safety of PII. At a minimum, covered entities would be obligated to designate a qualified Chief Information Security Officer and provide annual certification by senior management confirming compliance.
In addition to a range of definitions, notable requirements included in the draft regulations include:
- The creation and maintenance of a Cybersecurity Program (Section 1200.2)
- Written Cybersecurity Policies (Section 1200.3)
- A Chief Information Security Officer (Section 1200.4)
- Continuous Monitoring (Section 1200.5)
- Written procedures and guidelines (Section 1200.8)
- Annual Risk Assessment (Section 1200.9)
- Department and Third-Party Audits (Sections 1200.17 and 1200.18)
- An Incident Response Plan (Section 1200.19)
- Credit Monitoring relationships and Notice obligations (Sections 1200.20 and 1200.21)
The draft regulations are expected to become effective on January 1, 2026, and interested parties are directed to file comments no later than September 15, 2025.
Hodgson Russ Take
While the proposed regulations are directed primarily at service providers, the means and methods employed by such entities will impact the full universe of utility customers and entities that engage with these covered entities. As an essential element of safe and adequate service, compliance programs will inevitably touch upon all aspects of a covered entity's business, including rules, requirements, and obligations of those entities that, by necessity, must access or use customer data, or similar information collected by these regulated entities.
For further information, please contact William McLaughlin or any other member of the Hodgson Russ Energy Practice.
Disclaimer: This client alert is a form of attorney advertising. Hodgson Russ LLP provides this information as a service to its clients and other readers for educational purposes only. Nothing in this client alert should be construed as, or relied upon, as legal advice or as creating a lawyer-client relationship.