Adopts Cybersecurity Regulations for Major Electric, Gas, Steam, and Water Utilities

April 16, 2026 Albany

PSC Adopts Nation’s Most Aggressive Cybersecurity Regulations for Major Electric, Gas, Steam, and Water Utilities

Toughest Information Technology Measures Will Help Better Protect Consumers Commission Action Will Help Prevent Foreign Terrorists from Targeting New York’s Energy Infrastructure ALBANY — The New York State Public Service Commission (Commission) today adopted the nation’s most aggressive Information Technology (IT) cybersecurity regulations for regulated electric, gas, steam, and water utilities. The new regulations will require these utilities to assess their specific risk profiles and to design a cybersecurity program to address risks in a robust fashion. Utilities will be required to protect their IT systems using generally accepted access controls and authentication practices and take affirmative steps to detect network intrusions. The new regulations are enforceable and require utilities to plan both to respond to and recover from cyber incidents.

“Cybersecurity threats to critical infrastructure are growing in number, intensity, and sophistication,” said Commission Chair Rory M. Christian. “Breach of IT cybersecurity can result in the dissemination of private customer data as well as substantial financial losses to companies. Protection of ratepayers from cybercriminals is a key reason to pursue stringent IT security for regulated utilities that interact with the public, specifically gas, electric, steam, and water providers. Today’s action is even more important now given that foreign actors abroad are beginning to target our energy infrastructure with a goal to cause economic havoc and hardship.”

Broadly defined, IT is any set of electronic systems used for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information. This includes systems as varied as billing systems, human resource management systems, and company websites. Information Technology systems are utilized across all electric, gas, steam and water entities regulated by the Commission.

The Public Service Law specifically requires the Commission to promulgate rules and regulations directing gas or electric corporations to develop and implement tools to monitor and protect customer privacy; these regulations will fulfill that mandate. The Commission continues to review whether the telecommunications industry should be included in the regulations, and it reserves its ability to possibly add that industry at a later date, if needed.

After the order is issued, the Secretary to the Commission will submit a Notice of Adoption to the Department of State and the regulations will take effect on June 1, 2026. Commission staff intend to begin the process of promulgating Operational Technology regulations for individual industries in the near future. In addition, staff will consider any additional regulations to address cybersecurity of the telecommunication industry within the confines of the Commission's authority.

Today’s decision may be obtained by going to the Commission Documents section of the Commission’s website at www.dps.ny.gov and entering Case Number 25-M-0302 in the input box labeled "Search for Case/Matter Number". Many libraries offer free Internet access. Commission documents may also be obtained from the Commission’s Files Office, 14th floor, Three Empire State Plaza, Albany, NY 12223 (518-474-2500). If you have difficulty understanding English, please call us at 1-800-342-3377 for free language assistance services regarding this press release.

-30-

26041/25-M-0302

Contact Kim Mashke

Contact us by phone:

Phone 518-474-7080

Contact us by email:

[email protected]

Map Directions:

3 Empire State Plaza
Albany NY, 12223