Cyber Security in New York

6/4/2018 6:50:42 PM


On May 31, the New York Department of Public Service Staff hosted a meeting to discuss recently proposed Data Security Agreements (DSA) and Vendor Risk Assessments (VRA).  All parties (ESCOs and 3rd parties) with direct or indirect access to Utility systems must meet the new requirements.  These new regulations are a source of conflict in the industry, and all parties should decide where they stand on the topic and take immediate action as a result.

At this meeting, the Joint Utilities presented their case as to why these new measures were necessary and stressed the importance of moving forward quickly.  The ESCO and EDI Provider community countered that this needed to be a collaborative effort between them and the Utilities to best address the risk. The NY DPS Staff supported the Utilities’ authority to implement these new requirements and also supported continued dialogue on how best to implement them.  However, the Staff made it clear that this will not be rolled out through a lengthy back-and-forth discussion over several months, but in an urgent manner.

Key Takeaways

  • The Utilities will work to standardize their VRAs as much as possible in the next few weeks to reduce unnecessary redundancy of ESCO efforts
  • The Utilities have agreed to a 3-week comment period (ending June 22) during which ESCOs and EDI Providers are allowed to submit their official objections, concerns, and suggestions
  • The Utilities will listen to process-oriented concerns only, and deem any discussion of the following as non-negotiable:
    • $10M Cyber Insurance requirement
    • Periodic VRAs to ensure compliance
    • Indemnification in the DSA
    • Acceptance of Liability in the DSA
  • The Staff will distribute specific instructions for how ESCOs can submit VRA information in a secure manner to each Utility as well as where to submit official comments for the Utilities
  • The Staff will schedule another meeting soon after the comment period to discuss further

The meeting has made it clear that these new requirements will definitely be implemented.  ESCOs and EDI Providers are roughly halfway through the original 60-day timeframe allowed by the Utilities.  It’s possible that the deadline may be extended, but there are no guarantees at this point, and it likely won’t be extended for long.  If your business has not been following this topic and taking action to complete the DSA and VRA, then we suggest you take action quickly!