Is Verizon first among equals? New York exempts the company and other telecoms from following cybersecurity rules

Published: 24 February 2026
Last updated: 25 February 2026
verizon_logo_screen_lincoln_deals
Abraham Lincoln advertisement across from a Verizon store in New York. Michael Nagle/Bloomberg/Getty

Telecom companies, including Verizon and Optimum, have successfully pushed New York state regulators to exclude them from new cybersecurity rules. Experts are raising red flags, warning that this will leave the state unable to monitor and ensure the security of sensitive customer information. But how did the tech giants pull this off?

Key takeaways:
  • Verizon and other phone companies successfully lobbied to be excluded from New York's proposed cybersecurity standards, citing lack of state authority over them.
  • Verizon spent nearly $1M on lobbying and donated $400K to Democratic campaigns in 2025, with multiple meetings at the governor's office and PSC.
  • Telecoms argued federal rules make state requirements redundant and costly, claiming compliance efforts would divert resources from actual security work.
  • Experts warn the exemption leaves New York unable to oversee how telecoms protect sensitive customer data at a time when cyberattacks on these networks are surging.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

In June 2025, the state Public Service Commission proposed a series of cybersecurity standards that required companies to follow a certain list of rules, such as:

ADVERTISEMENT
  • reporting incidents within three days
  • undergoing regular third-party audits
  • investigating and addressing vulnerabilities in their networks

At first, these rules were intended to be adopted by utility companies, such as gas, electricity, and water providers. However, the commission later considered extending the rules to telecommunications and broadcast TV companies as well.

electricity_lines_wires_winter_road
A worker for Wallingford Electric Division looks over lines along Route 5 in Wallingford. Dave Zajac/Connecticut Post via Getty

The rules were proposed in the light of growing cyber threats.

Cybernews has reported on FBI data that revealed Americans lost over $16 billion to cybercrime in 2024 alone. That’s a 33% increase from the previous year.

Moreover, both utilities and telecom networks have been a target of foreign adversaries and online criminal groups – a trend that is sounding alarm bells not only in the Americas, but in Europe, too.

Examples include Viasat’s breach by the Chinese-backed espionage group Salt Typhoon and a cyberattack that nearly caused a major blackout, carried out by a Russian state-linked hacking group called Electrum.

viasat black sign on glass wall reflecting blue sjy and trees
Logo of Viasat, on May 6, 2024, in Dublin, Ireland. NurPhoto/Contributor/Getty
ADVERTISEMENT

New York regulators decided to act on the potential threats, and Verizon, along with other telecoms, wasn’t happy.

As reported by Ezra Bitterman of the Times Union, the company argued that the state of New York lacked legal authority to impose these requirements on telecommunications networks and managed to dodge them.

Verizon pointed out that New York’s statutes explicitly oversee electric and gas utilities, but not phone or broadcast networks.

The company also argued that some requirements – such as conducting annual audits or needing to report incidents within 3 days – were redundant, as they were already covered by federal standards.

verizon_orange_man_phone_night
Photographer: Michael Nagle/Bloomberg via Getty Images

For example, the Cybersecurity and Infrastructure Security Agency (CISA) already mandates that incidents involving critical infrastructure be reported within 3 days.

Other companies had a similar approach to downplay New York’s proposed security standards. For example, USTelecom said that they were unreasonable and cited rules in power in California.

The Golden State allows large businesses to conduct annual internal audits and submit results to regulators, rather than requiring expensive third-party audits.

“Duplicative audits add cost without improving security. Companies want to be compliant, but efficiency matters too,” Paul Eisler, vice president of cybersecurity at USTelecom, said.

Verizon claimed that agreeing with New York regulators’ proposal would divert resources away from actual cyber defense work.

ADVERTISEMENT

Lobbyists rolled up their sleeves, and the money started flowing

According to lobbying records examined by the Times Union, Verizon and Optimum met with the governor’s office multiple times between July and December last year.

Verizon representatives met with Public Service Commission (PSC) staff at least 8 times between September and November.

Moreover, Verizon contributed $400,000 to state Democratic campaign committees and spent almost $1 million on state lobbying in 2025.

The PSC initially stated that the industry’s legal objections were “considered but rejected,” although the final updated rules removed phone and broadcast TV companies from the regulations.

Officials said the exemption was granted to allow for better review of the companies’ feedback. In contrast, critics claim that extensive lobbying determined the decision in favour of the telecoms companies.

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Nadella scoffs at AI giants as Microsoft may host China’s DeepSeek
Cruel cyber training in Canada: testing if exhausted employees would fall for a 'day off' scam
Cloudflare gives AI agents temporary accounts to deploy websites without human logins
Developers giving attackers a free ride after hundreds of iPhone AI apps found exposing credentials
This tiny European country is pioneering digital ID for AI agents
Canadian lender TD tells some employees it will use software to monitor their work
ADVERTISEMENT