Board To Investigate NS Power Cybersecurity Incident | Nova Scotia Energy and Regulatory Boards Tribunal

October 1, 2025 – Today, Nova Scotia Power submitted its second Monthly Update on the cybersecurity incident. Read the update HERE.

The next Monthly Update is due November 1, 2025. A full Incident Report is due by December 31, 2025.

Other documents related to this matter are publicly available by searching "M12273" in our database HERE.

September 18, 2025 — Yesterday, the Board issued a letter to Nova Scotia Power addressing two items: the utility's first Monthly Update and confidentiality issues related to the filling of public documents in the cybersecurity investigation.

Monthly Update #1

The Board found the initial Monthly Update lacking in detail, noting it repeated information that was previously provided and in the public domain. The Board expected a clearer explanation of how the cybersecurity incident is affecting business systems, customers, and regulatory proceedings. Future updates must include a summary of impacts of the cybersecurity incident, actions taken, and timelines for resolution.
The next update is due October 1, 2025, and continuing the first day of each month thereafter, without any delays.

Confidentiality

The Board recognizes NS Power’s concerns about the sensitivity of information to be provided and understands that it will seek Board approval to provide information confidentially. If those requests are challenged, the utility will need to further explain why it is necessary to hold the designated information in confidence.
Consistent with the Board's practice, some or all of the information that will be filed confidentially may be accessed by formal intervenors in the proceeding under appropriate confidentiality undertakings.

Additionally, the Board noted that NS Power submitted responses to the Board's information requests, focused on frequently raised concerns and questions from customers, on September 5, 2025. The Board is currently reviewing these responses and will address them separately.

Read the full letter HERE.

July 14, 2025 — Today, the Board issued a letter to NS Power, requesting a report from the utility about the cybersecurity incident. A copy of that letter, indicating what should be included in the incident report, is available HERE.

The Board expects NS Power to file its report by the end of this year. However, it has given NS Power the option to propose an alternative date if the utility believes the deadline is not achievable.

Until the report is filed, NS Power must submit monthly updates on its response to the cybersecurity incident and progress in preparing the report. The first update is due no later than August 1, 2025.

Once the report is filed, the Board will launch a public process to review both the report and NS Power's planning for and response to the incident. Stephen T. McGrath, K.C., (Board Chair); Roland A. Deveau, K.C., (Board Vice Chair); and Richard J. Melanson, LL.B., (Board Member) are leading the Board's investigation and will oversee the public process.

The Board continues to work with MNP Digital, which is independently assessing the cybersecurity incident on behalf of Board Counsel and staff. NS Power has provided a high-level briefing about the incident to MNP, Board Counsel, and staff. The Board recognizes that NS Power’s response to this incident and its own investigations are ongoing.

Finally, the Board has received numerous Letters of Comment from NS Power customers regarding the cybersecurity incident. The Letters have been entered as part of the Board's proceeding and Board staff have prepared information requests for NS Power that touch on concerns and questions from customers. Those information requests will be issued to NS Power shortly, with responses due three weeks later.

The Board is committed to conducting a thorough and transparent proceeding. Every effort will be made to ensure the process is open and accessible to the public. However, some information may be withheld to protect security, personal privacy, and other confidential matters. This balance is necessary to maintain both accountability and safety.

Documents related to this matter are available by searching "M12273" in our database HERE.

June 12, 2025 — Over the past few weeks, the Board has been assembling its team and working to define the scope of the investigation. We have engaged MNP to provide cybersecurity expertise.

The next step is for NS Power to give MNP an initial briefing. Once that briefing has occurred, the Board will determine the rest of the process for the proceeding.

Documents related to this matter are publicly available. To access them, search "M12273" in our database HERE.

May 15, 2025 — The Nova Scotia Energy Board has opened a formal proceeding to investigate the Nova Scotia Power cybersecurity incident. We are currently in discussions with cybersecurity experts to engage them in the matter.

We recognize that Nova Scotia Power is currently focused on recovery and mitigation efforts. Our process is not intended to interfere with that critical work. Our role is to ensure regulatory oversight and accountability while allowing the utility to concentrate on restoring systems and supporting impacted customers.

We take this matter very seriously and are committed to a thorough and transparent process.