How we protect the work you trust us with
Security & Privacy
Clients trust NewGen with rate cases, testimony drafts, customer and meter data, and regulatory strategy. Our security program is designed to protect this confidentiality.
We handle highly sensitive utility information, including load forecasts, customer billing data, draft testimony, regulatory positioning, and competitive rate strategy. A data leak can alter the outcome of a rate case, undermine a CCA’s competitive position, or compromise a regulatory filing.
Every NewGen consultant operates within a controlled environment. Devices, identities, and data are managed according to standards maintained and reviewed by our IT team.
Access to systems containing client data requires more than a password. Each consultant verifies their identity with a second factor before accessing sensitive information.
Company-issued laptops use full-disk encryption. Client data stored in our cloud environments is encrypted at rest, preventing exposure if devices are lost or stolen.
Consultants receive access to highly confidential work only if they are approved for the project. Access is removed promptly through a documented offboarding process when a project ends or a team member leaves.
We do not subcontract client work without written consent. Vendors with access to client data are held to the same standards as our internal team.
NewGen maintains cyber liability insurance. Certificates of insurance, including named-insured language when required, are available upon request during procurement.
Our network filters outbound traffic to block known-malicious destinations. This keeps an accidental click on a phishing link from resulting in a connection to those destinations, adding a layer of defense.
Passive defenses are not sufficient. Our environment is continuously monitored by a managed detection and response provider, with vulnerabilities triaged and remediated through a documented program. If an incident occurs, we respond from a written plan.
A third-party security operations team continuously monitors our environment and can investigate and contain incidents at any time.
We routinely assess our systems for security weaknesses. Findings are prioritized by exposure and impact, then remediated through a documented program reviewed by IT leadership.
Our written incident response plan outlines how we identify, contain, and recover from security events, including communication protocols with affected clients in accordance with engagement terms.
We use email filtering and anti-phishing controls, and authenticate outbound mail (SPF, DKIM, DMARC) to reduce the risk of domain impersonation.
We continuously monitor underground forums and credential dumps for exposed NewGen email addresses or passwords. If credentials are found, we rotate them and investigate before they can be used against client data.
Our domain’s SPF, DKIM, and DMARC records are public DNS records. Any procurement or security team can independently verify them — no NDA required.
All consultants participate in recurring security awareness training that covers phishing, social engineering, and the practical habits that keep client data safe.
Personnel with access to client data are subject to background checks consistent with applicable law and the requirements of the engagement.
A designated IT lead is responsible for the security program. Policies are reviewed annually, and any changes to our security infrastructure prompt a review of these public commitments.
Even the most advanced control can fail if a consultant clicks a malicious link. We invest in training our team to recognize threats, ask critical questions, and escalate issues promptly, as your engagement team is the first line of defense for your data.
We ensure transparency by mapping each commitment on this page to a documented control that our IT team can provide during procurement. We update this page as controls change.
Our internal security program follows industry-recognized frameworks, including the NIST Cybersecurity Framework and CIS Controls, and is tracked through a centralized control catalog reviewed annually. If a client requires alignment with a specific standard or contractual security exhibit, we work with their team during onboarding.
Our program is organized around the lifecycle of identify, protect, detect, respond, and recover.
We use practical, prioritized safeguards to evaluate the maturity of each control area.
Our master services agreement includes a security exhibit covering data handling, breach notification, and audit rights.
Available where your contracting or compliance team requires a separate DPA for client data.
This public page is intentionally concise. Detailed controls, vendor information, and scoped attestations are included in a separate security packet, which we share with your procurement and security teams under your standard terms.
For procurement teams
We respond promptly. Please contact us, and we will provide the materials your security and procurement teams need to complete vendor onboarding.