Energy Choice
                            

Matters

New York Utilities Oppose "Delay" In New Data Security Agreements, Liability Insurance For ESCOs

June 11, 2018

Email This Story
Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • ring@energychoicematters.com

The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com

The joint New York utilities have urged the New York PSC to not delay the ongoing expedited process for entering new Data Security Agreements (DSAs) and Vendor Risk Assessments (VRAs) with ESCOs and EDI vendors by imposing new timelines or proceedings that delay, "this vital effort."

As previously reported, the Retail Energy Supply Association had asked the PSC to open a formal process to address the changes sought by the utilities

The utilities noted that the UBP permits each utility to discontinue an ESCO’s participation in the retail access program where, "Failure to act that is likely to cause, or has caused, a significant risk or condition that compromises ... system security, or operational reliability of the distribution utility's system."

"A recent cyber event made clear that absent a DSA with appropriate protections including a vendor risk assessment, liability assurance, indemnification and cyber insurance, utility systems and customer information are at risk," the utilities said

"In response to the specific request in RESA’s letter to establish a new proceeding with modified timelines, the Utilities do not believe such a proceeding is required or appropriate, since this would unnecessarily prolong the period during which utilities and their customers are at risk from ESCOs and EDI vendors interacting with utility systems without more comprehensive cyber protections and agreements in place. The Utilities note that a process, accessible forum for comments, and reasonable timeline to gather stakeholder comments on the VRA and DSA have already been established. The timelines built into the existing process are already closely aligned with the timelines proposed by RESA. The accessible forum for comments and collaboration utilizes the existing EDI working group website. Access to this platform and working group is available to all interested stakeholders, and is already being used to share documents and promote collaboration for EDI and the Joint Utilities’ DSA and VRA efforts," the utilities said

"Further, if RESA disagrees with the proposed process it has an available remedy under the UBP’s dispute resolution process. The UBP’s dispute resolution process is a 65 day process that provides for submission to the Commission if resolution is not reached within that time period and allows for an expedited process in an emergency situation where, as in this instance there is a threat to utility systems and/or a significant financial risk. RESA’s proposal would needlessly prolong the process, and therefore, the risk to customers and utilities," the utilities said

"Though not mentioned in the RESA Letter, there is an urgent need to close potential gaps in cyber protection and to take immediate action to limit the period during which the utilities and their customers have exposure to risks associated with ESCO and EDI vendor interactions. The need for expediency has already driven the Utilities to provide uniform DSA and VRA terms, promote use of the existing EDI working group website, and push for prompt and reasonable timelines for entering into DSAs. At the request of ESCOs and other stakeholders, the Utilities have already agreed to extend the timeframe for entering DSAs, in some cases greater than 60 days. However, utility systems are at risk now, as demonstrated by the recent cyber-incident, and any action that delays efforts to close this gap only prolongs the period that utilities and their customers are unprotected," the utilities said

"Finally, the need for utilities to require insurance to mitigate utility and customer risk is not new or unique to cyber protection. It is customary for the Commission to expect utilities to seek insurance from vendors and suppliers for risks posed by the work they perform. Insuring for Cyber security risk is no different than insuring for environmental site investigation and remediation risks from vendors. It is especially important in this case, particularly for EDI providers who have no direct relationship with the Joint Utilities," the utilities said

ADVERTISEMENT
NEW Jobs on RetailEnergyJobs.com:
• NEW! -- Commercial Accounts Support Specialist -- Retail Supplier
• NEW! -- Sales Executive
• NEW! -- Direct Sales -- Retail Supplier
• NEW! -- Channel Sales - Associate -- Retail Supplier
• NEW! -- Operations Analyst -- Retail Supplier
• NEW! -- Sr. Business Development Manager -- Retail Supplier
• NEW! -- Sales Support Specialist -- Retail Supplier