NEM Requests New York PSC Issues Guidance On ESCO Cyber Security Issues, Seeks Modification Of Procedural Schedule
August 22, 2018 Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
The National Energy Marketers Association (NEM) submitted a petition to the New York PSC for commission guidance, and a related request for a modification to the procedural schedule, in Case 18-M-0376, which concerns energy market cyber security protocols and the associated business-to-business process that has been utilized by the joint utilities and ESCOs.
NEM said in its filing that the petition, "is warranted in view of the precedential effect that the proposed Data Security Agreement (DSA) and Self Attestation form have in establishing cybersecurity policy for the retail energy marketplace in the State of New York and also in effectively amending UBP Section 4 and UBP DER Section 2.C. Commission guidance is also warranted to resolve areas of disagreement identified in the business-to-business process. This petition and related request for schedule modification is submitted to facilitate prudent, reasonable and cost-effective compliance by ESCOs. The current date established by the Joint Utilities for ESCOs to execute the proposed Self Attestation form is August 24th and the current date established by the Joint Utilities for ESCOs to execute the proposed Data Service Agreement (DSA) is August 31st."
NEM noted in its petition that, in the order instituting Case 18-M-0376, the PSC directed that Staff’s Report to the Commission on the status of the business-to-business process undertaken to address cyber security issues be due August 31st as well.
"For the reasons set forth herein, NEM requests that the deadlines for ESCOs to execute the Self Attestation and DSA be extended for a reasonable period after Staff’s submission of its Report, an opportunity for stakeholder comment on the Report and a Commission decision providing guidance on the policy to be incorporated in the final versions of the DSA and Self-Attestation," NEM said in its petition.
NEM said in its petition that, "NEM supports the development of reasonable cybersecurity standards for the retail energy marketplace. This Commission is yet again demonstrating its leadership in the development of competitive retail energy policy by engaging stakeholders on this issue now. ESCO cybersecurity standards should be tailored to ESCOs' role as provider of energy commodity as well as value-added services. Many ESCOs and other third-party entities currently provide or intend to provide distributed energy resource products and services to consumers. Cybersecurity standards should be developed in a manner that does not unnecessarily restrict or inhibit these entities from accessing and analyzing customer data, obtained with customer consent, in order to deliver on the REV vision of providing DER products to engaged consumers. Cyber standards should also reflect the realities of ESCO business operations and the nature and extent of ESCO interactions with the utilities’ systems. ESCOs should not be subject to utility-scale cybersecurity standards. Utilities are responsible for reliably maintaining and protecting delivery infrastructure from cyber incidents as well as physical attacks in their roles as Distributed System Platform Providers. ESCOs do not perform that function and do not own, operate or maintain delivery assets."
NEM said in its petition that, "The ESCO community has been participating in good faith in a business-to-business process with the Joint Utilities, including in-person meetings and conference calls to discuss policy, legal and IT issues associated with the proposed Data Security Agreement (DSA) and Self Attestation form. NEM and its members appreciate the opportunity to have participated in the business-to-business process with the Joint Utilities. It was invaluable to gaining a better understanding of the proposed Data Security Agreement and Self Attestation form. An on-going cybersecurity workgroup was proposed during the July all parties meeting. NEM agrees that this would be an excellent way to permit stakeholders to continue the dialogue that has been established and to respond to ever-evolving challenges in this sphere."
NEM said in its petition that, "As a result of the business-to-business dialogue, the Joint Utilities have made some modifications to the proposed DSA and Self Attestation form that reflect certain ESCO recommendations and concerns, which we recognize and appreciate. Revised versions of the proposed Self-Attestation form and DSA were circulated by the Joint Utilities on August 2nd and August 16th, respectively. Notwithstanding the good faith efforts of the ESCO community and Joint Utilities to work through issues in the DSA and Self Attestation, areas of substantive disagreement remain. There are also provisions that continue to remain unclear from a compliance perspective. Indeed, ESCOs are still examining the new language in the documents to understand its meaning and impact. It is expected that Staff’s Report will identify these areas of disagreement, with recommendations for resolution, to the Commission."
NEM said in its petition that, "The current date established by the Joint Utilities for ESCOs to execute the proposed Self Attestation is August 24th and the current date established by the Joint Utilities to execute the proposed DSA is August 31st. As per the Order Instituting Proceeding that established the instant matter, Staff was directed to file a Report to the Commission on August 31st as well. Staff’s Report is 'to review the issues being addressed in the current business-to-business process between the Joint Utilities and energy service entities, and ensure that any issues that cannot be properly resolved in that forum are addressed in this proceeding.'"
NEM said in its petition that, "To NEM’s knowledge, to date, neither the DSA nor the Self Attestation have been filed by the Joint Utilities in the instant cybersecurity proceeding, in the UBP or UBP DER proceedings, or as a proposed utility tariff or in any other appropriate venue. As such, the Commission has not reviewed or approved the terms of the DSA or Self Attestation that ESCOs are being required to sign."
NEM said in its petition that, "Requiring ESCOs to sign the DSA and Self Attestation forms will have the effect of establishing these documents as regulatory mandates on New York cybersecurity policy for the retail energy marketplace. No such Commission cybersecurity policy has heretofore existed. No such cybersecurity policy has been subject to Commission review and received approval. The documents also effectively amend UBP Section 4 and UBP DER Section 2.C., which establish the practices for the release of customer information by the utilities to ESCOs and DER providers, respectively, using EDI. Simply stated, requiring ESCOs to sign the DSA and Self Attestation forms prior to the Commission having had the benefit of receiving and reviewing Staff’s report, receiving stakeholder comment on the Report, and evaluating the actual terms would be putting the cart before the proverbial horse. It is possible that the Commission may direct that further changes to the proposed DSA and/or Self Attestation are necessary. The Joint Utilities have also expressed that these documents are for the purposes of this year, raising the implication that the documents will require further revision and improvement, with commensurate changes in ESCO compliance obligations. It would be unreasonable and unnecessarily burdensome for ESCO compliance obligations to be subject to such a disjointed process. New York State cybersecurity policy for the retail energy marketplace cannot be adopted in this fashion, nor can amendments to the UBP and UBP DER. Because it is anticipated that these agreements will be applied to DER providers, these entities should be engaged in the review process as well and sooner rather than later."
NEM said in its petition that, "This petition and related request for modification of the schedule is made with the assurance that ESCOs are committed to adopting reasonable cybersecurity standards. We merely ask that the process for doing so allow ESCOs to have regulatory certainty that the standards that they implement reflect deliberate, well-reasoned Commission policy, after having received advice and recommendations from the Staff Report and stakeholder comment on the Report. In the interim, continued business-to-business dialogue on cybersecurity standards would continue to be helpful. The Commission can also be assured that ESCOs have implemented data protection measures on their own. For example, many ESCOs are already PCI DSS compliant. Also, New York law already prescribes how personally identifiable information of ESCO customers must be protected, and the UBP and UBP DER direct how EDI data transfers must occur."
NEM said in its petition that, "The compliance requirements associated with the proposed DSA and Self Attestation will effectively adopt cybersecurity policy for the retail energy marketplace in New York where none has existed before. The business-to-business process has been useful in allowing the parties to better understand the ramifications, costs, and burdens of the proposed requirements and reasonable modifications that will facilitate compliance without compromising data security. However, given the precedent-setting impact of the DSA and Self-Attestation for ESCOs, EDI vendors, other third-party representatives, and DER providers in the State of New York and nationwide, the use of a reasoned, deliberate approach by the Commission is critically important. The proposed DSA and Self Attestation also effectively amend UBP Section 4 and UBP Section 2.C. pertaining to the provision of customer information via EDI by requiring a regime for data access, use, storage and destruction far more prescriptive than the Commission has ever considered or required."
NEM said in its petition that, "It is also apparent that provisions of the proposed DSA and Self Attestation bear directly on the achievement of the Commission’s goals for the REV proceeding. This will be an inflection point for REV. If ESCOs and other DER providers are prevented from accessing, utilizing and analyzing customer data that they have been authorized by the consumer to receive, it will frustrate the purposes of REV. Relatedly, it will prevent the realization of the value of AMI investments that have and will be deployed to consumers."
NEM said in its petition that there are many provisions and terms in the proposed DSA and Self Attestation that would have the effect of setting cybersecurity policy and precedent and also have the effect of amending the UBP and UBP DER, listing in particular Customer Data (Confidential Utility Information), Third-Party Representatives, Cyber Insurance, Restrictions on Locations for Processing and Storage of Information, Utility Audit Rights of ESCO Operations, Return and Destruction of Information, Data Security Incident, and Self-Attestation Form Requirements.
NEM also noted that the DSA for community choice aggregation and the proposed DSA in the instant matter, "are materially different."
NEM noted that the Commission rejected the utilities' proposal to require $10 million in cybersecurity insurance by municipal aggregators and their third-party representatives in the CCA case. In the instant case, NEM noted that the joint utilities are proposing that ESCOs maintain $5 million in cybersecurity insurance.
NEM noted that the Commission rejected the utilities' proposal to include provisions on Data Access Controls and a required Information Security Program in the DSA for CCAs because the provisions were "overly prescriptive." In the instant case, NEM said that the Self Attestation form would require ESCOs to implement an extensive regime of data access controls and an information security program that are at least as prescriptive.
Regarding its request to modify the procedural schedule, NEM said in its petition, "Moreover, the Staff Report may take positions and make recommendations on issues that are different than both the positions of the Joint Utilities and the ESCOs. Requiring ESCOs to implement practices and programs to comply with the proposed DSA and Self Attestation now, when different or conflicting cybersecurity policy requirements may be recommended by Staff and ultimately adopted by the Commission is not reasonable. The Joint Utilities also expressed that the proposed DSA and Self Attestation form are for the purposes of this year, raising the implication that the documents will require further revision and improvement, with commensurate changes in ESCO compliance obligations. A reasoned, prudent approach to the adoption of cybersecurity policy and UBP/UBP DER modification that allows ESCOs to make targeted and cost-effective investments to implement compliance obligations should be utilized. This argues in favor of modifying the Procedural Schedule so that the deadlines for ESCOs to execute the Self Attestation and DSA are extended for a reasonable period after Staff’s submission of its Report, stakeholder comment on the Report and a Commission decision providing guidance on the policy to be incorporated in the final versions of the DSA and Self-Attestation."