New York PSC Secretary Denies Extension Of Cyber Security ESCO Self-Attestation, Data Security Agreement Deadline
August 27, 2018 Email This Story Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
The following story is brought free of charge to readers byEC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
The Secretary of the New York PSC has denied a request from the National Energy Marketers Association to extend the deadlines for Energy Service Companies (ESCOs) to execute the Self-Attestation and Data Security Agreement (DSA) required by the joint utilities under a "business-to-business" process related to cybersecurity.
NEM had requested that the deadlines be extended pending a report on the business-to-business process from Department of Public Service Staff, as well as pending guidance from the PSC
In denying NEM's request, the Secretary in a response stated, "The deadlines at issue were established in the business-to-business process by the Joint Utilities in consultation with Staff and the industry. In the Order Instituting Proceeding (issued June 14, 2018) in the referenced proceeding, the Commission supported the business-to-business process to ensure that cyber security protections are being adequately addressed to mitigate vulnerability of utility systems to cyber-attacks, and to ensure that confidential and sensitive customer information remains safeguarded from potential data breaches. The Commission noted that cyber security threats have become a common occurrence, and the industry must be vigilant to protect against, detect and respond to these events."
The Secretary in a response stated, "I understand that Staff has worked closely with all parties to modify and refine the Self-Attestation and DSA, and expressed its view that the final product represents a fair and balanced outcome of a productive process. Moreover, Staff informs me that the results of ESCO compliance, or lack thereof, by the deadlines is an important input to its Report to the Commission."
"For these reasons, postponing the deadlines at this point will delay progress towards implementing cyber security protections. Therefore, I decline to modify the business-to-business deadline," the Secretary stated in a response to NEM's petition
The business-to-business process required Self-Attestations to be provided by August 24, 2018, and requires the completed DSA by August 31, 2018
Separately, Department of Public Service Staff has requested an extension of the August 31, 2018 deadline to file a report on the status of the business-to-business process undertaken to address cybersecurity issues as directed in the Commission’s Order Instituting Proceeding in Case 18-M-0376, issued June 14, 2018. Staff noted that the original milestones established in the business-to-business process have twice been delayed by the utilities at the request of the Energy Services Entity (ESE) parties, thus, the business-to-business process has not been completed by the end of August as expected.
Staff, therefore, requested an extension up to and including September 24, 2018 as necessary to allow the business-to-business process to conclude, evaluate the outcome of that process, and prepare a report in compliance with the Commission’s directive.