New York PSC Denies Another ESCO Request For Extension Of Data Security Agreement Deadline
September 4, 2018 Email This Story Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
The following story is brought free of charge to readers byEC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
The Secretary of the New York PSC has denied a request from Liberty Power for an extension of the August 31 deadline for ESCOs to execute new Data Security Agreements (DSA) required by the joint utilities under a "business-to-business" process related to cybersecurity.
Although the Secretary had recently denied a similar petition from the National Energy Marketers Association, in denying the NEM petition the Secretary had noted that the DSA deadline did not apply to NEM itself (although the request was denied on other grounds as well).
In its request dated August 30, Liberty Power, which is subject to the DSA as an ESCO, had said, "Liberty Power fully supports the New York State Public Service Commission’s initiative on establishing industry-wide best practices in Cyber Security for the state of New York. However, as was noted multiple times by various members of the ESCO community in the business to business meetings, if the same incident that occurred in March 2018 with the EDI Provider were to recur, the marketplace would be no more resilient or secure than it was in March. While some progress has been made in the business meetings, Liberty Power does not believe the current form of the Data Security Agreements ('DSAs') actually supports a more secure New York market. For example, Liberty Power believes that allowing for additional EDI processors to be certified per ESCO and the development of business process 'safety nets' that mitigate disruptions in EDI connections will ensure that the New York market is robust and able to withstand disruptions.
Liberty Power had further stated in its request that, "In addition, the process undertaken to create the DSAs has been hasty and has not led to addressing the concerns of the retailer community around the new role that the Joint Utilities are granted through the DSAs to become overseers of the retail marketplace. As the lack of proper resolution to the concerns of the ESCO community highlights, this new role/power of the Joint Utilities, if not properly bounded and in-check, lends itself to creep of scope into areas that should not be part of the utilities’ domain and can open the door to unintended consequences and abuse of power in a way that undermines retail choice. The cyber security landscape is ever changing, and the market needs a process that can evolve rapidly, is driven in a collaborative way, and is led with experts who can ensure that cyber risks are properly managed and avoided. To achieve the Commission’s objective of increasing security, while maintaining a robust retail marketplace, Liberty Power requests that the Commission extend the August 31, 2018 deadline by 30 days and asks the Commission to direct the ESCO and Utilities to submit a joint recommendation on cyber security that can be universally adopted into the UBP."
In denying Liberty's request for an extension, the PSC's Secretary stated, "The deadlines at issue were established in the business-to-business process by the Joint Utilities in consultation with Staff and the industry. In the Order Instituting Proceeding, issued June 14,2018, in the referenced proceeding, the Commission supported the business-to-business process to ensure that cyber security protections are being adequately addressed to mitigate vulnerability of utility systems to cyber-attacks, and to ensure that confidential and sensitive customer information remains safeguarded from potential data breaches. The Commission noted that cyber security threats have become a common occurrence, and the industry must be vigilant to protect against, detect and respond to these events."
In denying Liberty's request for an extension, the PSC's Secretary stated, "I understand that Staff has worked closely with all parties to modify and refine the DSA, and expressed its view that the final product represents a fair and balanced outcome of a productive process. Moreover, Staff informs me that the results of energy service entity compliance, or lack thereof, by the deadline is an important input to its Report to the Commission."
In denying Liberty's request for an extension, the PSC's Secretary stated, "Because postponing the deadlines at this point will delay progress towards implementing cyber security protections and it is unclear that the requested extension will produce net benefits, I decline to modify the business-to-business deadline."
The PSC's Secretary's ruling pertained only to Liberty's request for an extension of time. The Secretary stated that Liberty's request regarding the submission of a joint recommendation on cyber security is a matter for the Commission.