ALJ Would Deny Complaint From Retail Suppliers Seeking To Void Utility's $5 Million Cybersecurity Insurance Requirement
December 27, 2021 Email This Story Copyright 2010-21 EnergyChoiceMatters.com
Reporting by Paul Ring • email@example.com
The following story is brought free of charge to readers byEC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
A Pennsylvania PUC ALJ would, in an initial decision, deny a complaint brought by a group of retail suppliers (NGSs) against National Fuel Gas Distribution Corporation (NFGD) in which the suppliers sought to void an NFGD tariff adopted by the Pennsylvania PUC that includes a $5,000,000 per incident cybersecurity insurance requirement, as well as an associated Data Security Agreement (DSA) and Self Attestation (SA)
The complaint was filed by EnergyMark LLC, Vineyard Oil & Gas Company, Mid American Natural Resources LLC, and Total Energy Resources LLC (NGSs). The Pennsylvania Independent Oil & Gas Association (PIOGA) intervened in support of the complaint
The ALJ summarized that, at issue here, is the lawfulness and reasonableness of NFGD’s Tariff Supplement 207, specifically the DSA and SA with the requirement that NGSs carry $5,000,000 cybersecurity insurance coverage.
"Tariff provisions approved by the Commission are prima facie reasonable," the ALJ noted
"The present controversy had its genesis on June 14, 2019, when NFGD filed a Supplement to its tariff which Supplement contained, among other items, a provision for a Data Security Agreement," the ALJ noted, quoting the tariff as follows:
"DATA SECURITY AGREEMENT As a condition of access to customer information via publicly available Company business systems, including but not limited to web portals, the Company will require parties requesting such access to sign a Data Security Agreement and require that parties carry and maintain Cybersecurity insurance in an amount no less than $5,000,000 per incident. A standard form Data Security Agreement will be provided in the Company’s Operational Procedures Manual. Such requirement shall not apply to customers with usage less than 5,000 mcf per year that seek to access their own customer account information. Further, the Company may accept Cybersecurity insurance provided under another agreement, provided that such agreement is substantially identical in form and effect as the standard form Data Security Agreement."
"This tariff filing was reviewed and subsequently approved by the Commission. No party had filed a complaint with respect to the tariff filing," the ALJ said
The NGSs alleged that NFGD, in filing Supplement No. 207 with the PUC, "misrepresent[ed]" the status of a similar tariff provision in New York
The NGSs alleged that, "NFGD manipulated the Commission process that approved Supplement No. 207 by misrepresenting the status of the DSA included with Supplement No. 207. NFGD based its filing of Supplement No. 207 on its claim that the DSA was 'patterned after the DSA in NFG’s New York service territory,' implying that it had both force and effect as well as the approval of the NYPSC."
The NGSs noted that the New York tariff was not in effect at such time, and that it underwent several significant changes prior to approval by the New York PSC.
"When the NYPSC did rule on the DSA, after a thorough consideration of an extensive record, it rejected the same portion of the DSA that is at issue here -- the $5 million cybersecurity insurance requirement," the NGSs noted
The NGSs further alleged, "NFGD misled suppliers to believe that it would adjust its Pennsylvania filing to reflect what ultimately was approved in New York, but NFGD did not do so."
However, NFGD said that none of the communications (part of marketer meetings, etc.) cited by NGSs stated that the Pennsylvania requirement
would be "the same" or "identical" to the New York requirements
The ALJ said that NGSs failed to meet their burden of proof to support the alleged misrepresentations
"I find that the Joint Complainants have not presented substantial evidence that they were intentionally misled by NGDC [sic, NFGD] so as to persuade the Joint Complainants not to take part in the Pennsylvania tariff proceeding that led to the Commission’s approval of Supplement No. 207," the ALJ said
"The Joint Complainants had notice and an opportunity to be heard before the Commission acted on the proposed Supplement and the cybersecurity section/DSA therein along
with the insurance requirement. No complaints were filed to the Supplement, which became effective on August 30, 2019," the ALJ said
"The Joint Complainants did not file a complaint at the time that the Commission was considering the requirements of Supplement 207 in 2019. Instead, the Joint Complainants elected to focus on a proceeding before the NYPSC in the expectation that the PA PUC ultimately would modify the requirements of Supplement 207 based on the outcome of that New York proceeding. That was a choice made by the Joint Complainants, and they have failed to show by a preponderance of the evidence that NFGD prevented them, by act or implication, from filing a Complaint against Supplement 207 in 2018-2019," the ALJ said
With the NGSs' allegations of misrepresentation disposed of, the ALJ found that the NGSs failed to meet their burden that the existing tariff is unlawful or unreasonable, or that circumstances have changed so dramatically as to warrant cancellation of the tariff provision
Among other things, NGSs alleged that the insurance requirement constitutes a barrier to market entry
"Considering the lawfulness and reasonableness of the cybersecurity DSA in total, I agree with NFGD’s argument that neither the Joint Complainants nor PIOGA have presented any studies, analyses, valuations, comparative cost estimates, or any other type of verifiable, substantive evidence in the record in this proceeding that supports their claims regarding the costs of obtaining cybersecurity insurance or the impacts of those costs on their members’ businesses. NGDC [sic, NFGD] Reply Brief at 8. This is a critical point. The Joint Complainants presented no evidence of actual costs for complying with the DSA cybersecurity insurance requirements and did not evaluate the effects of such costs on their businesses," the ALJ said
"Joint Complainants also contend that this case is about a utility seeking to gain a competitive advantage by implementing anti-competitive and far-reaching requirements for supplier access to its systems -- an advantage that if unchecked will irreparably damage the competitive market. Once again, neither PIOGA nor the Joint Complainants have presented evidence that persuades me that the requirements of Supplement 207 were formulated as a barrier to market entry that is anti-competitive and that will irreparably damage the competitive market, nor have PIOGA or the Joint Complainants demonstrated that this is even an unintended and unacceptable consequence of Supplement 207," the ALJ said
"As posed by the Joint Complainants, the contention that the cost of compliance with the financial requirements of the DSA poses an obstacle to market entry might be made against any provision that increases the cost to a potential market participant seeking to enter the market. I agree with NFGD that neither the Joint Complainants nor PIOGA presented evidence that substantiates the actual costs that would be incurred to obtain cybersecurity insurance," the ALJ said
While NGSs argued that NFGD lacks authority to impose additional financial security requirements on suppliers, the ALJ said that the provision in the Code cited by NGSs is a bonding requirement for natural gas suppliers specifically related to costs to LDCs from SOLR drops. "It does not preclude, explicitly or by implication, further security requirements that may be imposed on a natural gas supplier," the ALJ said
The ALJ would deny changes that NFGD proposed to the cybersecurity tariff during the complaint case, stating that the complaint case is not the correct forum for such changes. Such changes include revisions proposed by NGSs, now agreed to by NFGD, to more closely align language to that in New York, though the changes retain the $5 million insurance requirement
NFGD voluntarily suspended enforcement of the cybersecurity insurance requirements contained in Rule 33 of its Tariff and the Data Security Agreement (DSA) pending the outcome of the complaint