Utility Significantly Lowers Cybersecurity Amount Required From Retail Suppliers (Was $5 Million); Files Other Data Security Revisions For Suppliers
October 5, 2022 Copyright 2010-21 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
In Pennsylvania, National Fuel Gas Distribution Corporation ('Distribution' or the 'Company') has proposed changes to the applicable tariff pages (Rule 33) related to cybersecurity and the standard Data Security Agreement (DSA) and Self Attestation (SA) required from retail suppliers.
Notably, National Fuel Gas Distribution would, under the filing, decrease the minimum
cybersecurity coverage requirement from $5,000,000 to $2,000,000, "in light of changing market
"As a part of this filing, the
Company has re-evaluated the $5,000,000 minimum requirement. Based on this re-evaluation,
Distribution has become aware that the costs of obtaining cybersecurity insurance policies that are
compliant with Rule 33 and the DSA have substantially increased over the past three (3) years.
Distribution also believes that a $2,000,000 minimum requirement will ensure that marketers have
sufficient coverage and cybersecurity protections in place and will mitigate cost concerns for the
marketers," the utility said.
Distribution said that it is also proposing revisions to the DSA and SA that incorporate feedback from natural gas suppliers (NGSs) during a collaborative process.
"Rule 33 (and other associated tariff pages) has also been revised to clarify its
applicability to marketers, suppliers and agents based upon the level of access to Distribution’s
system that is afforded to these entities," Distribution said.
For example, certain requirements may not apply
to Third Party Representatives that are not electronically interconnected with
Distribution other than by email.
Distribution said that the various changes under the filing, "more closely align the DSA and SA with the versions of those
documents that apply in New York (which the NGSs previously identified were preferable)."
Distribution said that the filing includes the previously proposed changes below, which were based upon the
feedback Distribution received from NGSs during a collaborative process, including:
• a revision to the auditing requirements that confirms a third-party auditor will be
• an affirmation that the NGS will determine and implement the necessary Data
Protection Requirements needed to be in compliance with the DSA and SA;
• elimination of the requirement that an NGS will require a third-party representative
that is not connected to Distribution’s system to abide by the DSA and SA; and
• a confirmation that no encryption in transit is required for email communications.