
PUC Asks Whether Retail Suppliers & Brokers Should Be Subject To Cybersecurity Obligations

November 14, 2022

Copyright 2010-21 EnergyChoiceMatters.com
Reporting by Paul Ring • ring@energychoicematters.com


The Pennsylvania Public Utility Commission (PUC) has issued an Advance Notice of Proposed Rulemaking Order (ANOPR) to review its current regulations relating to cybersecurity, including whether electric generation suppliers (EGSs) and natural gas suppliers (NGSs) should be subject to the regulations.

The PUC's definitions of EGS and NGS include brokers and aggregators, in addition to load serving suppliers.

The PUC's cybersecurity regulations fall into two groups: (1) cyber attack reporting regulations and (2) self-certification regulations.

The self-certification regulations currently apply to jurisdictional utilities, as defined by 52 Pa. Code § 101.2.

Licensed entities under the PUC’s supervision, including but not limited to electric generation suppliers (EGS) and natural gas suppliers (NGS), do not qualify as a "jurisdictional utility" under Section 101.2 and are thus not subject to the existing self-certification regulations.

The reporting regulations apply to a subset of utilities, and also do not currently apply to EGSs or NGSs.

The PUC sought comment "on whether the self certification regulations, or revisions thereto, should be applied to additional types of entities that are subject to the PUC’s supervision."

The PUC also stated, "there is an open question as to whether the reporting requirements should remain limited to water, electric, gas and steam public utilities, or be broadened to include any of the following: other certificated public utilities, such as wastewater and telecommunications public utilities, and licensed entities such as those providing EGS, NGS and TNC [transportation network company] services."

The PUC listed five potential regulatory approaches to ensure that public utilities (and potentially other entities) have adequate cybersecurity plans in place to respond to cyber threats:

• Similar to the existing regulations, require a public utility to self-certify that it has a plan, a program, or both, that complies with criteria set forth in the PUC’s regulations and to report annually to the PUC that such plans and/or programs exist and are updated and tested annually.

• Require a public utility to self-certify that it has a plan, a program, or both, that complies with an appropriate Federal or industry standard and to report annually to the PUC that such plans and/or programs exist and are updated and tested annually.

• Require a public utility to provide a third-party expert certification that the public utility has a plan, a program, or both, in place that comply with a relevant Federal or industry standard appropriate to that utility and to report annually to the PUC that such plans and/or programs exist and are updated and tested annually.

• Integrate an onsite review of cybersecurity measures, plans, and programs into the PUC’s public utility management audit process and examine cybersecurity measures, plans, and programs in place as a part of the management audit function.

• Require a public utility to file a confidential copy of its cybersecurity plans and programs with the PUC and enable the PUC to directly review and comment on the adequacy of such plans and programs and, where deficiencies exist, require conformance with regulatory standards.

The PUC sought comment on the relative merits and weaknesses of each of the above approaches.

With respect to the existing rules, which (in current or revised form) may in the future be applied to suppliers and brokers, the PUC sought comment on ways to streamline and otherwise improve the filing, handling, and storage of Self-Certification Forms.

The PUC also sought comment on whether and how to streamline the self-certification form, plan and reporting requirements to better calibrate the benefits of the existing regulations against the burdens they place on regulated entities, especially smaller utilities, and on PUC staff.

The PUC sought comment on potential ways to revise the reporting criteria in its existing regulations, including the potential addition of new requirements for reporting incidents involving IT.

The PUC sought comment with respect to the continuing efficacy of the $50,000 reporting threshold for cyber attacks in the current rule.

Docket L-2022-3034353


Copyright 2010-22 Energy Choice Matters.  If you wish to share this story, please email or post the website link; unauthorized copying, retransmission, or republication prohibited.

 
