State Utility Commissions Likely Will Move on Cybersecurity if Congress Fails to Act
If Congress fails to pass cybersecurity legislation this year, state commissions will likely step in, said officials representing industry and state regulators. States like California are already “out in the front” in terms of cybersecurity policies, said Brett Kilbourne, vice president-government and industry affairs at the Utilities Telecom Council. State commissions have the authority to require utilities to incorporate cybersecurity protections, officials said.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
As efforts in the Senate continued in an effort to reach a compromise on cybersecurity standards for critical infrastructure, the National Association of Regulatory Utility Commissioners released a report (http://xrl.us/bnbn99) asking state utility commissioners to work with regulated utilities and ensure that they are taking “prudent steps and making sound investments for installing cybersecurity protections.” While state regulators are not directly responsible for installing these protections, “it may fall to regulators to ask questions of utilities to determine if there are [cybersecurity] gaps and facilitate action,” the report said.
State commissions have the power to require cybersecurity protections “to the extent they have jurisdiction over a service,” said Brad Ramsay, NARUC general counsel. The “jurisdiction to do so is a little bit more obvious” in the power sector than in the telecom sector, because there are some providers where by state statute, the PUCs have no jurisdiction, he said. “The reasons we regulate never change,” he said, and one reason is to ensure reliable service as well as restoration of service after a disruption in “all sectors.” If a state commission can require a company to “inspect your telephone poles, the odds are they also could tell that company it has to assure its network is protected against cyber attacks,” he said. On the telecom side, state authority to review cybersecurity precautions and costs are clearest for the small “rate-of-return” carriers and other carriers that retain carrier-of-last-resort obligations, he said.
As for whether state commissions can actually set cybersecurity standards, Ramsay said they probably could, but the “more important question is should the commission set standards and, if so, what type of standards they should be.” For example, states can require carriers to have backup power for service: “That is a standard.” But it’s unlikely that commissions would provide detailed technical standards on cybersecurity, he said. They could potentially set general guidelines or benchmarks. “I don’t know that that would be a likely thing for a state commission to do in the context of cybersecurity.” There’s nothing to “stop a state from trying to provide some cybersecurity requirements as long as it does not conflict with any federal requirements,” said Kilbourne. The NARUC report aims at educating policymakers about cybersecurity issues and “get[ting] them up to speed,” he said: “I am sure NARUC feels the need to take a more active role” in the area.
Depending on the state, commissions “absolutely can” ask regulated companies to act on cybersecurity, said a former state commissioner. “Almost all public service commissions have general rate authority, which covers just about anything.” It isn’t just the case that regulators are “looking for something to do on cybersecurity,” she said. When reviewing rate cases, regulators are “getting presented with utility requests to receive compensation for the expenditure they have made to secure their system,” she said. “Telecom, energy and natural gas providers are all more than likely quite sophisticated in this area,” she said, and are spending money on cybersecurity for which “they are ultimately going to seek some reimbursement.”
If Congress fails to act, it “opens up an opportunity for the states to regulate,” said Kilbourne. Some state commissioners such as Carolene Mays in Indiana already have indicated they want to “investigate” utilities’ cybersecurity preparedness, he said. Mays said in Indianapolis recently that cybersecurity is one “of our major concerns right now because utilities across the country are just not prepared,” the Evansville Courier & Press reported (http://xrl.us/bnboiy).
The role of state commissions in “cybersecurity continues to be more important than ever and you will continue to see states taking a very active role in working with their utilities to ensure these crucial systems are protected,” said Laura Chappelle, former chairman of the Michigan Public Service Commission.