| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to a cybersecurity monitor for certain electric utilities. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Subchapter D, Chapter 39, Utilities Code, is |
|
|
amended by amending Section 39.1516 to read as follows: |
|
|
Sec. 39.1516. CYBERSECURITY MONITOR. (a) In this section, |
|
|
"monitored utility" means: |
|
|
(1) a transmission and distribution utility; |
|
|
(2) a corporation described in Section 32.053; |
|
|
(3) a municipally owned utility or electric |
|
|
cooperative that owns or operates equipment or facilities in the |
|
|
ERCOT power region to transmit electricity at 60 or more kilovolts; |
|
|
or |
|
|
(4) an electric utility, municipally owned utility, or |
|
|
electric cooperative, or power generation company that operates |
|
|
solely outside the ERCOT power region that has elected to |
|
|
participate under Subsection (d); or |
|
|
(5) a power generation company |
|
|
(b) The commission and the independent organization |
|
|
certified under Section 39.151 shall contract with an entity |
|
|
selected by the commission to act as the commission's cybersecurity |
|
|
monitor to: |
|
|
(1) manage a comprehensive cybersecurity outreach |
|
|
program for monitored utilities; |
|
|
(2) meet regularly with monitored utilities to discuss |
|
|
emerging threats, best business practices, and training |
|
|
opportunities; |
|
|
(3) review self-assessments voluntarily disclosed by |
|
|
monitored utilities of cybersecurity efforts; |
|
|
(4) research and develop best business practices |
|
|
regarding cybersecurity; and |
|
|
(5) report to the commission on monitored utility |
|
|
cybersecurity preparedness. |
|
|
(c) The independent organization certified under Section |
|
|
39.151 shall provide to the cybersecurity monitor any access, |
|
|
information, support, and cooperation that the commission |
|
|
determines is necessary for the monitor to perform the functions |
|
|
described by Subsection (b). The independent organization shall |
|
|
use funds from the fee authorized by Section 39.151(e) to pay for |
|
|
the cybersecurity monitor's activities. |
|
|
(d) An electric utility, municipally owned utility, or |
|
|
electric cooperative, or power generation company that operates |
|
|
solely outside the ERCOT power region mayshall elect to |
|
|
participate in the cybersecurity monitor program or to discontinue |
|
|
participation. The commission shall adopt rules establishing: |
|
|
(1) procedures for an electric utility, municipally |
|
|
owned utility, or electric cooperative to notify the commission, |
|
|
the independent organization certified under Section 39.151, and |
|
|
the cybersecurity monitor that the utility or cooperative elects to |
|
|
participate or to discontinue participation; and |
|
|
(2) a mechanism to require an electric utility, |
|
|
municipally owned utility, or electric cooperative that elects to |
|
|
participate to contribute to the costs incurred by the independent |
|
|
organization under this section. |
|
|
(e) The cybersecurity monitor shall operate under the |
|
|
supervision and oversight of the commission. |
|
|
(f) The commission shall adopt rules as necessary to |
|
|
implement this section and mayshall enforce the provisions of this |
|
|
section in the manner provided by this title. This section does not |
|
|
grant enforcement authority to the cybersecurity monitor or |
|
|
authorize the commission to delegate the commission's enforcement |
|
|
authority to the cybersecurity monitor. This section does not |
|
|
grant enforcement authority to the commission beyond authority |
|
|
explicitly provided for in this title. |
|
|
(g) The staff of the cybersecurity monitor may communicate |
|
|
with commission staff about any cybersecurity information without |
|
|
restriction. Commission staff shall maintain the confidentiality |
|
|
of the cybersecurity information. Notwithstanding any other law, |
|
|
commission staff may not disclose information obtained under this |
|
|
section in an open meeting or through a response to a public |
|
|
information request. |
|
|
(h) Information written, produced, collected, assembled, or |
|
|
maintained under Subsection (b), (c), or (g) is confidential and |
|
|
not subject to disclosure under Chapter 552, Government Code. A |
|
|
governmental body is not required to conduct an open meeting under |
|
|
Chapter 551, Government Code, to deliberate a matter described by |
|
|
Subsection (b), (c), or (g). |
|
|
SECTION 2. To the extent of any conflict, this Act prevails |
|
|
over another Act of the 87th Legislature, Regular Session, 2021, |
|
|
relating to nonsubstantive additions to and corrections in enacted |
|
|
codes. |
|
|
SECTION 3. This Act takes effect September 1, 2021. |