BILL ANALYSIS

 

 

Senate Research Center

S.B. 936

86R7104 GRM-F

By: Hancock

 

Business & Commerce

 

3/8/2019

 

As Filed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

The security and safety of electric utility assets is a prime concern for the economic and physical well-being of the state. Threats to computer systems have recently become a widely discussed public concern. In addition to physical assets like poles and wires, electric utilities rely on intricate computer networks to operate. Electric utilities are working to secure their information resources against malicious actors and comply with federal standards for cybersecurity, but much of the work utilities do to secure their networks has been done apart from any oversight and coordination.

 

The objective of this bill is to develop a framework for collaboration between the Public Utility Commission of Texas, Texas electric utilities, and the Electric Reliability Council of Texas (ERCOT) regarding efforts to secure critical electric infrastructure from cyber vulnerabilities. The cybermonitor program is not intended to be a traditional compliance standard, but rather outreach to Texas electric utilities to evaluate corporate practices and programs for infrastructure protection and assist in identifying vulnerabilities and areas for improvement.

 

Bill Analysis

 

Section 1

 

The bill requires the Public Utility Commission to allow an electric utility to recover costs associated with the cybersecurity monitor program.

 

Section 3

 

The bill sets forth a cybersecurity monitor program. The bill defines "monitored utility" to include transmission and distribution utilities, the Lower Colorado River Authority, and municipally-owned utilities or electric cooperatives that operate electric transmission facilities. The bill also allows entities that operate outside ERCOT to elect to participate in the program, including electric utilities, municipally-owned utilities, or electric cooperatives.

 

The bill requires the Public Utility Commission to select an entity to act as PUC's cybersecurity monitor. The cybersecurity monitor will: (1) manage a comprehensive cybersecurity outreach program for monitored utilities; (2) meet regularly with monitored utilities to discuss emerging threats, best business practices, and training opportunities; (3) review self-assessments by monitored utilities of cybersecurity efforts; (4) research and develop best business practices regarding cybersecurity; and (5) report to the PUC on monitored utility cybersecurity preparedness.

 

The bill requires ERCOT to contract with this entity and to provide support and information to the cybersecurity monitor. The bill requires ERCOT to use funds from the ERCOT fee to fund the activities of the cybersecurity monitor.

 

The bill allows a utility that is outside ERCOT to elect to participate in the cybersecurity monitor program. The bill requires PUC to create a process for non-ERCOT utilities that choose to participate to contribute to the costs of the cybersecurity monitor program.

 

The bill specifies that no new enforcement authority is granted to the PUC through the cybersecurity monitor program.

 

The bill allows staff of the cybersecurity monitor to communicate with PUC staff and requires PUC staff and commissioners to maintain the confidentiality of cybersecurity information. The bill specifies that information from the cybersecurity monitor is not subject to the Texas Open Records Act. Deliberations of a government body to consider information from the cybersecurity monitor program are also not required to be open meetings.

 

Sections 2, 4, 5, 6, 7, 8, 9, and 10 make conforming changes.

 

As proposed, S.B. 936 amends current law relating to a cybersecurity monitor for certain electric utilities.

 

RULEMAKING AUTHORITY

 

Rulemaking authority is expressly granted to the Public Utility Commission of Texas in SECTION 3 (Section 39.1516, Utilities Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Subchapter E, Chapter 36, Utilities Code, by adding Section 36.213, as follows:

 

Sec. 36.213. ADJUSTMENT FOR CYBERSECURITY MONITOR COSTS FOR CERTAIN UTILITIES. (a) Provides that this section does not apply to an electric utility that operates solely outside of the Electric Reliability Council of Texas (ERCOT) and has not elected to participate in the cybersecurity monitor program under Section 39.1516.

 

(b) Requires the Public Utility Commission of Texas (PUC), on its own motion or on the petition of an electric utility, to allow the electric utility to recover reasonable and necessary costs incurred in connection with activities under Section 39.1516.

 

SECTION 2. Amends Section 39.002, Utilities Code, to include Section 39.1516 in, and to delete Section 39.903 (System Benefit Fund) from, the list of sections that apply to a municipally owned electric cooperative.

 

SECTION 3. Amends Subchapter D, Chapter 39, Utilities Code, by following Section 39.1516, as follows:

 

Sec. 39.1516. CYBERSECURITY MONITOR. (a) Defines "monitored utility."

 

(b) Requires PUC and the independent organization certified under Section 39.151 (Essential Organizations) to contract with an entity selected by PUC to act as the PUC cybersecurity monitor to perform certain activities.

 

(c) Requires the independent organization certified under Section 39.151 (Independent Organization) to provide to the cybersecurity monitor any access, information, support, and cooperation that PUC determines is necessary for the monitor to perform the functions described by Subsection (b).� �Requires the independent organization to use funds from the fee authorized by Section 39.151(e) (relating to an administrative fee that an independent organization is authorized by PUC to charge wholesale buyers and sellers and other certain budgetary requirements) to pay for the cybersecurity monitor's activities.

 

(d) Authorizes an electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region to elect to participate in the cybersecurity monitor program or to discontinue participation. Requires PUC to adopt rules establishing:

 

(1) procedures for an electric utility, municipally owned utility, or electric cooperative to notify PUC, the independent organization certified under Section 39.151, and the cybersecurity monitor that the utility or cooperative elects to participate or to discontinue participation; and

 

(2) a mechanism to require an electric utility, municipally owned utility, or electric cooperative that elects to participate to contribute to the costs incurred by the independent organization under this section.

 

(e) Requires the cybersecurity monitor to operate under the supervision and oversight of PUC.

 

(f) Requires PUC to adopt rules as necessary to implement this section and authorizes PUC to enforce the provisions of this section in the manner provided by this title. Provides that this section does not grant enforcement authority to the cybersecurity monitor or authorize PUC to delegate PUC's enforcement authority to the cybersecurity monitor. Provides that this section does not grant enforcement authority to PUC beyond authority explicitly provided for this title.

 

(g) Authorizes the staff of the cybersecurity monitor to communicate with PUC �staff about any cybersecurity information without restriction. Requires PUC staff to maintain the confidentiality of the cybersecurity information. Prohibits PUC staff, notwithstanding any other law, from disclosing information obtained under this section in an open meeting or through a response to a public information request.

 

(h) Provides that information written, produced, collected, assembled, or maintained under Subsection (b), (c), or (g) is confidential and not subject to disclosure under Chapter 552 (Public Information), Government Code. Provides that a governmental body is not required to conduct an open meeting under Chapter 551 (Open Meetings), Government Code, to deliberate a matter described by Subsection (b), (c), or (g).

 

SECTION 4.� Amends Section 39.402(a), Utilities Code, to prohibit the provisions of this chapter, other than this subchapter, Sections 39.1516, 39.904, and 39.905 (Goal for Energy Efficiency), rather than Sections 39.904 and 39.905, and the provisions relating to the duty to obtain a permit from the Texas Commission on Environmental Quality for an electric generating facility and to reduce emissions from an electric generating facility, from applying to an electric utility until the date on which the electric utility subject to this subchapter is authorized by PUC to implement customer choice.

 

 

SECTION 5.� Amends Section 39.452(d), Utilities Code, to make a conforming change.

 

SECTION 6. Amends Section 39.502(b), Utilities Code,� to make a conforming change.

 

SECTION 7. Amends Section 39.552(b), Utilities Code,� to make a conforming change

 

SECTION 8.� Amends Section 40.001(b), Utilities Code, to include Section 39.1516 among the sections to which a river authority operating a steam generating plant on or before January 1, 1999, is subject.

 

SECTION 9. Amends Section 40.004, Utilities Code, as follows:

 

Sec. 40.004. Provides that except as specifically otherwise provided in this chapter, PUC has jurisdiction over municipally owned utilities for the following purposes:

(1)�(5) makes no changes to these subdivisions;

 

(6) deletes existing text requiring collection of the nonbypassable fee established under Section 39.903(b) (relating to the financing of the system benefit fund) and makes a nonsubstantive change;�

 

(7) makes a nonsubstantive change to this subdivision; and

 

(8) to evaluate and monitor the cybersecurity preparedness of a municipally owned utility described by Section 39.1516(a)(3) or (4).

 

SECTION 10. Amends Section 41.004, Utilities Code, as follows:

 

Sec. 41.004. JURISDICTION OF COMMISSION. Provides that PUC, except as specifically provided otherwise in this chapter, only has jurisdiction over electric cooperatives for certain reasons including to evaluate and monitor the cybersecurity preparedness of an electric cooperative described by Section 39.1516(a)(3) or (4). Makes nonsubstantive changes.

 

SECTION 11.� Provides that to the extent of any conflict, this Act prevails over another Act of the 86th Legislature, Regular Session, 2019, relating to nonsubstantive additions to and corrections in enacted codes.

 

SECTION 12. Effective date: September 1, 2019.