On August 27, 2019, FERC and NERC staffs issued a Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards. In that White Paper, FERC/NERC staffs propose departing from FERC’s historical practice of withholding most material details regarding CIP Reliability Standard violations. FERC has recently signaled an appetite to depart from that practice by disclosing the names of a handful of allegedly violating electric utilities in response to Freedom of Information Act (FOIA) requests.
FERC/NERC staff now recommend that exceptional practice become the rule. Specifically, the White Paper proposes that each CIP Notice of Penalty (CIP NOP) NERC submits to FERC for endorsement would consist of two documents:
(NERC itself does not directly impose penalties on registered entities, but instead issues CIP NOPs proposing penalties that are subsequently endorsed by FERC.) The White Paper assures that any change in practice adopted by NERC and FERC would be implemented on a going-forward basis to CIP NOPs submitted to FERC after adoption of the White Paper’s proposal.
FERC received over 80 comments on the White Paper before the end of the comment period on October 28. (Although the FERC Commissioners themselves did not vote to approve the White Paper, a majority of the Commission has publicly endorsed its approach.) Stakeholders may get another opportunity to comment on the White Paper’s proposals if FERC/NERC later decide to adopt them formally.
Striking a New Balance Between Transparency and Security
The White Paper responds to an “unprecedented” number of FOIA requests for information on alleged violations—many of them requesting the name of offending electric utilities. The White Paper suggests that FERC staff is having difficulty processing those FOIA requests in a consistent manner: FERC staff must comb through the contents of each CIP NOP to discriminate between information meriting confidentiality as Critical Energy Infrastructure Information (CEII) and information that can be released to the public. This time-consuming, subjective process has satisfied neither industry nor public advocacy groups.
The White Paper strikes a new balance between transparency and security. FERC/NERC staff contend that transparency would be improved by a new, public cover sheet containing enough information to assist the public in determining which electric utilities have robust compliance programs. Similarly, the new, confidential attachment would improve security by (1) reducing the potential for inadvertent release of sensitive information resulting from FERC staff’s case-by-case evaluation of CIP NOP contents in response to FOIA requests and (2) requiring mitigation measures to be in place before NERC submits CIP NOPs to FERC for endorsement.
But Not Everyone Is Convinced the White Paper Strikes the Right Balance
Reaction to the White Paper was mixed. Some public advocacy groups and state government officials welcomed the White Paper as a first step in improving accountability of electric utilities for CIP Reliability Standard violations. In contrast, several electric utility trade associations and the U.S. Department of Energy called for FERC and NERC to avoid disclosing electric utilities’ names, lest highlighting utility-specific vulnerabilities in the bulk power system make it easier for hackers to plan and execute future cybersecurity attacks.
The White Paper Underscores the High Stakes Involved in Electric Utilities’ Insurance For Cyberattacks
The debate over the effectiveness of the White Paper’s name-and-shame approach in preventing cyberattacks on the bulk power system underscores the substantial cyber risks utilities face and, likewise, the importance of appropriate insurance for those cyber risks. Electric utilities should keep in mind a few key points with respect to coverage for cyber-related incidents:
The White Paper’s proposed name-and-shame approach could also introduce a new wrinkle in negotiations between electric utilities and insurers over cyber coverage. Disclosure of a pattern of cybersecurity-related CIP violations by an electric utility may prompt regulators to demand the utility obtain robust cyber coverage. Similarly, a pattern of CIP violations by an electric utility may lead to insurers demanding higher premiums, offering smaller limits, imposing additional coverage limitations/exclusions, or refusing to insure a utility altogether.
Electric utilities are increasingly the target of cyberattacks. FERC/NERC’s White Paper is one response to that threat—but it could have secondary effects for risk management tools such as insurance products. Pillsbury’s experienced insurance coverage attorneys are available to assist corporate policyholders in the negotiation of cyber coverage or in connection with coverage claims arising out of cyber incidents. And Pillsbury’s energy regulatory attorneys are available to assist clients in monitoring relevant FERC dockets for changes in FERC/NERC’s practice regarding CIP NOPs and cybersecurity issues.
* Richard Mroz is managing director of Resolute Strategies LLC.