New York EDCs Urge Swift Action By PSC Confirming Ability To Deny Access To ESCOs Not Signing DSA
May 20,2019
The joint New York utilities have filed reply comments with the New York PSC requesting that the PSC take "swift" action to confirm that the utilities may prohibit ESCOs and other entities (energy service entities or ESEs) from accessing utility systems if ESEs do not comply with the cybersecurity requirements developed by the utilities
The reply comments largely recite the utilities' previously reported concerns and positions
"In sum, despite conceding that there may be cyber risk or risk of losing customer information, the objecting parties incorrectly argue that the Joint Utilities’ have not demonstrated that ESEs should be required to sign a Data Security Agreement ('DSA') and meet the minimum cyber security standards in the technical requirements checklist in the DSA, known as the Self Attestation ('SA'). Indeed, the comments demonstrate many parties’ preference that there be no requirements associated with their connections to utility systems to receive customer data. Fundamentally, the ESEs that oppose the DSA prefer to maintain the status quo, that is, where the Joint Utilities, and thus, their customers, absorb the risks and costs associated with cyber security and data protection for the ESEs’ transactions with the Joint Utilities," the utilities said
"The status quo cannot and should not be maintained, and the Commission should take swift action to make clear that ESEs – in particular those that have not signed -- must promptly comply with the minimum data security requirements contained in the DSA to continue to
connect to utility systems and receive confidential customer information. The ESEs should be responsible and accountable for their actions and appropriately protect their cyber environments and customer data received from the Joint Utilities. As the Court of Appeals just expressly affirmed without equivocation in response to a challenge from energy service companies ('ESCOs'), the Commission is authorized to condition access to utility infrastructure. As the Commission has already found for Community Choice Aggregation ('CCA'), the Joint Utilities assert that minimum cyber security standards and a corresponding DSA must be a condition of such access for all ESEs," the utilities said
Among other things, the utilities asked that the PSC:
• Affirm the Joint Utilities’ authority to require ESEs to satisfactorily complete a DSA and prohibit ESEs from electronic access to utility systems as well as customer data without a DSA
• Affirm the Joint Utilities’ authority to require cyber security insurance
• Affirm the Joint Utilities’ authority to require ESE indemnification of the Joint Utilities.