Section 39.1516. Cybersecurity Monitor

TX Util § 39.1516 (2019) (N/A)

Sec. 39.1516. CYBERSECURITY MONITOR. (a) In this section, "monitored utility" means:

(1) a transmission and distribution utility;

(2) a corporation described in Section 32.053;

(3) a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts; or

(4) an electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region that has elected to participate under Subsection (d).

(b) The commission and the independent organization certified under Section 39.151 shall contract with an entity selected by the commission to act as the commission's cybersecurity monitor to:

(1) manage a comprehensive cybersecurity outreach program for monitored utilities;

(2) meet regularly with monitored utilities to discuss emerging threats, best business practices, and training opportunities;

(3) review self-assessments voluntarily disclosed by monitored utilities of cybersecurity efforts;

(4) research and develop best business practices regarding cybersecurity; and

(5) report to the commission on monitored utility cybersecurity preparedness.

(c) The independent organization certified under Section 39.151 shall provide to the cybersecurity monitor any access, information, support, and cooperation that the commission determines is necessary for the monitor to perform the functions described by Subsection (b). The independent organization shall use funds from the fee authorized by Section 39.151(e) to pay for the cybersecurity monitor's activities.

(d) An electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region may elect to participate in the cybersecurity monitor program or to discontinue participation. The commission shall adopt rules establishing:

(1) procedures for an electric utility, municipally owned utility, or electric cooperative to notify the commission, the independent organization certified under Section 39.151, and the cybersecurity monitor that the utility or cooperative elects to participate or to discontinue participation; and

(2) a mechanism to require an electric utility, municipally owned utility, or electric cooperative that elects to participate to contribute to the costs incurred by the independent organization under this section.

(e) The cybersecurity monitor shall operate under the supervision and oversight of the commission.

(f) The commission shall adopt rules as necessary to implement this section and may enforce the provisions of this section in the manner provided by this title. This section does not grant enforcement authority to the cybersecurity monitor or authorize the commission to delegate the commission's enforcement authority to the cybersecurity monitor. This section does not grant enforcement authority to the commission beyond authority explicitly provided for in this title.

(g) The staff of the cybersecurity monitor may communicate with commission staff about any cybersecurity information without restriction. Commission staff shall maintain the confidentiality of the cybersecurity information. Notwithstanding any other law, commission staff may not disclose information obtained under this section in an open meeting or through a response to a public information request.

(h) Information written, produced, collected, assembled, or maintained under Subsection (b), (c), or (g) is confidential and not subject to disclosure under Chapter 552, Government Code. A governmental body is not required to conduct an open meeting under Chapter 551, Government Code, to deliberate a matter described by Subsection (b), (c), or (g).

Added by Acts 2019, 86th Leg., R.S., Ch. 610 (S.B. 936), Sec. 3, eff. September 1, 2019.