104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB3576

Introduced, by Rep. Dagmara Avelar

SYNOPSIS AS INTRODUCED:
220 ILCS 5/4-101 from Ch. 111 2/3, par. 4-101
220 ILCS 5/4-102 new

Amends the Public Utilities Act. Provides that, within 120 days after the effective date of the amendatory provisions, each water purveyor shall develop a cybersecurity program that defines and implements organizational accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public community water system. Provides that, within certain time periods after the effective date of the amendatory provisions, a water purveyor shall create a cybersecurity incident reporting process; obtain a cybersecurity insurance policy that meets certain standards; reasonably conform to the most recent version of one or more of specified industry-recognized cybersecurity frameworks; submit a compliance report; submit an incident report; and submit an annual status report. Sets forth provisions concerning violations of the amendatory provisions and rulemaking abilities of the Department of Natural Resources and the Illinois Commerce Commission. Makes other changes.

LRB104 08875 AAS 18930 b

A BILL FOR

AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Public Utilities Act is amended by changing Section 4-101 and by adding Section 4-102 as follows:

(220 ILCS 5/4-101) (from Ch. 111 2/3, par. 4-101)

Sec. 4-101. The Commerce Commission shall have general supervision of all public utilities, except as otherwise provided in this Act, shall inquire into the management of the business thereof and shall keep itself informed as to the manner and method in which the business is conducted. It shall examine those public utilities and keep informed as to their general condition, their franchises, capitalization, rates and other charges, and the manner in which their plants, equipment and other property owned, leased, controlled or operated are managed, conducted and operated, not only with respect to the adequacy, security and accommodation afforded by their service but also with respect to their compliance with this Act and any other law, with the orders of the Commission and with the charter and franchise requirements.

Whenever the Commission is authorized or required by law to consider some aspect of criminal history record information for the purpose of carrying out its statutory powers and responsibilities, then, upon request and payment of fees in conformance with the requirements of Section 2605-400 of the Illinois State Police Law, the Illinois State Police is authorized to furnish, pursuant to positive identification, such information contained in State files as is necessary to fulfill the request.

The Commission shall require all public utilities to establish a security policy that includes on-site safeguards to restrict physical or electronic access to critical infrastructure and computerized control and data systems. The Commission shall maintain a record of and each regulated entity shall provide to the Commission an annual affidavit signed by a representative of the regulated entity that states:

    (1) that the entity has a security policy in place;

    (2) that the entity has conducted at least one practice exercise based on the security policy within the 12 months immediately preceding the date of the affidavit; and

    (3) with respect to any entity that is an electric public utility, that the entity follows, at a minimum, the most current security standards set forth by the North American Electric Reliability Council.

A water public utility's security policy shall also meet the requirements set forth in Section 4-102.

(Source: P.A. 102-538, eff. 8-20-21.)

(220 ILCS 5/4-102 new)

Sec. 4-102. Cybersecurity policy for water purveyors.

(a) As used in this Section:

"Cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of computers, information systems, communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information residing on such computers or information systems.

"Cybersecurity insurance policy" means an insurance policy designed to mitigate losses from cybersecurity incidents, including, but not limited to, data breaches, business interruption, and network damage.

"Department" means the Department of Natural Resources.

"Industrial control system" means an information system used to control industrial processes such as manufacturing, product handling, production, or distribution. "Industrial control system" includes supervisory control and data acquisition systems used to control geographically dispersed assets, and distributed control systems and smaller control systems using programmable logic controllers to control localized processes.

"Information resource" means information and related resources, such as personnel, equipment, funds, and information technology.

"Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

"Public community water system" means a public water system which serves at least 15 service connections used by year-round residents or regularly serves at least 25 year-round residents.

"Public water system" means a system for the provision to the public of water for human consumption through pipes or other constructed conveyances, if such system has at least 15 service connections or regularly serves an average of at least 25 individuals daily at least 60 days out of the year. "Public water system" includes (i) any collection, treatment, storage and distribution facilities under control of the operator of such system and used primarily in connection with such system, and (ii) any collection or pre-treatment storage facilities not under such control which are used primarily in connection with such system.

"Water purveyor" means any person that owns a public community water system with more than 500 service connections.

(b) Within 120 days after the effective date of this amendatory Act of the 104th General Assembly, each water purveyor shall develop a cybersecurity program that defines and implements organizational accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to the water purveyor's public community water system. As part of the cybersecurity program, a water purveyor shall do the following:

    (1) identify the individual directly responsible for ensuring that the policies, plans, processes, and procedures established pursuant to this Section are executed in a timely manner;

    (2) conduct risk assessments and implement appropriate controls to mitigate identified risks to the public community water system;

    (3) maintain situational awareness of cyber threats and vulnerabilities to the public community water system; and

    (4) create and exercise incident response and recovery plans.

A water purveyor shall submit a copy of the cybersecurity program developed pursuant to this subsection (b) to the Commission in a form and manner as determined by the Commission.

(c) Within 60 days after developing the cybersecurity program required pursuant to subsection (b) of this Section, each water purveyor shall create a cybersecurity incident reporting process.

(d) No later than 180 days after the effective date of this amendatory Act of the 104th General Assembly, each water purveyor shall obtain a cybersecurity insurance policy that meets any applicable standards adopted by the Commission.

(e) No later than 180 days after the effective date of this amendatory Act of the 104th General Assembly, each water purveyor shall update its cybersecurity program developed pursuant to this Section to apply to all of the public community water system's industrial control systems and to reasonably conform to the most recent version of one or more of the following industry-recognized cybersecurity frameworks:

    (1) the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology;

    (2) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or

    (3) the International Organization for Standardization and International Electrotechnical Commission 27000 family of standards for an information security management system.

Whenever a final revision to one or more of the frameworks listed in this subsection (e) is published, a water purveyor whose cybersecurity program conformed to that framework shall revise its cybersecurity program to reasonably conform to the revised framework, and submit a copy of the revised cybersecurity program to the Commission, no later than 180 days after publication of the revised framework.

(f) No later than one year after the effective date of this amendatory Act of the 104th General Assembly, and each year thereafter, each water purveyor shall submit to the Department and the Commission a certification demonstrating that the water purveyor is in compliance with the requirements of this Section. The certification shall be made in a form and manner as determined by the Department, in consultation with the Commission. The certification shall be signed by a senior executive responsible for security of the regulated entity.

(g) The Commission shall cause to be audited any public community water system that fails to submit a cybersecurity program, a revision, or a certification pursuant to this Section. Any audit shall be conducted by a qualified and independent cybersecurity company, at the water purveyor's expense. Following the audit, the water purveyor shall submit the audit and any corrective action plans derived from the audit to the Commission.

(h) A water purveyor shall, upon the request of the Department or the Commission, provide proof of compliance with the requirements of this Section, in a form and manner as determined by the Department or by the Commission.

(i) On and after 90 days after the effective date of this amendatory Act of the 104th General Assembly, a water purveyor shall inform the Commission, in a written or oral report, within 48 hours or as soon as practicable after the discovery or occurrence of any notable, unusual, or significant cybersecurity incident or any cybersecurity incident that must be reported to another regulatory agency, including the following:

    (1) any cybersecurity incident that results in the compromise of the confidentiality, integrity, availability, or privacy of the water purveyor's utility billing, communications, data management, or business information systems, or the information on such systems; and

    (2) any cybersecurity incident against the water purveyor's industrial control systems, including monitoring, operations, and centralized control systems, that adversely impacts, disables, or manipulates infrastructure, resulting in loss of service, contamination of finished water, or damage to infrastructure.

(j) No later than 30 days after receiving a report of a cybersecurity incident from a water purveyor pursuant to subsection (i), the Commission shall cause to be audited the water purveyor's cybersecurity program and any actions the water purveyor took in response to the cybersecurity incident. The audit shall identify cyber threats and vulnerabilities to the public community water system, weaknesses in the public community water system's cybersecurity program, and strategies to address those weaknesses so as to protect the public community water system from the threat of future cybersecurity incidents. Any audit shall be conducted by a qualified and independent cybersecurity company at the water purveyor's expense. After the completion of the audit, the water purveyor shall submit the audit and any corrective action plans derived from the audit to the Commission.

(k) By July 31 of each year, a water purveyor shall provide to the Commission a report that identifies the following:

    (1) an overview of the water purveyor's approach to cybersecurity awareness and protection;

    (2) a description of cybersecurity awareness training efforts for the water purveyor's staff members, specialized cybersecurity training for cybersecurity personnel, and participation by the water purveyor's cybersecurity staff in emergency preparedness exercises in the previous calendar year;

    (3) an organizational diagram of the water purveyor's cybersecurity organization, including positions and contact information for primary and secondary cybersecurity emergency contacts;

    (4) a description of the water purveyor's internal and external communications plan regarding unauthorized actions that result in interruption, degradation of service, financial harm, or breach of sensitive business or customer data, including the water purveyor's plan for notifying the Commission and customers;

    (5) a redacted summary of any unauthorized actions that resulted in material interruption, financial harm, or breach of sensitive business or customer data, including the parties that were notified of the unauthorized action and any remedial actions undertaken;

    (6) key performance indicators and other metrics related to physical security and cybersecurity;

    (7) any notable cybersecurity information not included in paragraphs (1) through (6); and

    (8) any other information as directed by the Commission.

(l) The Department or the Commission shall create a centralized portal allowing for electronic submittal of the report required under this Section. The lack of a centralized portal pursuant to this subsection (l) shall not negate the requirement for a water purveyor to submit a report.

(m) Any person who violates the provisions of this Section, or any rule or regulation adopted pursuant thereto, shall be subject to the penalties and other remedies set forth in Sections 4-202 and Section 4-203. No later than 18 months after the effective date of this amendatory Act of the 104th General Assembly, the Department shall adopt a schedule of civil administrative penalties for specific violations of this Section.

(n) Reports and other submissions made under this Section shall not be open to public inspection unless otherwise ordered by the Commission. Regulated entities shall not report