By: Shaheen H.B. No. 4397
A BILL TO BE ENTITLED
AN ACT
relating to a cybersecurity monitor for certain electric utilities.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter D, Chapter 39, Utilities Code, is
amended by amending Section 39.1516 to read as follows:
Sec. 39.1516. CYBERSECURITY MONITOR. (a) In this section,
"monitored utility" means:
(1) a transmission and distribution utility;
(2) a corporation described in Section 32.053;
(3) a municipally owned utility or electric
cooperative that owns or operates equipment or facilities in the
ERCOT power region to transmit electricity at 60 or more kilovolts;
or
(4) an electric utility, municipally owned utility, or
electric cooperative, or power generation company that operates
solely outside the ERCOT power region that has elected to
participate under Subsection (d); or
(5) a power generation company
(b) The commission and the independent organization
certified under Section 39.151 shall contract with an entity
selected by the commission to act as the commission's cybersecurity
monitor to:
(1) manage a comprehensive cybersecurity outreach
program for monitored utilities;
(2) meet regularly with monitored utilities to discuss
emerging threats, best business practices, and training
opportunities;
(3) review self-assessments voluntarily disclosed by
monitored utilities of cybersecurity efforts;
(4) research and develop best business practices
regarding cybersecurity; and
(5) report to the commission on monitored utility
cybersecurity preparedness.
(c) The independent organization certified under Section
39.151 shall provide to the cybersecurity monitor any access,
information, support, and cooperation that the commission
determines is necessary for the monitor to perform the functions
described by Subsection (b). The independent organization shall
use funds from the fee authorized by Section 39.151(e) to pay for
the cybersecurity monitor's activities.
(d) An electric utility, municipally owned utility, or
electric cooperative, or power generation company that operates
solely outside the ERCOT power region mayshall elect to
participate in the cybersecurity monitor program or to discontinue
participation. The commission shall adopt rules establishing:
(1) procedures for an electric utility, municipally
owned utility, or electric cooperative to notify the commission,
the independent organization certified under Section 39.151, and
the cybersecurity monitor that the utility or cooperative elects to
participate or to discontinue participation; and
(2) a mechanism to require an electric utility,
municipally owned utility, or electric cooperative that elects to
participate to contribute to the costs incurred by the independent
organization under this section.
(e) The cybersecurity monitor shall operate under the
supervision and oversight of the commission.
(f) The commission shall adopt rules as necessary to
implement this section and mayshall enforce the provisions of this
section in the manner provided by this title. This section does not
grant enforcement authority to the cybersecurity monitor or
authorize the commission to delegate the commission's enforcement
authority to the cybersecurity monitor. This section does not
grant enforcement authority to the commission beyond authority
explicitly provided for in this title.
(g) The staff of the cybersecurity monitor may communicate
with commission staff about any cybersecurity information without
restriction. Commission staff shall maintain the confidentiality
of the cybersecurity information. Notwithstanding any other law,
commission staff may not disclose information obtained under this
section in an open meeting or through a response to a public
information request.
(h) Information written, produced, collected, assembled, or
maintained under Subsection (b), (c), or (g) is confidential and
not subject to disclosure under Chapter 552, Government Code. A
governmental body is not required to conduct an open meeting under
Chapter 551, Government Code, to deliberate a matter described by
Subsection (b), (c), or (g).
SECTION 2. To the extent of any conflict, this Act prevails
over another Act of the 87th Legislature, Regular Session, 2021,
relating to nonsubstantive additions to and corrections in enacted
codes.
SECTION 3. This Act takes effect September 1, 2021.