(A) immediately report directly to the commission and
commission staff any cybersecurity concerns that the cybersecurity
monitor believes would pose a threat to continuous and adequate electric
service or create an immediate danger to the public safety, and notify
the affected utility or utilities of the information reported to the
commission or commission staff;
(B) regularly communicate with the commission and commission
staff, and keep the commission and commission staff apprised of its
activities, findings, and observations;
(C) coordinate with the commission and commission staff
to identify priorities; and
(E) coordinate with the commission and commission staff
to assess the resources and methods for cybersecurity monitoring,
including consulting needs.
(l) ERCOT's responsibilities and support role. ERCOT
must provide to the cybersecurity monitor any access, information,
support, or cooperation that the commission determines is necessary
for the cybersecurity monitor to perform the functions described by
subsection (f) of this section.
(1) ERCOT must conduct an internal cybersecurity risk
assessment, vulnerability testing, and employee training to the extent
that ERCOT is not otherwise required to do so under applicable state
and federal cybersecurity and information security laws.
(2) ERCOT must submit an annual report to the commission
on ERCOT's compliance with applicable cybersecurity and information
security laws by January 15 of each year or as otherwise determined
by the commission.
(3) Information submitted in the report under paragraph
(2) of this subsection is confidential and not subject to disclosure
under chapter 552, Government Code, and must be protected in accordance
with the confidentiality standards established in PURA, the ERCOT
protocols, commission rules, and other applicable laws.
(m) Participation in the cybersecurity monitor program.
(1) A transmission and distribution utility, a corporation
described in PURA §32.053, and a municipally owned utility or
electric cooperative that owns or operates equipment or facilities
in the ERCOT power region to transmit electricity at 60 or more kilovolts
must participate in the cybersecurity monitor program.
(2) An electric utility, municipally owned utility,
or electric cooperative that operates solely outside the ERCOT power
region may elect to participate in the cybersecurity monitor program.
(A) An electric utility, municipally owned utility,
or electric cooperative that elects to participate in the cybersecurity
monitor program must annually:
(i) file with the commission its intent to participate
in the program and to contribute to the costs of the cybersecurity
monitor's activities in the project established by commission staff
for this purpose; and
(ii) complete and submit to ERCOT the participant agreement
form available on the ERCOT website to furnish information necessary
to determine and collect the monitored utility's share of the costs
of the cybersecurity monitor's activities under subsection (n) of
this section.
(B) The cybersecurity monitor program year is the calendar
year. An electric utility, municipally owned utility, or electric
cooperative that elects to participate in the cybersecurity monitor
program must file its intent to participate and complete the participant
agreement form under subparagraph (A) of this subsection for each
calendar year that it intends to participate in the program.
(i) Notification of intent to participate and a completed
participant agreement form may be submitted at any time during the
program year, however, an electric utility, municipally owned utility,
or electric cooperative that elects to participate in an upcoming
program year is encouraged to complete these steps by December 1 prior
to the program year in order to obtain the benefit of participation
for the entire program year.
(ii) The cost of participation is determined on an
annual basis and will not be prorated.
(iii) A monitored utility that operates solely outside
of the ERCOT power region may discontinue its participation in the
cybersecurity monitor program at any time but is required to pay the
annual cost of participation for any calendar year in which the monitored
utility submitted a notification of intent to participate.
(3) Each monitored utility must designate one or more
points of contact who can answer questions the Cybersecurity Monitor
may have regarding a monitored utility's cyber and physical security
activities.
(n) Funding of the Cybersecurity Monitor.
(1) ERCOT must use funds from the rate authorized by
PURA §39.151(e) to pay for the cybersecurity monitor's activities.
(2) A monitored utility that operates solely outside
of the ERCOT power region must contribute to the costs incurred for
the cybersecurity monitor's activities.
(A) On an annual basis, ERCOT must calculate the non-refundable,
fixed fee that a monitored utility that operates solely outside of
the ERCOT power region must pay in order to participate in the cybersecurity
monitor program for the upcoming calendar year.
(B) ERCOT must file notice of the fee in the project
designated by the commission for this purpose and post notice of the
fee on the ERCOT website by October 1 of the preceding program year.
(C) Before filing notice of the fee as required by
paragraph (2)(B) of this subsection, ERCOT must obtain approval of
the fee amount and calculation methodology from the commission's executive
director.
|