Bill Text: IL HB4725 | 2021-2022 | 102nd General Assembly | Introduced
Bill Title: Amends the Public Utilities Act. Provides that all public utilities are required to establish a security policy. Provides that Illinois Commerce Commission staff shall determine entities subject to the attestation and reporting requirements. Provides that each entity subject to the attestation and reporting requirements shall provide to the Commission, by July 31 of each year, an annual affidavit signed by a senior executive responsible for security of the regulated entity that states the entity has a security policy that satisfies specified requirements. Provides that the entity shall also, at least annually, provide to the Commission a report on the entity's cybersecurity program and related information. Provides that entities subject to this shall inform the Commission, in a written or oral report, within 48 hours or as soon as practicable, after the discovery or occurrence of any notable, unusual, or significant cybersecurity incident. Provides that attestations, reports, and other submissions made shall not be open to public inspection unless otherwise ordered by the Commission.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-03-04 - Rule 19(a) / Re-referred to Rules Committee [HB4725 Detail]
Download: Illinois-2021-HB4725-Introduced.html
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| 1 | AN ACT concerning regulation.
| |||||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||||
| 3 | represented in the General Assembly:
| |||||||||||||||||||||
| 4 | Section 5. The Public Utilities Act is amended by changing | |||||||||||||||||||||
| 5 | Section 4-101 and by adding Section 4-102 as follows:
| |||||||||||||||||||||
| 6 | (220 ILCS 5/4-101) (from Ch. 111 2/3, par. 4-101)
| |||||||||||||||||||||
| 7 | Sec. 4-101. The Commerce Commission shall have general | |||||||||||||||||||||
| 8 | supervision of all
public utilities, except as otherwise | |||||||||||||||||||||
| 9 | provided in this Act, shall inquire into
the management of the | |||||||||||||||||||||
| 10 | business thereof and shall keep itself informed as to the
| |||||||||||||||||||||
| 11 | manner and method in which the business is conducted. It shall | |||||||||||||||||||||
| 12 | examine those
public utilities and keep informed as to their | |||||||||||||||||||||
| 13 | general condition, their
franchises, capitalization, rates and | |||||||||||||||||||||
| 14 | other charges, and the manner in which
their plants, equipment | |||||||||||||||||||||
| 15 | and other property owned, leased, controlled or
operated are | |||||||||||||||||||||
| 16 | managed, conducted and operated, not only with respect to the
| |||||||||||||||||||||
| 17 | adequacy, security and accommodation afforded by their service | |||||||||||||||||||||
| 18 | but also with
respect to their compliance with this Act and any | |||||||||||||||||||||
| 19 | other law, with the orders
of the Commission and with the | |||||||||||||||||||||
| 20 | charter and franchise requirements.
| |||||||||||||||||||||
| 21 | Whenever the Commission is authorized or required
by law | |||||||||||||||||||||
| 22 | to consider some aspect of criminal history record information | |||||||||||||||||||||
| 23 | for
the purpose of carrying out its statutory powers and | |||||||||||||||||||||
| |||||||
| |||||||
| 1 | responsibilities,
then, upon request and payment of fees in | ||||||
| 2 | conformance with the requirements
of Section 2605-400 of the | ||||||
| 3 | Illinois State Police Law, the Illinois State Police is | ||||||
| 4 | authorized to furnish,
pursuant to positive identification, | ||||||
| 5 | such information contained in State
files as is necessary to | ||||||
| 6 | fulfill the request. | ||||||
| 7 | The Commission shall require all public utilities to | ||||||
| 8 | establish a security policy that includes on-site safeguards | ||||||
| 9 | to restrict physical or electronic access to critical | ||||||
| 10 | infrastructure and computerized control and data systems. The | ||||||
| 11 | Commission shall maintain a record of and each regulated | ||||||
| 12 | entity shall provide to the Commission an annual affidavit | ||||||
| 13 | signed by a representative of the regulated entity that | ||||||
| 14 | states:
| ||||||
| 15 | (1) that the entity has a security policy in place; | ||||||
| 16 | (2) that the entity has conducted at least one | ||||||
| 17 | practice exercise based on the security policy within the | ||||||
| 18 | 12 months immediately preceding the date of the affidavit; | ||||||
| 19 | and | ||||||
| 20 | (3) with respect to any entity that is an electric | ||||||
| 21 | public utility, that the entity follows, at a minimum, the | ||||||
| 22 | most current security standards set forth by the North | ||||||
| 23 | American Electric Reliability Council.
| ||||||
| 24 | (Source: P.A. 102-538, eff. 8-20-21.)
| ||||||
| 25 | (220 ILCS 5/4-102 new) | ||||||
| |||||||
| |||||||
| 1 | Sec. 4-102. Security policy. | ||||||
| 2 | (a) The Commission shall require public utilities to | ||||||
| 3 | establish a security policy in order to: | ||||||
| 4 | (1) gather sufficient information regarding entities | ||||||
| 5 | that affect large numbers of Illinois population while | ||||||
| 6 | balancing any administrative burden on Commission staff | ||||||
| 7 | and regulated entities; | ||||||
| 8 | (2) gather sufficient depth of information regarding | ||||||
| 9 | security policies, implementations, and incidents while | ||||||
| 10 | avoiding the creation of a repository of valuable | ||||||
| 11 | sensitive information residing in the Commission's | ||||||
| 12 | electronic and physical systems that may lead to | ||||||
| 13 | undesirable disclosure of critical infrastructure | ||||||
| 14 | information through legal, procedural, or technical means, | ||||||
| 15 | and making the Commission a target for attackers; and | ||||||
| 16 | (3) encourage regulated entities to go beyond minimum | ||||||
| 17 | security requirements and use a risk-based approach to | ||||||
| 18 | apply the most effective interventions in the | ||||||
| 19 | ever-evolving threat landscape. | ||||||
| 20 | (b) All public utilities are required to establish a | ||||||
| 21 | security policy. Commission staff shall, at the direction and | ||||||
| 22 | discretion of the Executive Director, determine entities | ||||||
| 23 | subject to the attestation and reporting requirements in this | ||||||
| 24 | Section. | ||||||
| 25 | (c) Each entity subject to the attestation and reporting | ||||||
| 26 | requirements of this Section, as identified in subsection (b), | ||||||
| |||||||
| |||||||
| 1 | shall provide to the Commission, by July 31 of each year, | ||||||
| 2 | submitted through electronic filing or as otherwise directed | ||||||
| 3 | by the Executive Director or designated Commission staff, and | ||||||
| 4 | the Commission shall maintain a record of, an annual affidavit | ||||||
| 5 | signed by a senior executive responsible for security of the | ||||||
| 6 | regulated entity that states the entity has a security policy | ||||||
| 7 | in place that: | ||||||
| 8 | (1) includes, but is not limited to, safeguards to | ||||||
| 9 | restrict physical and electronic access to critical | ||||||
| 10 | infrastructure and computerized control and data systems; | ||||||
| 11 | (2) is documented in electronic or paper format; | ||||||
| 12 | (3) is updated at least annually; | ||||||
| 13 | (4) includes at least one practice exercise based on | ||||||
| 14 | the security policy within the 12 months immediately | ||||||
| 15 | preceding the date of the affidavit; | ||||||
| 16 | (5) follows industry best practices and is based on | ||||||
| 17 | widely-accepted frameworks and standards, and | ||||||
| 18 | (A) with respect to any entity that is an electric | ||||||
| 19 | public utility, that the entity follows, at a minimum, | ||||||
| 20 | the most current security standards set forth by the | ||||||
| 21 | North American Electric Reliability Corporation; | ||||||
| 22 | (B) with respect to any entity that is a gas public | ||||||
| 23 | utility, that the entity follows, at a minimum, the | ||||||
| 24 | most current security standards or guidelines set | ||||||
| 25 | forth by the Transportation Security Agency; and | ||||||
| 26 | (C) with respect to any entity that is a water | ||||||
| |||||||
| |||||||
| 1 | public utility, that the entity follows, at a minimum, | ||||||
| 2 | the most current security standards or guidelines set | ||||||
| 3 | forth by the American Water Works Association and | ||||||
| 4 | recognized by the federal Environmental Protection | ||||||
| 5 | Agency; | ||||||
| 6 | (6) is appropriate for the entity's risk profile and | ||||||
| 7 | potential threats as identified in regular risk | ||||||
| 8 | assessments; | ||||||
| 9 | (7) requires implementation of risk management | ||||||
| 10 | strategies; | ||||||
| 11 | (8) has been assessed by a third-party at least every | ||||||
| 12 | 2 years for its implementation; | ||||||
| 13 | (9) has a program for addressing vulnerabilities found | ||||||
| 14 | through assessments; | ||||||
| 15 | (10) documents key contact information of other | ||||||
| 16 | entities with whom the regulated entity maintains | ||||||
| 17 | partnerships for information sharing, planning, and | ||||||
| 18 | situational awareness; | ||||||
| 19 | (11) manages security risks from both intentional and | ||||||
| 20 | unintentional insider actions; | ||||||
| 21 | (12) manages security risks from vendors throughout | ||||||
| 22 | the supply chain; and | ||||||
| 23 | (13) contemplates cybersecurity insurance, whether or | ||||||
| 24 | not the entity acquires or maintains cybersecurity | ||||||
| 25 | insurance. | ||||||
| 26 | (d) In addition to the annual attestations that the | ||||||
| |||||||
| |||||||
| 1 | regulated entity's security policy contains the components in | ||||||
| 2 | subsection (c), the regulated entity shall also, at least | ||||||
| 3 | annually, provide a written or oral annual report, | ||||||
| 4 | individually or jointly with other regulated entities, to the | ||||||
| 5 | Executive Director or designated Commission staff regarding | ||||||
| 6 | the regulated entity's cybersecurity program and related | ||||||
| 7 | information. This report shall include, but is not limited to, | ||||||
| 8 | the following information: | ||||||
| 9 | (1) an overview of the regulated entity's approach to | ||||||
| 10 | cybersecurity awareness and protection, including all | ||||||
| 11 | items listed in the attestation; | ||||||
| 12 | (2) a description of cybersecurity awareness training | ||||||
| 13 | efforts for the regulated entity's staff members, | ||||||
| 14 | specialized cybersecurity training for cybersecurity | ||||||
| 15 | personnel, and participation by the regulated entity's | ||||||
| 16 | cybersecurity staff in emergency preparedness exercises in | ||||||
| 17 | the previous calendar year; | ||||||
| 18 | (3) an organizational diagram of the regulated | ||||||
| 19 | entity's cybersecurity organization, including positions | ||||||
| 20 | and contact information for primary and secondary | ||||||
| 21 | cybersecurity emergency contacts; | ||||||
| 22 | (4) a description of the regulated entity's internal | ||||||
| 23 | and external communications plan regarding unauthorized | ||||||
| 24 | actions that result in interruption, degradation of | ||||||
| 25 | service, financial harm, or breach of sensitive business | ||||||
| 26 | or customer data, including the regulated entity's plan | ||||||
| |||||||
| |||||||
| 1 | for notifying the Commission and customers; | ||||||
| 2 | (5) a redacted summary of any unauthorized actions | ||||||
| 3 | that resulted in material interruption, financial harm, or | ||||||
| 4 | breach of sensitive business or customer data, including | ||||||
| 5 | the parties that were notified of the unauthorized action | ||||||
| 6 | and any remedial actions undertaken; | ||||||
| 7 | (6) key performance indicators and other metrics | ||||||
| 8 | related to physical security and cybersecurity; | ||||||
| 9 | (7) any notable cybersecurity information not included | ||||||
| 10 | in paragraphs (1) through (6); and | ||||||
| 11 | (8) any other information as directed by the Executive | ||||||
| 12 | Director or designated Commission staff. | ||||||
| 13 | (e) Regulated entities subject to this Section shall | ||||||
| 14 | inform the Commission, in a written or oral report, within 48 | ||||||
| 15 | hours or as soon as practicable, after the discovery or | ||||||
| 16 | occurrence of any notable, unusual, or significant | ||||||
| 17 | cybersecurity incident, or any cybersecurity incident that | ||||||
| 18 | must be reported to another regulatory agency, or as directed | ||||||
| 19 | by designated Commission staff, unless otherwise prohibited by | ||||||
| 20 | law or court order or instructed otherwise by law enforcement | ||||||
| 21 | personnel. | ||||||
| 22 | (f) Regulated entities subject to this Section shall make | ||||||
| 23 | the relevant security policy, assessments, reports, and | ||||||
| 24 | related documents available for review by designated | ||||||
| 25 | Commission staff. | ||||||
| 26 | (g) Attestations, reports, and other submissions made | ||||||
| |||||||
| |||||||
| 1 | under this Section shall not be open to public inspection | ||||||
| 2 | unless otherwise ordered by the Commission. Regulated entities | ||||||
| 3 | shall not report information otherwise required under this | ||||||
| 4 | Section if prohibited by law or court order or instructed | ||||||
| 5 | otherwise by law enforcement personnel. | ||||||
| 6 | (h) The Commission may adopt rules to implement this | ||||||
| 7 | Section.
| ||||||
