102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB4725

Introduced 1/27/2022, by Rep. Bob Morgan

SYNOPSIS AS INTRODUCED:

220 ILCS 5/4-101  from Ch. 111 2/3, par. 4-101
220 ILCS 5/4-102 new

    Amends the Public Utilities Act. Provides that all public utilities are required to establish a security policy. Provides that Illinois Commerce Commission staff shall determine entities subject to the attestation and reporting requirements. Provides that each entity subject to the attestation and reporting requirements shall provide to the Commission, by July 31 of each year, an annual affidavit signed by a senior executive responsible for security of the regulated entity that states the entity has a security policy that satisfies specified requirements. Provides that the entity shall also, at least annually, provide to the Commission a report on the entity's cybersecurity program and related information. Provides that entities subject to this shall inform the Commission, in a written or oral report, within 48 hours or as soon as practicable, after the discovery or occurrence of any notable, unusual, or significant cybersecurity incident. Provides that attestations, reports, and other submissions made shall not be open to public inspection unless otherwise ordered by the Commission.


LRB102 22900 SPS 32053 b

A BILL FOR

HB4725 LRB102 22900 SPS 32053 b

    AN ACT concerning regulation.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 5. The Public Utilities Act is amended by changing Section 4-101 and by adding Section 4-102 as follows:

    (220 ILCS 5/4-101)  (from Ch. 111 2/3, par. 4-101)
    Sec. 4-101. The Commerce Commission shall have general supervision of all public utilities, except as otherwise provided in this Act, shall inquire into the management of the business thereof and shall keep itself informed as to the manner and method in which the business is conducted. It shall examine those public utilities and keep informed as to their general condition, their franchises, capitalization, rates and other charges, and the manner in which their plants, equipment and other property owned, leased, controlled or operated are managed, conducted and operated, not only with respect to the adequacy, security and accommodation afforded by their service but also with respect to their compliance with this Act and any other law, with the orders of the Commission and with the charter and franchise requirements.
    Whenever the Commission is authorized or required by law to consider some aspect of criminal history record information for the purpose of carrying out its statutory powers and responsibilities, then, upon request and payment of fees in conformance with the requirements of Section 2605-400 of the Illinois State Police Law, the Illinois State Police is authorized to furnish, pursuant to positive identification, such information contained in State files as is necessary to fulfill the request.
    The Commission shall require all public utilities to establish a security policy that includes on-site safeguards to restrict physical or electronic access to critical infrastructure and computerized control and data systems. The Commission shall maintain a record of and each regulated entity shall provide to the Commission an annual affidavit signed by a representative of the regulated entity that states:
        (1) that the entity has a security policy in place;
        (2) that the entity has conducted at least one practice exercise based on the security policy within the 12 months immediately preceding the date of the affidavit; and
        (3) with respect to any entity that is an electric public utility, that the entity follows, at a minimum, the most current security standards set forth by the North American Electric Reliability Council.
(Source: P.A. 102-538, eff. 8-20-21.)

    (220 ILCS 5/4-102 new)
    Sec. 4-102. Security policy.
    (a) The Commission shall require public utilities to establish a security policy in order to:
        (1) gather sufficient information regarding entities that affect large numbers of Illinois population while balancing any administrative burden on Commission staff and regulated entities;
        (2) gather sufficient depth of information regarding security policies, implementations, and incidents while avoiding the creation of a repository of valuable sensitive information residing in the Commission's electronic and physical systems that may lead to undesirable disclosure of critical infrastructure information through legal, procedural, or technical means, and making the Commission a target for attackers; and
        (3) encourage regulated entities to go beyond minimum security requirements and use a risk-based approach to apply the most effective interventions in the ever-evolving threat landscape.
    (b) All public utilities are required to establish a security policy. Commission staff shall, at the direction and discretion of the Executive Director, determine entities subject to the attestation and reporting requirements in this Section.
    (c) Each entity subject to the attestation and reporting requirements of this Section, as identified in subsection (b), shall provide to the Commission, by July 31 of each year, submitted through electronic filing or as otherwise directed by the Executive Director or designated Commission staff, and the Commission shall maintain a record of, an annual affidavit signed by a senior executive responsible for security of the regulated entity that states the entity has a security policy in place that:
        (1) includes, but is not limited to, safeguards to restrict physical and electronic access to critical infrastructure and computerized control and data systems;
        (2) is documented in electronic or paper format;
        (3) is updated at least annually;
        (4) includes at least one practice exercise based on the security policy within the 12 months immediately preceding the date of the affidavit;
        (5) follows industry best practices and is based on widely-accepted frameworks and standards, and
            (A) with respect to any entity that is an electric public utility, that the entity follows, at a minimum, the most current security standards set forth by the North American Electric Reliability Corporation;
            (B) with respect to any entity that is a gas public utility, that the entity follows, at a minimum, the most current security standards or guidelines set forth by the Transportation Security Agency; and
            (C) with respect to any entity that is a water public utility, that the entity follows, at a minimum, the most current security standards or guidelines set forth by the American Water Works Association and recognized by the federal Environmental Protection Agency;
        (6) is appropriate for the entity's risk profile and potential threats as identified in regular risk assessments;
        (7) requires implementation of risk management strategies;
        (8) has been assessed by a third-party at least every 2 years for its implementation;
        (9) has a program for addressing vulnerabilities found through assessments;
        (10) documents key contact information of other entities with whom the regulated entity maintains partnerships for information sharing, planning, and situational awareness;
        (11) manages security risks from both intentional and unintentional insider actions;
        (12) manages security risks from vendors throughout the supply chain; and
        (13) contemplates cybersecurity insurance, whether or not the entity acquires or maintains cybersecurity insurance.
    (d) In addition to the annual attestations that the regulated entity's security policy contains the components in subsection (c), the regulated entity shall also, at least annually, provide a written or oral annual report, individually or jointly with other regulated entities, to the Executive Director or designated Commission staff regarding the regulated entity's cybersecurity program and related information. This report shall include, but is not limited to, the following information:
        (1) an overview of the regulated entity's approach to cybersecurity awareness and protection, including all items listed in the attestation;
        (2) a description of cybersecurity awareness training efforts for the regulated entity's staff members, specialized cybersecurity training for cybersecurity personnel, and participation by the regulated entity's cybersecurity staff in emergency preparedness exercises in the previous calendar year;
        (3) an organizational diagram of the regulated entity's cybersecurity organization, including positions and contact information for primary and secondary cybersecurity emergency contacts;
        (4) a description of the regulated entity's internal and external communications plan regarding unauthorized actions that result in interruption, degradation of service, financial harm, or breach of sensitive business or customer data, including the regulated entity's plan for notifying the Commission and customers;
        (5) a redacted summary of any unauthorized actions that resulted in material interruption, financial harm, or breach of sensitive business or customer data, including the parties that were notified of the unauthorized action and any remedial actions undertaken;
        (6) key performance indicators and other metrics related to physical security and cybersecurity;
        (7) any notable cybersecurity information not included in paragraphs (1) through (6); and
        (8) any other information as directed by the Executive Director or designated Commission staff.
    (e) Regulated entities subject to this Section shall inform the Commission, in a written or oral report, within 48 hours or as soon as practicable, after the discovery or occurrence of any notable, unusual, or significant cybersecurity incident, or any cybersecurity incident that must be reported to another regulatory agency, or as directed by designated Commission staff, unless otherwise prohibited by law or court order or instructed otherwise by law enforcement personnel.
    (f) Regulated entities subject to this Section shall make the relevant security policy, assessments, reports, and related documents available for review by designated Commission staff.
    (g) Attestations, reports, and other submissions made under this Section shall not be open to public inspection unless otherwise ordered by the Commission. Regulated entities shall not report information otherwise required under this Section if prohibited by law or court order or instructed otherwise by law enforcement personnel.
    (h) The Commission may adopt rules to implement this Section.