May 26, 2020

May 26, 2020

Subscribe to Latest Legal News and Analysis

FERC Raises the Threshold for Cyber Incident Reporting

Over the past year, the Federal Energy Regulatory Commission (“FERC” or the “Commission”) has become increasingly vocal about their commitment to prioritize cybersecurity and protect the U.S. electric grid from cyber threats.  In furtherance of this endeavor, last week the Commission issued a final rule (Order No. 848) which directs the North American Electric Reliability Corporation (“NERC”) to expand its critical infrastructure protection standards (“CIP” standards) related to the reporting of cyber incidents. Under the current standard, entities are only required to report successful compromises which, the Commission found, is too low of a reporting threshold because it does not capture the full scope of cyber threats facing the electric grid.  To address this gap, Order No. 848 is now requiring entities to report any attempts to compromise. Through issuing this final rule, FERC is seeking to bolster existing cyber standards without imposing unnecessary additional burdens on industry stakeholders.  At the same time, FERC is seeking to better align the CIP standards to the reporting regimes used at the Department of Homeland Security and the Electricity Information Sharing and Analysis Center (“E-ISAC”). 

In addition to expanding the scope of reportable cyber incidents, Order No. 848 prescribes the content of the reports, the filing deadlines for reports and also the dissemination of reports.  With these changes, FERC has added more standardization to the reporting process by laying out the minimum information requirements for a cyber-incident report.  At NERC’s request, FERC has provided some flexibility to ensure that NERC has the ability to shape the reporting requirements in a manner that maximizes efficiency while minimizing the burden on industry stakeholders, but is also effective for regulators.

This final rule, along with Order Nos. 840 and 843 issued earlier this year, dealing with event reporting and access control security respectively, demonstrate that FERC is delivering on its promise to bolster the grid’s resiliency against cyber risks facing the energy sector.  The urgent-manner in which the Commission is operating in this space further indicates that FERC views cyber as a high-priority issue that warrants an appropriate level of attention and investment of industry resources to meet the evolving threats.

© 2020 Van Ness Feldman LLP


About this Author

Darshana Singh, Van Ness Feldman Law Firm, Washington DC, Cybersecurity and Energy Law Attorney

Darsh Singh assists clients and firm professionals in the energy regulatory arena. Prior to joining Van Ness Feldman, Darsh served as a law clerk in the Office of Administrative Litigation at the Federal Energy Regulatory Commission (FERC) and interned at the Federal Trade Commission (FTC).   While at FERC, Darsh assisted Trial Staff in natural gas and oil pipeline rate proceedings and conducted research on market-based rates.   During her time at the FTC, Darsh focused on complex antitrust and consumer protection issues. 

While at The George...

Gwen Fleming, Van Ness Feldman Law Firm, Washington DC, White Collar and Environmental Law Litigation Attorney

Gwen Keyes Fleming has more than twenty years of public sector experience, having served as both an elected and appointed official at the state and local levels, as well as in various branches of the federal government.  Most recently, she served as the Principal Legal Advisor (General Counsel) for Immigration & Customs Enforcement (ICE) in the U.S. Department of Homeland Security (DHS), and as Chief of Staff to the Environmental Protection Agency (EPA) during the Obama Administration.  In addition to her time at the DHS and EPA, Gwen served as the EPA Region 4 (Southeastern Region) Regional Administrator, where she was responsible for establishing and implementing environmental policy for eight southeastern states and six federally recognized tribes.  Gwen was twice elected District Attorney for the Stone Mountain Judicial Circuit in DeKalb County, Georgia; the first African-American and first woman to hold that office.

Gwen’s practice at Van Ness Feldman focuses on environmental policy, litigation, and white collar criminal defense matters including audits and special investigations, for private as well as municipal clients.  She also provides strategic advice and counsel on national security matters related to incident response and the protection of environmental and energy infrastructure from cyber and physical threats.  She is coordinating the firm’s practice in the area of cybersecurity and is the co-author of Van Ness Feldman's Reports entitled “Critical Infrastructure: 2017 Cybersecurity Review and What to Expect in 2018” and “Federal Government Takes Steps to Shape Rules for Automated Vehicles”   She has also served as a speaker on the issues relating to critical infrastructure cybersecurity.