FERC Proposes Cybersecurity Incident Reporting Rule

Privacy & Cybersecurity Update

Date: January 02, 2018

On December 21, 2017 the Federal Energy Regulatory Commission (FERC) proposed a rule to direct the North American Electric Reliability Corporation (NERC) to clarify and expand the scope of cyber incident reporting. The rule envisions that the NERC will require reporting of cyber incidents when there is a compromise of or even an attempt to compromise certain network infrastructure.

If the rule is finalized, cyber incidents would have to be reported to both the Electricity Information Sharing and Analysis Center (E-ISAC), which is required under the current standard, and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is an office within the Department of Homeland Security (DHS).

In 2016 the federal government issued guidance on how the private sector can exchange certain types of cyber threat information with the government and, in accordance with the Cybersecurity Act of 2015 (“Act”), retain liability protection. According to this guidance, private-sector entities may share “cyber threat indicators” and “defensive measures” (which are specific terms defined by law) through DHS’s Automated Indicator Sharing (AIS) initiative, an online web form, email or certain other information-sharing programs. However, the guidance explicitly notes that private-sector entities “will not receive liability protection under the Act” if they share cyber-related information in a manner that is not consistent with the Act’s implementing guidelines.

If the NERC’s standards are updated as proposed in the rule, the standards should be tailored to and incorporate, to the greatest extent possible, existing federal guidelines and procedures. Similarly, regardless of whether the rule is finalized, private-sector entities should consider participating in the AIS initiative as part of their broader cybersecurity strategies.


For more information, please contact:

Marvin T. Griff

Roy E. Hadley, Jr.

Steven G. Stransky

Thomas F. Zych

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.