Mich. Admin. Code R. 460.2324 - Security reporting
Rule 24.
(1) To inform the commission regarding matters that may affect the security or safety of persons or property, whether public or private, a utility must do both of the following:
  (a) Provide a written or oral annual report, individually or jointly with other utilities, to designated members of the commission staff regarding the utility's cybersecurity program and related risk planning. This report on the threat assessment and preparedness strategy must contain all of the following information:
    (i) An overview of the program describing the utility's approach to cybersecurity awareness and protection.
    (ii) A description of cybersecurity awareness training efforts for the utility's staff members, specialized cybersecurity training for cybersecurity personnel, and participation by the utility's cybersecurity staff in emergency preparedness exercises in the previous calendar year.
    (iii) An organizational diagram of the utility's cybersecurity organization, including positions and contact information for primary and secondary cybersecurity emergency contacts.
    (iv) A description of the utility's communications plan regarding unauthorized actions that result in loss of service, financial harm, or breach of sensitive business or customer data, including the utility's plan for notifying the commission and customers.
    (v) A redacted summary of any unauthorized actions that resulted in material loss of service, financial harm, or breach of sensitive business or customer data, including the parties that were notified of the unauthorized action and any remedial actions undertaken.
    (vi) A description of the risk assessment tools and methods used to evaluate, prioritize, and improve cybersecurity capabilities, including work completed pursuant to R 460.2345.
    (vii) General information about current emergency response plans regarding cybersecurity incidents, domestic preparedness strategies, threat assessments, and vulnerability assessments.
  (b) In addition to the information required under subdivision (a) of this subrule, an investor-owned public utility must include in its annual report to the Michigan public service commission an overview of major investments in cybersecurity during the previous calendar year and plans and rationale for major investments in cybersecurity anticipated for the next calendar year.
(2) As soon as reasonably practicable and prior to any public notification, a utility must orally report the confirmation of a cybersecurity incident to a designated member of the commission staff and to the Michigan fusion center, unless prohibited by law or court order or instructed otherwise by official law enforcement personnel, if any of the following occurred:
  (a) A person intentionally interrupted the production, transmission, or distribution of natural gas.
  (b) A person extorted money or other things of value from the utility through a cybersecurity attack.
  (c) A person caused a denial of service in excess of 12 hours.
  (d) A security breach, as defined by section 3(b) of the identity theft protection act, 2004 PA 452, MCL 445.63(b), prior to public and customer notification.
  (e) At the utility's discretion, any other cybersecurity incident, attack, or threat that the utility deems notable, unusual, or significant.
(3) As used in subrule (2) of this rule, "person" means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(4) As used in subrule (2)(c) of this rule, "denial of service" means, for a utility, a successful attempt to prevent a legitimate user from accessing electronic information made accessible by the utility or by another party on the behalf of the utility.