102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB4725
 
Introduced 1/27/2022, by Rep. Bob Morgan
 
SYNOPSIS AS INTRODUCED:
 

 
  
220 ILCS 5/4-101  from Ch. 111 2/3, par. 4-101
220 ILCS 5/4-102 new

     Amends the Public Utilities Act. Provides that all public utilities are required to establish a security policy. Provides that Illinois Commerce Commission staff shall determine entities subject to the attestation and reporting requirements. Provides that each entity subject to the attestation and reporting requirements shall provide to the Commission, by July 31 of each year, an annual affidavit signed by a senior executive responsible for security of the regulated entity that states the entity has a security policy that satisfies specified requirements. Provides that the entity shall also, at least annually, provide to the Commission a report on the entity's cybersecurity program and related information. Provides that entities subject to this shall inform the Commission, in a written or oral report, within 48 hours or as soon as practicable, after the discovery or occurrence of any notable, unusual, or significant cybersecurity incident. Provides that attestations, reports, and other submissions made shall not be open to public inspection unless otherwise ordered by the Commission.
  


LRB102 22900 SPS 32053 b

 
 
A BILL FOR
 

  
HB4725LRB102 22900 SPS 32053 b


  
1    AN ACT concerning regulation.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 5. The Public Utilities Act is amended  by changing 
5Section 4-101 and  by adding Section 4-102 as follows:
 



6    (220 ILCS 5/4-101)  (from Ch. 111 2/3, par. 4-101)


7    Sec. 4-101. The Commerce Commission shall have general 
8supervision of all
public utilities, except as otherwise 
9provided in this Act, shall inquire into
the management of the 
10business thereof and shall keep itself informed as to the

11manner and method in which the business is conducted. It shall 
12examine those
public utilities and keep informed as to their 
13general condition, their
franchises, capitalization, rates and 
14other charges, and the manner in which
their plants, equipment 
15and other property owned, leased, controlled or
operated are 
16managed, conducted and operated, not only with respect to the

17adequacy, security and accommodation afforded by their service 
18but also with
respect to their compliance with this Act and any 
19other law, with the orders
of the Commission and with the 
20charter and franchise requirements.

21    Whenever the Commission is authorized or required
by law 
22to consider some aspect of criminal history record information 
23for
the purpose of carrying out its statutory powers and 
 
 
HB4725- 2 -LRB102 22900 SPS 32053 b

1responsibilities,
then, upon request and payment of fees in 
2conformance with the requirements
of Section 2605-400 of the 
3Illinois State Police Law, the Illinois State Police is 
4authorized to furnish,
pursuant to positive identification, 
5such information contained in State
files as is necessary to 
6fulfill the request.
7    The Commission shall require all public utilities to 
8establish a security policy that includes on-site safeguards 
9to restrict physical or electronic access to critical 
10infrastructure and computerized control and data systems. The 
11Commission shall maintain a record of and each regulated 
12entity shall provide to the Commission an annual affidavit 
13signed by a representative of the regulated entity that 
14states:


15        (1) that the entity has a security policy in place;
16        (2) that the entity has conducted at least one 
17    practice exercise based on the security policy within the 
18    12 months immediately preceding the date of the affidavit; 
19    and
20        (3) with respect to any entity that is an electric 
21    public utility, that the entity follows, at a minimum, the 
22    most current security standards set forth by the North 
23    American Electric Reliability Council.


24(Source: P.A. 102-538, eff. 8-20-21.)

 
25    (220 ILCS 5/4-102 new)
 
 
HB4725- 3 -LRB102 22900 SPS 32053 b

1    Sec. 4-102. Security policy.
2    (a) The Commission shall require public utilities to 
3establish a security policy in order to: 
4        (1)   gather sufficient information regarding entities 
5    that affect large numbers of Illinois population while 
6    balancing any administrative burden on Commission staff 
7    and regulated entities;
8        (2)   gather sufficient depth of information regarding 
9    security policies, implementations, and incidents while 
10    avoiding the creation of a repository of valuable 
11    sensitive information residing in the Commission's 
12    electronic and physical systems that may lead to 
13    undesirable disclosure of critical infrastructure 
14    information through legal, procedural, or technical means, 
15    and making the Commission a target for attackers; and
16        (3) encourage regulated entities to go beyond minimum 
17    security requirements and use a risk-based approach to 
18    apply the most effective interventions in the 
19    ever-evolving threat landscape. 
20    (b) All public utilities are required to establish a 
21security policy. Commission staff shall, at the direction and 
22discretion of the Executive Director, determine entities 
23subject to the attestation and reporting requirements in this 
24Section.
25    (c) Each entity subject to the attestation and reporting 
26requirements of this Section, as identified in subsection (b), 
 
 
HB4725- 4 -LRB102 22900 SPS 32053 b

1shall provide to the Commission, by July 31 of each year, 
2submitted through electronic filing or as otherwise directed 
3by the Executive Director or designated Commission staff, and 
4the Commission shall maintain a record of, an annual affidavit 
5signed by a senior executive responsible for security of the 
6regulated entity that states the entity has a security policy 
7in place that:
8        (1)    includes, but is not limited to, safeguards to 
9    restrict physical and electronic access to critical 
10    infrastructure and computerized control and data systems;
11        (2)    is documented in electronic or paper format;
12        (3)    is updated at least annually;
13        (4)    includes at least one practice exercise based on 
14    the security policy within the 12 months immediately 
15    preceding the date of the affidavit;
16        (5)    follows industry best practices and is based on 
17    widely-accepted frameworks and standards, and
18            (A)    with respect to any entity that is an electric 
19        public utility, that the entity follows, at a minimum, 
20        the most current security standards set forth by the 
21        North American Electric Reliability Corporation;
22            (B)    with respect to any entity that is a gas public 
23        utility, that the entity follows, at a minimum, the 
24        most current security standards or guidelines set 
25        forth by the Transportation Security Agency; and
26            (C)    with respect to any entity that is a water 
 
 
HB4725- 5 -LRB102 22900 SPS 32053 b

1        public utility, that the entity follows, at a minimum, 
2        the most current security standards or guidelines set 
3        forth by the American Water Works Association and 
4        recognized by the federal Environmental Protection 
5        Agency;
6        (6)    is appropriate for the entity's risk profile and 
7    potential threats as identified in regular risk 
8    assessments;
9        (7)     requires implementation of risk management 
10    strategies;
11        (8)    has been assessed by a third-party at least every 
12    2 years for its implementation;
13        (9)    has a program for addressing vulnerabilities found 
14    through assessments;
15        (10)    documents key contact information of other 
16    entities with whom the regulated entity maintains 
17    partnerships for information sharing, planning, and 
18    situational awareness;
19        (11)    manages security risks from both intentional and 
20    unintentional insider actions;
21        (12)    manages security risks from vendors throughout 
22    the supply chain; and
23        (13)    contemplates cybersecurity insurance, whether or 
24    not the entity acquires or maintains cybersecurity 
25    insurance.
26    (d)    In addition to the annual attestations that the 
 
 
HB4725- 6 -LRB102 22900 SPS 32053 b

1regulated entity's security policy contains the components in 
2subsection (c), the regulated entity shall also, at least 
3annually, provide a written or oral annual report, 
4individually or jointly with other regulated entities, to the 
5Executive Director or designated Commission staff regarding 
6the regulated entity's cybersecurity program and related 
7information.  This report shall include, but is not limited to, 
8the following information:
9        (1)    an overview of the regulated entity's approach to 
10    cybersecurity awareness and protection, including all 
11    items listed in the attestation;
12        (2)    a description of cybersecurity awareness training 
13    efforts for the regulated entity's staff members, 
14    specialized cybersecurity training for cybersecurity 
15    personnel, and participation by the regulated entity's 
16    cybersecurity staff in emergency preparedness exercises in 
17    the previous calendar year;
18        (3)    an organizational diagram of the regulated 
19    entity's cybersecurity organization, including positions 
20    and contact information for primary and secondary 
21    cybersecurity emergency contacts;
22        (4)    a description of the regulated entity's internal 
23    and external communications plan regarding unauthorized 
24    actions that result in interruption, degradation of 
25    service, financial harm, or breach of sensitive business 
26    or customer data, including the regulated entity's plan 
 
 
HB4725- 7 -LRB102 22900 SPS 32053 b

1    for notifying the Commission and customers;
2        (5)    a redacted summary of any unauthorized actions 
3    that resulted in material interruption, financial harm, or 
4    breach of sensitive business or customer data, including 
5    the parties that were notified of the unauthorized action 
6    and any remedial actions undertaken;
7        (6)    key performance indicators and other metrics 
8    related to physical security and cybersecurity;
9        (7)    any notable cybersecurity information not included 
10    in paragraphs (1) through (6); and
11        (8)    any other information as directed by the Executive 
12    Director or designated Commission staff.
13    (e)     Regulated entities subject to this Section shall 
14inform the Commission, in a written or oral report, within 48 
15hours or as soon as practicable, after the discovery or 
16occurrence of any notable, unusual, or significant 
17cybersecurity incident, or any cybersecurity incident that 
18must be reported to another regulatory agency, or as directed 
19by designated Commission staff, unless otherwise prohibited by 
20law or court order or instructed otherwise by law enforcement 
21personnel.
22    (f)   Regulated entities subject to this Section shall make 
23the relevant security policy, assessments, reports, and 
24related documents available for review by designated 
25Commission staff.
26    (g)      Attestations, reports, and other submissions made 
 
 
HB4725- 8 -LRB102 22900 SPS 32053 b

1under this Section shall not be open to public inspection 
2unless otherwise ordered by the Commission. Regulated entities 
3shall not report information otherwise required under this 
4Section if prohibited by law or court order or instructed 
5otherwise by law enforcement personnel.
6    (h)   The Commission may adopt rules to implement this 
7Section.