NERC's Reliability Standards: The Good, the Bad, and the Fill-in-the-Blanks
How to prepare for mandatory enforcement.
He sees enforcement of the standards as an important component of FERC’s enforcement agenda:
I will make no promise that the reliability standards ultimately established by the commission will never be violated. I can promise that, unlike in the past, if established reliability standards are violated, the violator will be subject to significant civil penalties. 2
FPA § 215 and FERC’s final rule on certifying the ERO and establishing reliability standards (Final Rule) 3 give the ERO the primary role in auditing compliance with the reliability standards and investigating and enforcing violations of the reliability standards. Although the ERO and regional entities are not governmental authorities, companies subject to audits and investigations conducted by the ERO and regional entities should treat those entities as if they are federal agencies and provide the same level of diligence, accuracy, and truthfulness as they would if FERC itself were conducting the audit or investigation. False statements made to the ERO or a regional entity could be considered, by FERC and the courts, to be false statements made to FERC.
Federal law makes it a criminal offense to influence, obstruct, or impede a governmental agency in the conduct of any pending proceeding. 4 Courts have held broadly that a “proceeding” of a governmental agency includes a preliminary or formal investigation. 5 While the ERO and the regional entities that will conduct reliability investigations will not be governmental agencies, as entities created by federal statute and empowered by federal statute to conduct investigations and levy penalties with respect to reliability matters, the ERO and the regional entities potentially could be deemed to be “federal agencies” for purposes of the obstruction analysis. The Final Rule requires the ERO to file its or a regional entity’s record of investigatory findings with FERC when it proposes to levy a penalty for a reliability violation, so false statements made to the ERO or regional entity eventually may come to constitute false statements made to FERC. Finally, even false statements made in internal investigations potentially could lead to criminal liability for the individuals making the statements, if the statements have the effect of deceiving FERC.
EPACT amended the FPA to strengthen substantially FERC’s authority to levy civil penalties for violations of its regulations, rules, and orders. In October 2005 FERC issued its Policy Statement on Enforcement to explain how it intends to implement its enhanced enforcement authority. 6 FERC explained in its Policy Statement that it would consider the successful establishment of a culture of compliance within a utility, self-reporting of regulatory violations, and cooperation with FERC as mitigating factors in any enforcement action.
FERC has signaled that it will reward cooperation, and the ERO likely will do the same. In its application to FERC to become the ERO, NERC submitted proposed “ERO sanctions guidelines” that set out the processes and practices the ERO would follow, and the factors it would consider, when determining penalties, sanctions, or remedial actions for violations of reliability standards. 7 The proposed ERO sanctions guidelines are consistent with the factors and considerations identified in FERC’s Policy Statement