On November 29, 2018, the Ontario Energy Board (OEB) announced that the Cyber Security Readiness Report (Cyber Report), along with amendments to the OEB’s Electricity Reporting and Record Keeping Requirements (RRR), has been adopted and has come into effect. Licensed transmitters and distributors are now required to submit their first Cyber Report by April 30, 2019. The intention of the Cyber Report is to confirm to the OEB whether a licensee has implemented the identified activities related to cyber security readiness. The OEB will use the information from the Cyber Report to assess both the sector’s and each individual licensee’s state of readiness in order to determine whether any further action is necessary. Further details on the completion and filing of the Cyber Reports are set out in the OEB’s revised RRR.
Background
On March 15, 2018, the OEB issued amendments to the Transmission Systems Code and Distribution System Code to establish regulatory requirements for licensed transmitters and distributors in order to provide the OEB with information about how the licensees are managing their cyber security risks. Specifically, the amendments required a licensee to provide the OEB with reports on its cyber security readiness referencing the Ontario Cyber Security Framework (Framework).
Over the next few months, the OEB sought and received comments from various stakeholders on the OEB’s proposed form of the Cyber Report and the corresponding amendments to the RRR. Pursuant to the OEB’s September 20, 2018 letter, the OEB proposed to require the Cyber Report to be filed annually as part of a licensee’s reporting requirement under the RRR. The purpose of the Cyber Report is to provide the OEB with information regarding a "transmitter’s or distributor’s cyber security readiness, including its risk assessment and the status of implementation of control objectives relying on the Framework as a guide." The goal is to increase the reported state of cyber security in the electricity sector such that it is comparable and understood.
Cyber Report Requirements
Pursuant to the OEB’s November 29, 2018 letter, licensees are now required to provide, on an annual basis by April 30, in the form set out in Appendix A to the same letter, the following information:
- the status of cyber security readiness as determined in accordance with the Framework; and
- a self-certification statement signed by the Chief Executive Officer of the licensee attesting to the cyber security readiness set out in the Cyber Report.
In terms of cyber security readiness, the Cyber Report requires the licensee to determine the control objectives that it has implemented or plans to implement and how they will be achieved, based on the licensee’s assessment of its cyber security risk tolerance. Specifically, the Cyber Report asks the licensee to identify the following information:
- the organization’s cyber security risk using the Inherent Risk Profile Tool in the Framework as either "high", "medium" or "low";
- the status of implementation of control objectives consistent with the organization’s risk profile;
- whether specific security objectives have been implemented, such as: a corporate privacy and cyber security governance program, privacy and cyber security risk identification and risk prioritization processes, third-party or self-audits of the privacy and cyber security program, and participation in the IESO’s information sharing services;
- whether mitigation plans and privacy and cyber security awareness education and training programs are in place;
- whether the licensee has systems and/or processes in place to identify, protect and detect cyber security and privacy events/incidents;
- whether incident response processes are in place and if they are regularly tested; and
- whether documented incident recovery processes are in place and if they are regularly tested.
The industry-led Framework upon which the Cyber Report is based will evolve to integrate key learnings over time, and this will require licensees to make appropriate adjustments and assess their plans. Accordingly, the OEB will routinely assess if the evolutionary changes to the Framework necessitate any adjustments to the Cyber Report.
If you have any questions or require further information, please reach out to one of the authors below.