Okla. Admin. Code § 165:35-33-7

Current through Vol. 42, No. 4, November 1, 2024
Section 165:35-33-7 - Reporting requirements
(a) Subsequent to the preparation of the initial Security Plan prepared under OAC 165:35-33-5(a), each utility shall prepare a Security Plan Update Report by March 1 of each year, following the same format as the initial Security Plan with redlines of all new changes, marked "Highly Sensitive Confidential" and kept on site at the utility's business office.
(b) Each subsequent Security Plan Update Report shall update the previous year's report by indicating for each specific coded location, all costs and completion dates (actual and projected) for all current and prior additional security measures claimed under this Subchapter.
(c) The utility is required to report cybersecurity or infrastructure security events that affect customers immediately to the PUD Director and his or her designee.
(d) For those security measures previously reported that have not yet been completed, revised estimated costs and estimated completion dates shall be provided.
(e) The Security Plan Update Report shall also include (by specific coded location) a description of each proposed security measure that has not been previously reported, the estimated costs for each, as well as the estimated completion date for each measure.
(f) Costs reflected in the initial Security Plan and in subsequent Security Plan Update Reports, whether estimated or actual, shall be identified as either capital or expense costs.
(g) Beginning August 1, 2005 and by March 1 of every year thereafter, and/or when a change is made, each utility shall submit a Certification Letter to the PUD Director, marked as "Highly Sensitive Confidential" and certifying that as of the date of the Certification Letter:
(1) The utility does not have a Homeland Security and Critical Infrastructure Plan as contemplated or defined by this Subchapter but has otherwise taken steps to secure Critical Infrastructure and is not seeking cost recovery under this Subchapter;
(2) The utility has a Security Plan but is not seeking cost recovery; or
(3) The utility has a Security Plan and/or has prepared its Security Plan Update Report updating the Security Plan and/or previous year's Security Plan Update Report, and is seeking cost recovery;
(A) The redlines contained within the current Security Plan Update Report encompass in the entirety, all of the changes made to the utility's Security Plan since the Security Plan's inception or the previous year's certification; and
(B) The Security Plan is available for Commission and/or Attorney General review at the utility's local place of business or a legal representative's office.
(h) A utility shall not be required to file its initial Security Plan or any of its subsequent Security Plan Update Reports with the Commission. Each utility shall instead, secure and maintain on site, at the utility's local place of business, its initial Security Plan and all subsequent Security Plan Update Reports.

Okla. Admin. Code § 165:35-33-7

Added at 22 Ok Reg 704, eff 7-1-05
Amended by Oklahoma Register, Volume 36, Issue 21, July 15, 2019, eff. 7/25/2019
Amended by Oklahoma Register, Volume 41, Issue 23, August 15, 2024, eff. 10/1/2024