Energy Grid and Legal Compliance
What can the recent debacle with the Texas energy grid failure teach us about data governance, privacy and cybersecurity risks? A lot, actually. Specifically, it teaches us that compliance matters.
I’ve spent a career working in one form or another with “compliance”, whether in my early days as a materials engineer, auditing supply chain compliance with quality standards under a Malcolm Baldrige model, or in my current role driving global privacy and data governance strategy under regulations such as the GDPR and DFARS. In between, I’ve worked with, advised on, and counseled clients using standards such as ISO 27001, ISO 27018, ISO 27701, SOC 1 & 2, HITECH, NIST 800-53, and more. With more letters than six alphabets, and forests of paper outlining specific controls, each one comes with its own complexities.
Effort, Risk, and Reward
It has never been unusual for business and finance teams to look askance at these compliance programs. They certainly require time, money, and resources to implement and maintain. And justifying an investment in compliance in response to what seems like a remote risk can be very difficult in a competitive environment driven by short-term profits. This is where Texas offers a lesson that information services companies can learn from.
The Federal Energy Regulatory Commission and North American Electric Reliability Corporation set standards for the U.S. and connected Canadian power grids. While my understanding of these standards is fairly limited, I can undoubtedly say they are complex and require a significant investment to comply with. The regulations weren’t always complex – energy regulation began with the Federal Power Commission in 1920, when high voltage power lines had only been in existence for about 20 years and many people were terrified to operate light switches for fear of electrocution. But, as the electric power grid became integral to daily operations, the regulations became more and more complex. They became complex for a reason – lives now depend on the nearly uninterrupted supply of power in a large variety of conditions, including conditions which only infrequently occur.
In this manner, information management is very much like electricity, particularly as more and more of society functions in a digital environment. Twenty years ago, computerized records were kept on tape or spinning disk drives in larger, privately owned information systems. Digital information referred to the information on those disks, and did not create an online fingerprint of your daily life, which was lived far more “IRL” than online.
Call to Address Digital Risk in Energy Reg
As more and more of our lives are lived online, laws are evolving to recognize the risk that outlier events can create greater and greater harm. Governments around the world are drafting legislation and regulation to address the risk. Industry groups are banding together to assess, reassess, and create new sets of standardized controls designed to guide companies on how to protect their information systems and the information within them. Just as utility companies compliant with FERC regulations still experienced power outages, implementing information security controls doesn’t guarantee that governed systems will never face a data breach, ransomware attack, or catastrophic site event – but just as compliant energy grids were able to recover from severe weather events faster, information security controls can help mitigate the impact of significant cyber events.
The history of energy regulation also provides a window into the possible future of information systems regulation. With the 100 year anniversary of the Federal Power Commission in 2020, we can consider whether, 100 years from now, information and information systems will be regulated similarly to power distribution systems. My firm prediction is “yes”. If you knew you had the tools to start preparing for that now, wouldn’t you start sooner rather than later?