(1) A utility fails to comply with these rules, and is considered in non-compliance, when:
- (a) The company does not file documentation required by these rules showing that it has prepared a cybersecurity plan by July 1 of each calendar year; or
- (b) The company does not file documentation required by these rules showing that it has implemented that cybersecurity plan by July 1 of each calendar year.
- (2) After a hearing, the Commission may impose reasonable sanctions, including civil and monetary penalties, against a utility in non-compliance with these rules.
- (3) Monetary penalties imposed by the Commission will be consistent with the statutory limit set in T.C.A. § 65-4-120.
(4) If the Commission determines that sanctions shall include a monetary penalty, it may consider:
- (a) The efforts by the utility to comply with these rules;
- (b) The financial stability of the utility; and
- (c) The impact of non-compliance on customers of the utility.
- (5) The Commission may require a utility to establish a separate fund to further support its compliance with these rules.
- (6) Any utility in non-compliance shall be reported to the General Assembly in accordance with T.C.A. § 65-4-127(f).
Authority: T.C.A. §§ 65-2-102, 65-4-120, and 65-4-127. Administrative History: New rules filed June 27, 2023; effective September 25, 2023.