WEBVTT
00:00:16.684 --> 00:00:19.050
PUC Committee
meeting on this date,
00:00:19.050 --> 00:00:22.890
Wednesday, December 8th, 2021.
00:00:22.890 --> 00:00:25.550
All parties are on listen only,
00:00:25.550 --> 00:00:28.510
during the public comment section,
00:00:28.510 --> 00:00:30.250
you can press star one.
00:00:30.250 --> 00:00:32.080
Today's call is being recorded.
00:00:32.080 --> 00:00:35.050
If you have any objections,
please disconnect.
00:00:35.050 --> 00:00:37.750
I will turn today's call
over to President Batjer.
00:00:37.750 --> 00:00:39.000
Thank you, you may begin.
00:00:40.090 --> 00:00:41.810
Thank you so much operator.
00:00:41.810 --> 00:00:43.890
Well, I'd like to say
good morning to everyone
00:00:43.890 --> 00:00:46.500
and thank you for joining us today.
00:00:46.500 --> 00:00:50.980
I am calling the CPUC
Commissioner Committee meeting
00:00:50.980 --> 00:00:54.680
of December 8th, 2021 to order.
00:00:54.680 --> 00:00:58.320
There are three committees
here at the CPUC,
00:00:58.320 --> 00:01:00.680
the Finance and
Administration Committee,
00:01:00.680 --> 00:01:02.930
the Policy and Governance Committee
00:01:02.930 --> 00:01:05.380
and the Emerging Trends Committee.
00:01:05.380 --> 00:01:07.240
Today, the Emerging Trends
00:01:07.240 --> 00:01:10.433
and the Finance Administration
Committee will meet.
00:01:11.330 --> 00:01:13.530
Due to the coronavirus pandemic
00:01:13.530 --> 00:01:15.800
and the shelter in place order,
00:01:15.800 --> 00:01:19.060
we are conducting today's
committee meeting online
00:01:19.060 --> 00:01:21.530
and by remote participation,
00:01:21.530 --> 00:01:25.860
the meeting is live-streamed
on CPUC's website.
00:01:25.860 --> 00:01:27.090
You can view the meeting
00:01:27.090 --> 00:01:32.090
at www.adminmonitor.com/com/ca/cpuc.
00:01:41.747 --> 00:01:45.310
And adminmonitor is all one word.
00:01:45.310 --> 00:01:49.670
Closed captioning is available
in English and Spanish
00:01:49.670 --> 00:01:51.140
through the webcast.
00:01:51.140 --> 00:01:54.800
You can click on the green
button to select your language
00:01:54.800 --> 00:01:55.763
of choice.
00:01:57.010 --> 00:02:00.560
We will have an opportunity
for the public to comment
00:02:00.560 --> 00:02:03.070
following the Q&A and discussion
00:02:03.070 --> 00:02:04.930
among the Commissioners.
00:02:04.930 --> 00:02:08.470
If you wish to make a public
comment or ask a question,
00:02:08.470 --> 00:02:13.470
please dial 800-857-1917
00:02:13.550 --> 00:02:16.307
and enter code 5180519 pound
00:02:20.340 --> 00:02:23.230
and press star one.
00:02:23.230 --> 00:02:26.620
You will be placed into a
queue and will be called upon
00:02:26.620 --> 00:02:31.070
to speak when we get to
the public comment period,
00:02:31.070 --> 00:02:32.530
we will be at the end,
00:02:32.530 --> 00:02:35.310
and which of course that will
be the public comment period
00:02:35.310 --> 00:02:39.003
will be at the end of the committee.
00:02:43.350 --> 00:02:47.260
I will now turn the Commission
to Commissioner Shiroma
00:02:47.260 --> 00:02:51.380
to introduce the items on
the emerging trends agenda,
00:02:51.380 --> 00:02:52.470
Commissioner Shiroma.
00:02:53.950 --> 00:02:55.880
Yes, thank you,
President Batjer.
00:02:55.880 --> 00:02:57.453
Good morning, everyone.
00:02:58.360 --> 00:03:02.320
For our emerging trends
committee presentation,
00:03:02.320 --> 00:03:07.320
we will hear from Jim Chil,
Program Manager in the Security
00:03:08.060 --> 00:03:12.570
and Resilience Branch of
our Safety Policy Division
00:03:12.570 --> 00:03:17.470
and Dan Bouts, Director
of the Safety Policy Division.
00:03:17.470 --> 00:03:22.470
Jim has a decade of experience
at FEMA and a master's degree
00:03:23.720 --> 00:03:25.533
from University of Michigan.
00:03:28.140 --> 00:03:31.280
Dan, prior to joining the Commission
00:03:31.280 --> 00:03:33.840
served as Assistant Director
00:03:33.840 --> 00:03:37.710
at the California Governor's
Office of Emergency Services,
00:03:37.710 --> 00:03:40.920
has an extensive background
with the Armed Forces
00:03:40.920 --> 00:03:44.230
and obtained a PhD in industrial
00:03:44.230 --> 00:03:46.470
and organizational psychology
00:03:46.470 --> 00:03:48.023
from Walden University.
00:03:48.870 --> 00:03:50.750
Earlier this year,
00:03:50.750 --> 00:03:54.040
Commissioner (indistinct)
and I were working
00:03:54.040 --> 00:03:56.513
on our Emerging Trends
Committee work plan.
00:03:58.020 --> 00:04:03.020
Some folks will recall we
did a survey with most staff
00:04:05.110 --> 00:04:07.880
and one of the topic areas
00:04:10.030 --> 00:04:14.590
we included is a
cybersecurity into the work plan.
00:04:14.590 --> 00:04:16.930
As a result of all of these efforts,
00:04:16.930 --> 00:04:20.310
it's an important topic
given the ever-changing state
00:04:20.310 --> 00:04:21.940
of affairs.
00:04:21.940 --> 00:04:26.840
And when we saw the Colonial
Pipeline ransomware attack
00:04:26.840 --> 00:04:28.720
that occurred last May,
00:04:28.720 --> 00:04:32.090
we saw an opportunity
to focus the cyber security
00:04:32.090 --> 00:04:35.250
presentation on this issue.
00:04:35.250 --> 00:04:40.000
So today Tim and Dan
will present us information
00:04:40.000 --> 00:04:41.660
about ransomware,
00:04:41.660 --> 00:04:44.910
including the Colonial
Pipeline incidents
00:04:44.910 --> 00:04:49.410
and overview of trends in
ransomware and discussion
00:04:49.410 --> 00:04:52.223
of its relevance to
our regulated utilities.
00:04:53.490 --> 00:04:56.403
All right, Jim and Dan, take it away.
00:04:58.160 --> 00:04:59.460
Thank you, Commissioner.
00:05:01.040 --> 00:05:03.760
So my name is Jim Chill.
00:05:03.760 --> 00:05:07.130
I'm the Program Manager
for security and resilience.
00:05:07.130 --> 00:05:09.975
Dan, did you-- sorry to interrupt you.
00:05:09.975 --> 00:05:11.260
I didn't mean to cut you off.
00:05:11.260 --> 00:05:12.093
No, no, no.
00:05:12.093 --> 00:05:13.430
Please, go ahead.
00:05:13.430 --> 00:05:14.263
Okay.
00:05:14.263 --> 00:05:16.710
So we put together a presentation.
00:05:16.710 --> 00:05:20.190
This is one slice of
cybersecurity and an issue.
00:05:20.190 --> 00:05:21.810
So it's, I just,
00:05:21.810 --> 00:05:24.493
before we get into the
actual presentation itself,
00:05:25.400 --> 00:05:29.440
it's a very large area, very vast area.
00:05:29.440 --> 00:05:31.540
This is just one very specific look in.
00:05:31.540 --> 00:05:35.470
I think it helps to provide
some insights to it by looking
00:05:35.470 --> 00:05:38.470
at a specific case such
as Colonial Pipeline,
00:05:38.470 --> 00:05:40.453
the link to the next slide,
00:05:41.740 --> 00:05:43.910
just a quick overview
of how this presentation
00:05:43.910 --> 00:05:44.870
is gonna go.
00:05:44.870 --> 00:05:49.160
One, we'll just give a very
quick 101 on ransomware.
00:05:49.160 --> 00:05:50.770
We could spend days doing it,
00:05:50.770 --> 00:05:54.620
but just very quickly go into
the mechanics of the Colonial
00:05:54.620 --> 00:05:56.930
Pipeline ransomware attack,
00:05:56.930 --> 00:05:58.150
discuss some challenges
00:05:58.150 --> 00:06:02.580
and then field any questions as needed.
00:06:02.580 --> 00:06:05.733
So moving on to the next slide.
00:06:07.050 --> 00:06:11.130
So this is the ransomware
overview and we have,
00:06:11.130 --> 00:06:12.590
these are common attack methods
00:06:12.590 --> 00:06:15.640
and this is terminology you'll
hear getting thrown around
00:06:15.640 --> 00:06:20.640
a lot in the news by CNN,
by Fox, depending on how,
00:06:21.540 --> 00:06:25.120
whatever news program,
everybody watches.
00:06:25.120 --> 00:06:30.050
But we'll hear malware or
phishing or zero day exploits.
00:06:30.050 --> 00:06:33.120
And these are all just
different attack methods
00:06:33.120 --> 00:06:34.210
that are used.
00:06:34.210 --> 00:06:35.510
Now, they're not all of them,
00:06:35.510 --> 00:06:37.740
but they're probably the
most commonly known
00:06:38.989 --> 00:06:41.573
and displayed out to the public.
00:06:42.520 --> 00:06:44.053
Going to the next slide.
00:06:48.020 --> 00:06:48.853
Okay.
00:06:48.853 --> 00:06:50.210
So ransomware,
00:06:51.170 --> 00:06:54.655
the basics of ransomware is
that it's actually one of many
00:06:54.655 --> 00:06:56.943
different types of attacks.
00:06:58.310 --> 00:07:03.310
And essentially what
happens is that data is usually
00:07:04.270 --> 00:07:08.970
encrypted and then held
hostage until a ransom is paid.
00:07:08.970 --> 00:07:11.060
And sometimes there's
something called a double hot,
00:07:11.060 --> 00:07:14.275
a double ransom, which is not only are
00:07:14.275 --> 00:07:15.860
they gonna decrypt it,
00:07:15.860 --> 00:07:18.712
but they also won't
share it with everybody.
00:07:18.712 --> 00:07:21.133
So there's a lot of avenues to this.
00:07:22.562 --> 00:07:26.210
And it's evolved from
this whole idea of just
00:07:27.252 --> 00:07:30.810
a single group that has the
skillset to do it to also being
00:07:30.810 --> 00:07:32.380
done as a service too.
00:07:32.380 --> 00:07:36.040
So it's actually now available
to maybe non-technical
00:07:36.040 --> 00:07:38.360
organizations for a price.
00:07:38.360 --> 00:07:43.360
And what we have seen is
that ransomware payments in 2020
00:07:43.760 --> 00:07:48.650
have climbed this
year 82% and prior year
00:07:48.650 --> 00:07:50.940
to that was 171%.
00:07:50.940 --> 00:07:53.530
So we're seeing an increase
in the average ransomware
00:07:53.530 --> 00:07:54.800
payments going up.
00:07:54.800 --> 00:07:59.403
Now, that's just to say that
these numbers are pretty,
00:08:00.500 --> 00:08:04.430
it's not as clear and tightly
calculated as GDP or things
00:08:04.430 --> 00:08:06.993
like that, because
really there's a lot of,
00:08:08.500 --> 00:08:12.380
not a lot of sharing of the
information widely and publicly.
00:08:12.380 --> 00:08:14.980
So this is just one of the
publicly available numbers
00:08:14.980 --> 00:08:18.500
that we feel has some
that can provide a range
00:08:18.500 --> 00:08:20.723
in terms of how much
this actually costs.
00:08:22.080 --> 00:08:24.263
Moving to the next slide.
00:08:27.100 --> 00:08:29.200
So this is the ransomware methods.
00:08:29.200 --> 00:08:33.560
And one thing that I
really liked this slide,
00:08:33.560 --> 00:08:36.510
because what this definitely shows is,
00:08:36.510 --> 00:08:40.190
there's all these methods in
terms of how people use code
00:08:40.190 --> 00:08:43.640
and computers to create a situation
00:08:43.640 --> 00:08:46.260
where they can actually demand a ransom.
00:08:46.260 --> 00:08:48.480
But what this shows
that a lot of this shows
00:08:48.480 --> 00:08:50.970
is at the center of it,
there's a human element.
00:08:50.970 --> 00:08:55.160
There's a person element to
ransomware where it can be
00:08:55.160 --> 00:08:57.370
prevented by people.
00:08:57.370 --> 00:09:01.410
And good computer hygiene,
good cybersecurity hygiene.
00:09:01.410 --> 00:09:04.140
And so it doesn't, I think
00:09:04.140 --> 00:09:07.430
there's a lot of focus on the
technical hardware aspect
00:09:07.430 --> 00:09:10.030
of ransomware and cyber security,
00:09:10.030 --> 00:09:12.160
but really a lot of it
comes down to the people
00:09:12.160 --> 00:09:16.490
and this shows that things
like spam and phishing emails
00:09:16.490 --> 00:09:21.490
to weak passwords and account management
00:09:21.640 --> 00:09:26.520
and access management
are all human-driven
00:09:26.520 --> 00:09:27.860
types of situations.
00:09:27.860 --> 00:09:31.356
So it puts a kind of a face
00:09:31.356 --> 00:09:34.450
to the security as
well as the attack too,
00:09:34.450 --> 00:09:36.883
so moving on to the next slide.
00:09:40.602 --> 00:09:42.640
So we get a little bit
into the Colonial Pipeline
00:09:42.640 --> 00:09:45.023
ransomware attack,
and just to start off with,
00:09:46.060 --> 00:09:48.510
Colonial Pipeline did not
have any direct effects
00:09:48.510 --> 00:09:49.763
on California.
00:09:51.336 --> 00:09:53.470
Most of the in which all
the infrastructure goes
00:09:53.470 --> 00:09:56.940
from west to east.
00:09:56.940 --> 00:10:01.940
And so that was something
that we saw and we actually under
00:10:02.040 --> 00:10:05.240
supported the calcium in the
analysis of the infrastructure,
00:10:05.240 --> 00:10:08.123
which is the state
lead for cybersecurity.
00:10:10.140 --> 00:10:12.173
Moving to the next slide.
00:10:14.240 --> 00:10:17.490
So we're gonna go over
kind of who was involved,
00:10:17.490 --> 00:10:20.530
what were the impacts and
then challenges exposed.
00:10:20.530 --> 00:10:22.263
So going to the next slide.
00:10:26.876 --> 00:10:31.170
So Colonial Pipeline, just a
quick overview of what it is,
00:10:31.170 --> 00:10:34.510
basically it basically supplies fuel,
00:10:34.510 --> 00:10:37.480
including gasoline,
diesel, heating oil, jet fuel
00:10:37.480 --> 00:10:42.480
and military supplies basically
from pretty much primarily
00:10:43.220 --> 00:10:48.220
the Gulf of Mexico and
into the Eastern seaboard
00:10:48.430 --> 00:10:50.450
of the country.
00:10:50.450 --> 00:10:52.820
And so it's one of the
largest pipeline operators
00:10:52.820 --> 00:10:57.010
and they deliver 2.5
million barrels a day
00:10:57.010 --> 00:10:59.430
over 5,500 miles of pipeline,
00:10:59.430 --> 00:11:02.220
which makes it a very
large piece of infrastructure.
00:11:02.220 --> 00:11:07.220
And in terms of delivery of
key fuels to an operations,
00:11:08.910 --> 00:11:12.470
and that could impact
anywhere from airports to home
00:11:12.470 --> 00:11:17.470
heating, to transportation
delivery logistics companies.
00:11:17.970 --> 00:11:22.250
So that's kind of the larger
kind of tangible impacts
00:11:22.250 --> 00:11:25.740
that could happen even
with short-term disruptions.
00:11:25.740 --> 00:11:27.113
Moving to the next slide.
00:11:34.280 --> 00:11:38.260
So the group that was
allegedly responsible for this
00:11:38.260 --> 00:11:39.970
is a group called
DarkSide Hacking Group.
00:11:39.970 --> 00:11:43.510
And here, I don't wanna
focus too much on who they are,
00:11:43.510 --> 00:11:46.100
but this is just an example of that
00:11:46.100 --> 00:11:48.933
they're pretty well-organized
as an organization.
00:11:50.060 --> 00:11:54.170
They've been around
probably about a year or so,
00:11:54.170 --> 00:11:56.530
they have a website
that has a press room,
00:11:56.530 --> 00:11:59.763
a mailing list and
hotline for victims to call.
00:12:01.070 --> 00:12:03.790
They have a code of ethics
from what we can tell from open
00:12:03.790 --> 00:12:06.520
source information
that's out on the web.
00:12:06.520 --> 00:12:09.290
And so that they don't always,
00:12:09.290 --> 00:12:12.330
they don't attack hospitals
from what we understand
00:12:12.330 --> 00:12:15.823
and schools or
universities or non-profits.
00:12:16.670 --> 00:12:19.730
So that's just, and this is not to say,
00:12:19.730 --> 00:12:23.480
a question about their
ethical values here,
00:12:23.480 --> 00:12:27.060
but they're a much more
sophisticated group in terms
00:12:27.060 --> 00:12:30.700
of they have an ethos,
they have organizations
00:12:30.700 --> 00:12:33.940
for communication, and obviously
00:12:35.022 --> 00:12:36.848
they have the capability
00:12:36.848 --> 00:12:39.053
of conducting the ransomware operations.
00:12:41.193 --> 00:12:42.026
So, there's--
00:12:43.372 --> 00:12:45.260
Sorry to cut you
off here, but I'm not.
00:12:45.260 --> 00:12:48.970
So, I mean, is this a
legal thing I'm confused?
00:12:48.970 --> 00:12:51.520
Like why are they
allowed to have a website
00:12:51.520 --> 00:12:54.660
and like have a code of ethics?
00:12:54.660 --> 00:12:56.440
Like, is this something is like,
00:12:56.440 --> 00:12:57.790
I'm missing something here.
00:12:58.630 --> 00:13:01.852
Well, it's more
of, there really,
00:13:01.852 --> 00:13:05.100
what this slide is to say
is that they're organized,
00:13:05.100 --> 00:13:06.900
much more organized than just a group
00:13:06.900 --> 00:13:08.363
of people with computers.
00:13:09.500 --> 00:13:10.980
They have,
00:13:10.980 --> 00:13:14.220
nothing actually prevents
them from having a website
00:13:14.220 --> 00:13:15.800
per se,
00:13:15.800 --> 00:13:18.140
and nothing actually prevents
them from having an ethos
00:13:18.140 --> 00:13:20.180
or a mission statement
as an organization.
00:13:20.180 --> 00:13:21.593
So it's just,
00:13:22.870 --> 00:13:25.190
when we think about kind
of an organization going
00:13:25.190 --> 00:13:28.980
from playing Sandlot baseball to maybe,
00:13:28.980 --> 00:13:30.746
minor league pro baseball,
00:13:30.746 --> 00:13:33.310
they have mission
statements, you have coaching,
00:13:33.310 --> 00:13:35.967
you have a whole
infrastructure around it,
00:13:35.967 --> 00:13:37.110
not just the ball bat.
00:13:37.110 --> 00:13:42.110
And so that's really,
we're talking about, sorry.
00:13:42.360 --> 00:13:43.193
Oh, you do.
00:13:43.193 --> 00:13:44.950
But just to answer your question, also,
00:13:44.950 --> 00:13:46.610
a lot of these companies
00:13:46.610 --> 00:13:48.890
exist in countries
without extradition treaties
00:13:48.890 --> 00:13:50.400
to the United States.
00:13:50.400 --> 00:13:53.200
So this is like an
international environment,
00:13:53.200 --> 00:13:56.130
and they're very peculiar
about where they host
00:13:56.130 --> 00:13:58.590
their services to provide
them the greatest amount
00:13:58.590 --> 00:14:01.693
of flexibility based on local laws.
00:14:03.210 --> 00:14:04.579
Wow. Okay.
00:14:04.579 --> 00:14:05.412
Thank you.
00:14:09.156 --> 00:14:09.989
Okay.
00:14:11.447 --> 00:14:15.640
So this DarkSide is an organized group,
00:14:15.640 --> 00:14:18.310
and there are other
organized groups like DarkSide,
00:14:18.310 --> 00:14:20.739
this is just to demonstrate that
00:14:20.739 --> 00:14:23.360
it's an organization
behind these groups.
00:14:23.360 --> 00:14:26.150
There's a level of professionalism
behind these groups,
00:14:26.150 --> 00:14:28.460
regardless of whether their
service or products that they're
00:14:28.460 --> 00:14:31.780
actually providing.
00:14:31.780 --> 00:14:34.243
So moving to the next slide.
00:14:38.810 --> 00:14:40.610
Just that we wanted to show this slide,
00:14:40.610 --> 00:14:44.250
because we wanted to give
people a feel for how these things
00:14:44.250 --> 00:14:46.550
kind of potentially happen.
00:14:46.550 --> 00:14:50.530
This is not a screenshot
from the DarkSide ransomware
00:14:50.530 --> 00:14:53.090
during event with Colonial Pipeline,
00:14:53.090 --> 00:14:55.790
but it is kind of what the
thing that people will see.
00:14:56.740 --> 00:14:59.980
And we just wanted to ground
it a little bit with this image
00:14:59.980 --> 00:15:03.690
where it kind of notifies that
files have been encrypted.
00:15:03.690 --> 00:15:05.280
There's a ransom amount,
00:15:05.280 --> 00:15:07.160
and then time until the
ransom is increased,
00:15:07.160 --> 00:15:09.330
or files are encrypted permanently,
00:15:09.330 --> 00:15:11.190
as well as potentially any other demands
00:15:11.190 --> 00:15:13.950
that are part of what the group wants.
00:15:13.950 --> 00:15:16.380
And this is something
that somebody would see
00:15:16.380 --> 00:15:17.233
on their screen.
00:15:18.640 --> 00:15:23.640
So it's not a subtle email or
a large press announcement.
00:15:25.380 --> 00:15:28.190
It's pretty targeted in terms of
the communication from what
00:15:28.190 --> 00:15:29.023
we've seen.
00:15:29.920 --> 00:15:31.323
Going to the next slide.
00:15:34.430 --> 00:15:37.520
So just to walk through
the timeline of events,
00:15:37.520 --> 00:15:42.290
and so on May 6th, there
was an initial intrusion and theft,
00:15:42.290 --> 00:15:44.960
meaning that they got
access to the network,
00:15:44.960 --> 00:15:49.960
and they were able to encrypt
data and then threatened
00:15:49.970 --> 00:15:51.630
to leak it to the internet.
00:15:51.630 --> 00:15:56.630
On May 7th, they continue,
there was an assessment done
00:15:59.100 --> 00:16:01.690
there was network, I'm sorry, the ransomware
00:16:01.690 --> 00:16:05.230
affected billing
and accounting systems.
00:16:05.230 --> 00:16:08.970
And so what Colonial Pipeline
did is basically they took
00:16:08.970 --> 00:16:12.650
certain systems offline
to contain the threat.
00:16:12.650 --> 00:16:17.060
And so, the Colonial
Pipeline ransomware attack
00:16:17.060 --> 00:16:20.420
primarily affected
information technology.
00:16:20.420 --> 00:16:25.160
It did not affect the actual
operational technology,
00:16:25.160 --> 00:16:29.600
meaning that the
programs and the machines
00:16:29.600 --> 00:16:34.600
that impacts the direct
physical operation of the pipeline.
00:16:35.850 --> 00:16:38.320
And so this was really
more billing and accounting
00:16:38.320 --> 00:16:39.950
information pieces,
00:16:39.950 --> 00:16:44.680
but what was happening is
that because they couldn't bill
00:16:44.680 --> 00:16:47.223
and then they can't really deliver either.
00:16:49.200 --> 00:16:53.410
And so on the seventh, Colonial
Pipeline paid the ransom,
00:16:56.040 --> 00:16:58.813
and it was valued
approximately at $4.4 million.
00:16:59.760 --> 00:17:04.053
And that allowed the company
to get the decryption key
00:17:04.053 --> 00:17:07.070
and then began the recovery process.
00:17:07.070 --> 00:17:09.180
Now one would think, oh you know what,
00:17:09.180 --> 00:17:11.550
it's really great to just,
00:17:11.550 --> 00:17:13.830
we got decrypted the data,
00:17:13.830 --> 00:17:15.880
and now we can be back up and running,
00:17:15.880 --> 00:17:18.820
but there's a tail to this
in terms of the recovery
00:17:18.820 --> 00:17:21.980
where just because
the data was decrypted,
00:17:21.980 --> 00:17:26.860
that does the group, also the
company go back and assess,
00:17:26.860 --> 00:17:29.160
actually do a full
assessment of their network
00:17:30.210 --> 00:17:32.130
and their systems to
make sure that things
00:17:32.130 --> 00:17:34.230
are not still embedded there,
00:17:34.230 --> 00:17:37.500
or they're not gonna be
vulnerable to another attack again.
00:17:37.500 --> 00:17:42.500
So there's a bit of a lag in
terms of the ransom is paid
00:17:42.800 --> 00:17:45.420
and then there's time
that's gonna happen.
00:17:45.420 --> 00:17:47.340
Usually, like for an example, if,
00:17:47.340 --> 00:17:50.350
to make it analogous
to a kidnapping situation,
00:17:50.350 --> 00:17:52.060
you pay the ransom
and usually the person
00:17:52.060 --> 00:17:52.893
you get the person back.
00:17:52.893 --> 00:17:55.990
And then the situation is pretty
much over for the most part
00:17:55.990 --> 00:17:57.980
in terms of the hostage situation,
00:17:57.980 --> 00:18:01.350
but here there's a lot more
recovery that's involved.
00:18:01.350 --> 00:18:05.320
So what happened on May
9th is that the Department of
00:18:05.320 --> 00:18:09.480
Transportation issued a
regional emergency declaration,
00:18:09.480 --> 00:18:12.530
which allowed for just
the relaxation of labor laws,
00:18:13.570 --> 00:18:14.660
governing drivers,
00:18:14.660 --> 00:18:17.890
and allowed them to
keep fuel supplies open
00:18:17.890 --> 00:18:19.210
for that period of time.
00:18:19.210 --> 00:18:23.000
And then on the 12th
Colonial Pipeline restarts
00:18:23.000 --> 00:18:24.890
the operations.
00:18:24.890 --> 00:18:28.950
What was interesting also
about this is about fast-forward
00:18:28.950 --> 00:18:33.950
about maybe a month and US
Department of Justice recovers,
00:18:35.110 --> 00:18:39.490
probably about 2.3
million of that ransom,
00:18:39.490 --> 00:18:40.980
which was very interesting.
00:18:40.980 --> 00:18:44.050
There's very little actually about that.
00:18:44.050 --> 00:18:46.200
But the fact that they
were able to do that
00:18:47.310 --> 00:18:51.820
was kind of a situation where
a lot of people didn't think
00:18:51.820 --> 00:18:55.168
that Department of Justice or
ransoms could be recovered,
00:18:55.168 --> 00:18:59.180
but means and methods are not,
00:18:59.180 --> 00:19:02.330
or have not been widely
shared on how that was done,
00:19:02.330 --> 00:19:04.553
but they did report that that was done.
00:19:06.140 --> 00:19:08.433
Moving on to the next slide.
00:19:10.490 --> 00:19:14.020
So just to take this outside
of just Colonial Pipeline
00:19:14.020 --> 00:19:15.300
and their systems,
00:19:15.300 --> 00:19:19.650
what we did see as a short-term
price increase and shortages
00:19:19.650 --> 00:19:23.220
that were driven by
panic rather than supply,
00:19:23.220 --> 00:19:26.470
given that it was about a five
day event where the pipelines
00:19:26.470 --> 00:19:31.470
were down, we saw demand
spike about 20% for gasoline.
00:19:32.100 --> 00:19:37.100
And then also the national
average push the up
00:19:37.520 --> 00:19:41.900
7 cents for gasoline to $3 and 3 cents,
00:19:41.900 --> 00:19:45.820
which is I'd love to pay
$3 and 3 cents for gasoline
00:19:45.820 --> 00:19:47.450
in California.
00:19:47.450 --> 00:19:49.310
But that's just to put that in context,
00:19:49.310 --> 00:19:50.390
that's the national average,
00:19:50.390 --> 00:19:52.620
and it increased that
in person to 7 cents.
00:19:55.170 --> 00:19:59.410
Okay. So moving on to the next slide.
00:19:59.410 --> 00:20:04.290
So what this Colonial
Pipeline case study,
00:20:04.290 --> 00:20:08.760
as well as other ransom
cybersecurity events have
00:20:08.760 --> 00:20:11.453
brought up is some challenges.
00:20:13.175 --> 00:20:16.230
And so we just kind of picked
two of the bigger ones that
00:20:16.230 --> 00:20:21.230
we've seen in our interactions
and just looking at various
00:20:22.070 --> 00:20:25.593
other cyber security
incidents out there,
00:20:27.280 --> 00:20:30.513
and to go into the next slide here,
00:20:32.220 --> 00:20:35.640
the first one is really the
ransom payments, right.
00:20:35.640 --> 00:20:39.210
To pay, not to pay and who has to pay.
00:20:39.210 --> 00:20:42.110
Those are really the three
questions associated with that.
00:20:43.402 --> 00:20:47.010
The Colonial Pipeline
paid, they paid the ransom,
00:20:47.010 --> 00:20:48.830
and then however,
00:20:48.830 --> 00:20:51.280
the federal government and
government stance has been don't
00:20:51.280 --> 00:20:52.900
pay the ransom.
00:20:52.900 --> 00:20:56.360
So then the quandary
there is, okay, well, do I pay,
00:20:56.360 --> 00:20:58.830
or do I let this piece of
infrastructure just sit there
00:20:58.830 --> 00:21:01.320
and not operate right.
00:21:01.320 --> 00:21:02.763
And have national impacts?
00:21:04.100 --> 00:21:06.610
The other side of this is that
actually insurance companies
00:21:06.610 --> 00:21:08.060
have a major role in this
00:21:09.201 --> 00:21:12.360
and a lot of it has to do with
how the ransom gets paid
00:21:12.360 --> 00:21:14.640
and what the company does and the things
00:21:14.640 --> 00:21:17.690
that they need to do
actually govern whether or not
00:21:18.530 --> 00:21:21.320
they're covered under their
cyber security insurance.
00:21:21.320 --> 00:21:26.320
So it's a big thing in terms
of creating a preparedness,
00:21:26.360 --> 00:21:30.140
but also they do have a very
large thing in this who gets
00:21:30.140 --> 00:21:31.340
paid and how they get paid,
00:21:31.340 --> 00:21:34.203
but also how the companies
go about their business too.
00:21:36.070 --> 00:21:38.520
So any questions about
this challenge number one?
00:21:42.290 --> 00:21:44.333
Okay. Moving to challenge number two.
00:21:48.320 --> 00:21:52.003
So this is really the
big piece, not just,
00:21:53.540 --> 00:21:55.810
it's not just computers
going back to the people's
00:21:55.810 --> 00:21:59.830
situations and the organizational
situation where there's
00:21:59.830 --> 00:22:01.980
a multitude of players and processes
00:22:01.980 --> 00:22:04.400
associated with cybersecurity.
00:22:04.400 --> 00:22:08.100
And that is one of the
big challenges in terms of
00:22:09.070 --> 00:22:13.400
how we work forward, how
we respond, recover, prepare,
00:22:13.400 --> 00:22:18.400
and mitigate, and then
evolve in that cycle to actually,
00:22:19.170 --> 00:22:20.640
be prepared for cyber security,
00:22:20.640 --> 00:22:25.640
because that mitigation is a
sort of a never ending cycle.
00:22:27.400 --> 00:22:30.420
There's always someone who's
gonna be smarter and better.
00:22:30.420 --> 00:22:34.890
And then you got to match
that, or be better than that.
00:22:34.890 --> 00:22:37.810
And so, it's an ongoing cycle with that,
00:22:37.810 --> 00:22:41.630
but it does show a large
set of kind of what we call
00:22:41.630 --> 00:22:45.610
the alphabet soup of, DOD FEMA,
00:22:48.910 --> 00:22:53.163
DOE, Department of
Energy, DHS, cyber security.
00:22:54.724 --> 00:22:55.557
You can see.
00:22:57.960 --> 00:23:00.800
There's the NIST who
provides frameworks
00:23:00.800 --> 00:23:03.090
and guidance, and then there's UL.
00:23:03.090 --> 00:23:04.050
And there's, there's,
00:23:04.050 --> 00:23:06.520
there's a lot of people
involved with this and there's,
00:23:06.520 --> 00:23:09.970
it's not just one person
that has the silver bullet
00:23:11.928 --> 00:23:15.530
in terms of cyber
security and ensuring that,
00:23:15.530 --> 00:23:18.623
we're mitigating and
ready for cyber attacks.
00:23:19.694 --> 00:23:22.020
And so that is kind of a big
challenge because we have
00:23:22.020 --> 00:23:24.170
technology evolving very quickly.
00:23:24.170 --> 00:23:27.640
And then we also have this
wide range of stakeholders
00:23:27.640 --> 00:23:32.630
that may not have a full
ownership stake in the issue
00:23:32.630 --> 00:23:34.123
or that specific issue.
00:23:35.290 --> 00:23:39.170
Let's say it's a piece
of critical infrastructure,
00:23:39.170 --> 00:23:43.570
but they do have a stake in
sometimes the consequences
00:23:43.570 --> 00:23:46.790
of that infrastructure,
not being operational.
00:23:46.790 --> 00:23:49.860
So a lot of people
involved, which is great,
00:23:49.860 --> 00:23:52.900
but also getting our arms
around and herding those cats
00:23:52.900 --> 00:23:56.830
is also very critical in
terms of making sure
00:23:56.830 --> 00:24:00.330
that we're installed
and ready for things
00:24:00.330 --> 00:24:02.470
and able to mitigate or respond
00:24:02.470 --> 00:24:04.593
and recover from cyber attacks.
00:24:06.000 --> 00:24:08.750
So what that means
for us as sort of our IOUs
00:24:08.750 --> 00:24:13.750
and as a regulator and IOUs
00:24:15.680 --> 00:24:19.030
and a lot of it is bringing
these folks together
00:24:19.030 --> 00:24:24.030
and ensuring that they're
coordinated, they're connected.
00:24:25.250 --> 00:24:27.670
If there's a response that
they've met each other before
00:24:27.670 --> 00:24:29.270
that they have process and procedures
00:24:29.270 --> 00:24:31.250
that they're integrated,
00:24:31.250 --> 00:24:34.070
obviously working with DOD
is very different than working
00:24:34.070 --> 00:24:38.500
with someone like Department
of Energy, different cultures,
00:24:38.500 --> 00:24:41.720
different ways of doing
business, different resources too.
00:24:41.720 --> 00:24:44.350
And so bringing
everybody together early on,
00:24:44.350 --> 00:24:46.060
and we've been working with Calla,
00:24:46.060 --> 00:24:48.740
we asked the council to do that,
00:24:48.740 --> 00:24:52.300
is to bring all these players together,
00:24:52.300 --> 00:24:54.060
all the best thinking the process
00:24:54.060 --> 00:24:58.530
and the players and the
processes together to make sure
00:24:58.530 --> 00:25:00.920
that one, everybody's working together
00:25:00.920 --> 00:25:04.070
because there's stakes,
everybody has a stake in it.
00:25:04.070 --> 00:25:06.255
FEMA has consequence management.
00:25:06.255 --> 00:25:09.800
DHS has very specific
technical cyber security
00:25:09.800 --> 00:25:13.360
responsibilities, Cal OES acts
as consequence management.
00:25:13.360 --> 00:25:18.330
And the council has also
very specific cyber security
00:25:18.330 --> 00:25:21.350
responsibilities too, as lead
agency within our state
00:25:21.350 --> 00:25:22.830
of California.
00:25:22.830 --> 00:25:24.630
So really what it is,
00:25:24.630 --> 00:25:27.180
is bringing the stakeholders together
00:25:27.180 --> 00:25:30.590
and bringing our IOUs
and giving them access,
00:25:30.590 --> 00:25:33.770
but also helping build
that team that we need
00:25:34.794 --> 00:25:37.044
to be able to respond,
recover, and mitigate.
00:25:39.110 --> 00:25:43.313
So that is all I have for this.
00:25:44.530 --> 00:25:45.363
Any questions?
00:25:48.030 --> 00:25:49.880
Thank you, Jay.
00:25:49.880 --> 00:25:50.990
Dan, anything else?
00:25:50.990 --> 00:25:52.140
And then we'll open up.
00:25:58.220 --> 00:25:59.850
Nothing additional.
00:25:59.850 --> 00:26:01.053
Okay. All right.
00:26:02.237 --> 00:26:05.900
Commissioner Shiroma, I
have a question, it's Marybel.
00:26:05.900 --> 00:26:07.780
Yes, what about it?
00:26:07.780 --> 00:26:10.100
I don't mean to jump
ahead if I'm interrupting you,
00:26:10.100 --> 00:26:11.063
I apologize.
00:26:12.959 --> 00:26:14.480
No, you're fine.
00:26:14.480 --> 00:26:18.220
Okay, Jim, I was
just wondering,
00:26:18.220 --> 00:26:23.113
you mentioned coordinating
with Cal-CSIC at the end.
00:26:24.030 --> 00:26:26.460
And Dan and I kind of
lived through a little bit
00:26:26.460 --> 00:26:30.610
of this together when it
all happened with Colonial.
00:26:30.610 --> 00:26:34.990
And I'm just wondering if you
could explain the coordination
00:26:34.990 --> 00:26:38.110
without obviously revealing
things that we can't publicly,
00:26:38.110 --> 00:26:41.170
but if you could reveal a
little bit how the coordination
00:26:41.170 --> 00:26:45.933
works at the state
level with Cal OES.
00:26:47.234 --> 00:26:50.097
And the CSIC and what the CSIC does
00:26:50.097 --> 00:26:52.830
and who is the lead agency.
00:26:52.830 --> 00:26:56.340
I think the Commissioners
would benefit from hearing that.
00:26:56.340 --> 00:26:57.290
Absolutely. Okay.
00:26:58.240 --> 00:27:00.420
So the Cal-CSIC,
00:27:00.420 --> 00:27:04.174
based out of California
is the state agency lead
00:27:04.174 --> 00:27:06.840
for cybersecurity at large,
00:27:06.840 --> 00:27:10.720
but they are also a
combination of multiple agencies.
00:27:10.720 --> 00:27:12.430
So they have the California
Military Department,
00:27:12.430 --> 00:27:14.680
the California Highway Patrol,
00:27:14.680 --> 00:27:17.370
the California Department of Technology
00:27:17.370 --> 00:27:21.400
among many other
agencies included, excuse me,
00:27:21.400 --> 00:27:25.500
included in that group are
several of Jim's P analyst,
00:27:25.500 --> 00:27:29.810
as well as Jim have the
security clearances to allow them
00:27:29.810 --> 00:27:32.040
to have those discussions.
00:27:32.040 --> 00:27:35.030
And there's an important
additional aspect
00:27:35.030 --> 00:27:35.863
of the Cal-CSIC,
00:27:35.863 --> 00:27:40.390
which is embedded
federal cybersecurity entities.
00:27:40.390 --> 00:27:44.570
And so as these
incidents start to unfold,
00:27:44.570 --> 00:27:47.850
we can provide our expertise
to the Cal-CSIC to help them
00:27:47.850 --> 00:27:50.920
understand what the
potential impacts are to ensure
00:27:50.920 --> 00:27:52.650
that they get to the
right point of contact
00:27:52.650 --> 00:27:55.083
if they don't have them with the IOUs.
00:27:56.070 --> 00:27:57.643
And then also just to ensure,
00:27:59.240 --> 00:28:01.820
that those coordinations
have happened beforehand.
00:28:01.820 --> 00:28:04.320
So when everyone pulls
out their phone books,
00:28:04.320 --> 00:28:06.263
they know exactly who to dial to.
00:28:07.474 --> 00:28:08.550
And there's not this like,
00:28:08.550 --> 00:28:12.370
who should I call, I'm
uncertain because that hesitation
00:28:12.370 --> 00:28:14.693
obviously can be a big
impediment to respond.
00:28:18.530 --> 00:28:23.530
So then Dan let's go
into real time as we can
00:28:23.650 --> 00:28:24.483
for a second.
00:28:24.483 --> 00:28:26.880
So when there is say a ransom attack,
00:28:26.880 --> 00:28:29.593
and we're notified of it by FBI,
00:28:29.593 --> 00:28:33.810
and hopefully not the
media first, but whatever,
00:28:33.810 --> 00:28:38.323
our first reach out, my
understanding is to Cal-CSIC.
00:28:39.230 --> 00:28:44.000
And then we do the real
fast reach out to those entities
00:28:44.000 --> 00:28:47.240
we regulate who may be
impacted, is that correct?
00:28:47.240 --> 00:28:48.896
Or is that the wrong sequence?
00:28:48.896 --> 00:28:50.173
That's correct.
00:28:53.490 --> 00:28:56.690
I just wanted to make sure
that my fellow Commissioners
00:28:56.690 --> 00:28:59.260
knew that because that sequence,
00:28:59.260 --> 00:29:02.620
I know currently there may
be changes in the future,
00:29:02.620 --> 00:29:05.280
but currently that that
sequence is very important
00:29:05.280 --> 00:29:10.280
to the Cal-CSIC and then
that we're immediately,
00:29:10.420 --> 00:29:13.870
as soon as we possibly
know it are in the loop
00:29:13.870 --> 00:29:14.770
with Cal-CSIC.
00:29:14.770 --> 00:29:15.670
So thank you, Dan.
00:29:15.670 --> 00:29:16.960
And thank you, Jim.
00:29:16.960 --> 00:29:18.620
And thank you, Commissioner Shiroma
00:29:18.620 --> 00:29:20.270
for letting me ask that question.
00:29:22.070 --> 00:29:23.057
Thank you, President Batjer,
00:29:23.057 --> 00:29:28.057
that's very important and
helpful information in any of us,
00:29:28.550 --> 00:29:33.290
maybe loosely aware of some
of these things in the media
00:29:33.290 --> 00:29:34.223
and so forth.
00:29:35.317 --> 00:29:40.317
It's important for our team
to be able to respond quickly.
00:29:41.370 --> 00:29:44.710
And it's good to know that
there is a team there's a set of
00:29:44.710 --> 00:29:48.990
protocols, that's phone numbers
and working relationships,
00:29:48.990 --> 00:29:51.100
rather than just calling
somebody that you've never talked
00:29:51.100 --> 00:29:54.330
to before never met before
those working relationships
00:29:54.330 --> 00:29:56.170
are really key.
00:29:56.170 --> 00:30:01.170
This information today from
Jim and Dan as to here in this
00:30:01.490 --> 00:30:03.920
fashion is, is quite stunning,
00:30:03.920 --> 00:30:06.400
but it's important for us to know.
00:30:06.400 --> 00:30:08.963
Other Commissioners,
questions or comments.
00:30:16.340 --> 00:30:17.453
Okay.
00:30:18.980 --> 00:30:20.100
Thank you.
00:30:20.100 --> 00:30:21.630
Thank you, Dan.
00:30:21.630 --> 00:30:22.470
Thank you, Jim.
00:30:22.470 --> 00:30:24.803
Keep up the good work or catalog it.
00:30:27.370 --> 00:30:28.743
Thank you both very much.
00:30:33.614 --> 00:30:37.490
All right. Back to
you, President Batjer.
00:30:37.490 --> 00:30:42.490
Okay. I think we're now moving
on to the risk and compliance
00:30:43.840 --> 00:30:47.863
branch for their briefing.
00:30:48.890 --> 00:30:52.870
I believe I saw Angie coming on earlier.
00:30:52.870 --> 00:30:56.130
I'm not quite sure who's
going to do this presentation.
00:30:56.130 --> 00:30:59.463
Rachel, are you sorry, I
don't have those notes.
00:31:01.170 --> 00:31:04.450
I'll introduce President Batjer.
00:31:04.450 --> 00:31:07.483
And then we will hear
from Rachel and Angie.
00:31:11.300 --> 00:31:14.840
So, again, thanks to Jim and Dan
00:31:14.840 --> 00:31:17.670
for the Emerging Trends
Committee presentation.
00:31:17.670 --> 00:31:22.670
Now we will turn to Finance
and Administration Committee.
00:31:23.380 --> 00:31:27.650
We have a presentation
from director Angie Williams
00:31:27.650 --> 00:31:31.420
on the Commission's risks
identified as part of the State
00:31:31.420 --> 00:31:35.063
Leadership and
Accountability Act or SLAA.
00:31:36.800 --> 00:31:40.220
I'm gonna introduce Director Williams.
00:31:40.220 --> 00:31:44.290
We will then hear from Executive
Director, Rachel Peterson,
00:31:44.290 --> 00:31:48.190
and then hear Angie's presentation.
00:31:48.190 --> 00:31:50.880
So Director Williams we'll
walk us through the identified
00:31:50.880 --> 00:31:55.880
SLAA risks, our response
action plans and milestones.
00:31:56.150 --> 00:31:59.880
We will also hear about the
status of implementing audit
00:31:59.880 --> 00:32:03.830
recommendations from our
control agencies and audits
00:32:03.830 --> 00:32:05.363
that are in progress.
00:32:06.400 --> 00:32:09.160
How can I, as co-chairs of the Finance
00:32:09.160 --> 00:32:10.990
and Administration Committee
00:32:10.990 --> 00:32:14.720
received a pre-brief from
director Williams as part
00:32:14.720 --> 00:32:18.573
of the work towards
strategic directive 12 on this,
00:32:19.770 --> 00:32:21.650
Angie Williams has served as Director
00:32:21.650 --> 00:32:23.800
of the Commission's Utility Audits,
00:32:23.800 --> 00:32:28.800
Risk and Compliance
Division since April of 2019.
division since April of 2019.
00:32:28.910 --> 00:32:30.360
Prior to joining the Commission,
00:32:30.360 --> 00:32:34.040
Angie worked at the California
Department of Finance
00:32:34.040 --> 00:32:35.510
for 19 years,
00:32:35.510 --> 00:32:39.470
leading complex audits and
revamping the State Leadership
00:32:39.470 --> 00:32:41.500
and Accountability Act.
00:32:41.500 --> 00:32:46.140
And Angie holds a
bachelor's of arts in accounting
00:32:46.140 --> 00:32:48.960
from California State
University at Chico.
00:32:48.960 --> 00:32:49.900
Now, at this point,
00:32:49.900 --> 00:32:53.210
I'm gonna turn the mic over
to our Executive Director,
00:32:53.210 --> 00:32:54.760
Rachel Peterson,
00:32:54.760 --> 00:32:57.600
for some additional introductory remarks
00:32:57.600 --> 00:32:59.970
and both Executive Director Peterson,
00:32:59.970 --> 00:33:02.863
and Angie will be
available during the Q&A.
00:33:05.070 --> 00:33:06.420
Executive Director Peterson.
00:33:08.170 --> 00:33:09.970
Good morning,
Commissioner Shiroma,
00:33:09.970 --> 00:33:11.500
President Batjer and Commissioners.
00:33:11.500 --> 00:33:14.280
Thank you very much for
the opportunity to be here
00:33:14.280 --> 00:33:15.113
this morning.
00:33:15.113 --> 00:33:20.010
I actually can't let the
last presentation go
00:33:20.010 --> 00:33:22.400
without just two connecting points.
00:33:22.400 --> 00:33:23.350
Number one,
00:33:23.350 --> 00:33:27.160
where James chose spoke
about the human elements
00:33:27.160 --> 00:33:30.670
of our vulnerability to
cyber security threats,
00:33:30.670 --> 00:33:35.210
our own IT department
sends out and requires
00:33:35.210 --> 00:33:40.210
all staff to take an annual
cyber security awareness
00:33:40.530 --> 00:33:42.730
training in order to
cut down on the risk
00:33:42.730 --> 00:33:43.960
that we will fall subject
00:33:43.960 --> 00:33:47.100
to one of those phishing email scams.
00:33:47.100 --> 00:33:49.060
So small plug all staff,
00:33:49.060 --> 00:33:51.660
please complete your cyber
security awareness training
00:33:51.660 --> 00:33:53.800
for 2021.
00:33:53.800 --> 00:33:58.770
And then just as we turn to
Angie and her presentation,
00:33:58.770 --> 00:34:02.270
cybersecurity is one of
those emerging threats.
00:34:02.270 --> 00:34:04.380
We've all become
much more familiar with it
00:34:04.380 --> 00:34:06.660
over the last several years,
00:34:06.660 --> 00:34:10.400
but it is one of those
threats to the CPUC's ability
00:34:10.400 --> 00:34:12.410
to execute on our mission.
00:34:12.410 --> 00:34:16.730
It's both a threat to us as
an agency and to the utilities
00:34:16.730 --> 00:34:17.793
that we regulate.
00:34:18.900 --> 00:34:23.900
And so that's just one example
of the importance of work
00:34:24.015 --> 00:34:28.710
by director Angie
Williams, as she works with
00:34:28.710 --> 00:34:30.380
myself and our senior management,
00:34:30.380 --> 00:34:34.490
and with you Commissioners
to use different tools,
00:34:34.490 --> 00:34:38.303
different cycles, different
reports to assess risks,
00:34:38.303 --> 00:34:42.620
establish management
practices that mitigate against
00:34:42.620 --> 00:34:46.850
those risks and then drill down
and see how well we're doing
00:34:46.850 --> 00:34:49.523
on actual achievement
of that mitigation.
00:34:51.166 --> 00:34:53.700
So I really thank you for asking
00:34:53.700 --> 00:34:55.490
for this presentation today.
00:34:55.490 --> 00:34:58.500
I think Angie's work is very
important and I'm very glad
00:34:58.500 --> 00:35:01.420
that she'll be able to
give you the snapshot
00:35:01.420 --> 00:35:05.670
of this year's State
Leadership Accountability Act,
00:35:05.670 --> 00:35:08.470
risk assessment that
we're about to submit.
00:35:08.470 --> 00:35:09.690
Thank you very much. All right.
00:35:09.690 --> 00:35:10.683
Over to you, Angie.
00:35:12.530 --> 00:35:14.390
Hey, good morning, thank you.
00:35:14.390 --> 00:35:17.180
Again, my name is Angie
Williams and I'm the Director
00:35:17.180 --> 00:35:20.363
of the Utility Audits, Risk
and Compliance Division.
00:35:21.580 --> 00:35:23.313
We go to the next slide.
00:35:26.350 --> 00:35:29.910
Today, I'm gonna be discussing
the background of the State
00:35:29.910 --> 00:35:32.320
Leadership Accountability
Act in case some of you are not
00:35:32.320 --> 00:35:33.250
familiar with it.
00:35:33.250 --> 00:35:35.640
And the walk you through
the risk process that we went
00:35:35.640 --> 00:35:36.910
through this year,
00:35:36.910 --> 00:35:40.550
I'll also discuss the five
SLAA risks that we identified,
00:35:40.550 --> 00:35:43.640
the action plans and the milestone date.
00:35:43.640 --> 00:35:46.220
I'll also provide a status
update for the internal
00:35:46.220 --> 00:35:48.723
and external audit
recommendations that we have,
00:35:49.630 --> 00:35:52.623
and also discuss the audits
that are currently in progress.
00:35:59.560 --> 00:36:02.130
So just a quick background,
as you guys mentioned,
00:36:02.130 --> 00:36:05.500
the State Leadership
Accountability Act is known as SLAA.
00:36:05.500 --> 00:36:08.620
It's a requirement in
the government code.
00:36:08.620 --> 00:36:10.793
So all state departments must comply.
00:36:12.467 --> 00:36:16.673
The report is due December
31st, 2021 and every odd year.
00:36:18.220 --> 00:36:21.550
And then we also will
submit implementation plans
00:36:21.550 --> 00:36:24.890
that are due every six months
to Department of Finance
00:36:24.890 --> 00:36:28.450
and other control agencies
are CC'd on that as well.
00:36:28.450 --> 00:36:32.290
And then our risk process
was a collaborative effort with
00:36:32.290 --> 00:36:35.840
the executive director and senior
management team where we
00:36:35.840 --> 00:36:39.360
sat down and we identified
our goals for the year and what
00:36:39.360 --> 00:36:43.190
risks could prevent us
from meeting those goals.
00:36:43.190 --> 00:36:45.730
And that's how we came
up with the risks that I'll share
00:36:45.730 --> 00:36:46.743
the next few slides.
00:36:53.110 --> 00:36:57.040
So risk one is the staff
recruitment, retention
00:36:57.040 --> 00:36:58.413
and staffing levels.
00:37:00.280 --> 00:37:02.450
Just so when I talk about action plans,
00:37:02.450 --> 00:37:04.790
I'm kind of using the word
action plan and controls
00:37:04.790 --> 00:37:08.030
interchangeably here in this situation,
00:37:08.030 --> 00:37:11.580
and may not read every
action plan just due to time.
00:37:11.580 --> 00:37:12.860
So if you have any questions,
00:37:12.860 --> 00:37:15.760
please feel free to stop me and ask.
00:37:15.760 --> 00:37:19.800
So in order to address this
risk of recruitment, retention,
00:37:19.800 --> 00:37:20.870
and staffing levels,
00:37:20.870 --> 00:37:23.743
we plan to update and
implement a recruitment plan.
00:37:24.690 --> 00:37:26.830
We want to update and
implement our workforce
00:37:26.830 --> 00:37:28.283
and succession plan.
00:37:29.120 --> 00:37:31.985
We're also doing activities
like changing our remaining
00:37:31.985 --> 00:37:35.200
in-person job exams to
make sure that they're online
00:37:35.200 --> 00:37:38.550
so we can hopefully get
more people participating.
00:37:38.550 --> 00:37:40.860
And then we also want to
support activities that have been
00:37:40.860 --> 00:37:44.373
developed by the diversity
equity and inclusion work group.
00:37:46.710 --> 00:37:47.543
Next.
00:37:51.423 --> 00:37:54.930
Two is workforce and succession planning.
00:37:54.930 --> 00:37:56.031
Oh, yes.
00:37:56.031 --> 00:37:57.540
Please go ahead.
00:37:57.540 --> 00:38:01.735
Commissioner (indistinct)
wanted to ask the question.
00:38:01.735 --> 00:38:02.913
Yeah.
00:38:03.780 --> 00:38:05.080
And none of the Commissioners wrong,
00:38:05.080 --> 00:38:06.930
if you prefer, we wait until the end,
00:38:06.930 --> 00:38:09.730
but I just had a very quick
question on that last slide,
00:38:15.090 --> 00:38:19.160
how many exams do you
happen to know how many exams
00:38:19.160 --> 00:38:20.623
are still not online?
00:38:22.490 --> 00:38:26.450
I believe we have two last
that we still wanna put online.
00:38:26.450 --> 00:38:30.200
I know for sure that we have
the financial examiner one that
00:38:30.200 --> 00:38:31.693
is not online currently.
00:38:32.660 --> 00:38:36.870
Okay. So we've gotten
most of exams are now online.
00:38:36.870 --> 00:38:38.510
Just a couple of them remaining.
00:38:38.510 --> 00:38:39.343
Yeah.
00:38:39.343 --> 00:38:42.500
So we have the engineer one
that was a big push last year
00:38:42.500 --> 00:38:45.000
that we worked on
getting that one online.
00:38:45.000 --> 00:38:47.300
And this year I know we're
working hard to get the financial
00:38:47.300 --> 00:38:48.533
examiner one online.
00:38:49.490 --> 00:38:50.860
Okay. Thank you.
00:38:57.425 --> 00:38:58.258
Thank you.
00:38:58.258 --> 00:38:59.133
Back to you, Angie.
00:39:00.590 --> 00:39:01.767
Next slide, risk two.
00:39:02.952 --> 00:39:03.785
Thank you.
00:39:03.785 --> 00:39:06.660
Here, we have workforce
and succession planning.
00:39:06.660 --> 00:39:09.530
So this is where really where
we want to reduce the risk
00:39:09.530 --> 00:39:11.680
of having a key person dependency issue,
00:39:11.680 --> 00:39:14.720
where maybe there's only
one person or one small group
00:39:14.720 --> 00:39:16.210
of people who know how to do something.
00:39:16.210 --> 00:39:17.860
So we really wanna plan for this.
00:39:19.130 --> 00:39:21.880
Here, we wanna finalize
and distribute our technical
00:39:21.880 --> 00:39:23.950
advice on knowledge management guide.
00:39:23.950 --> 00:39:27.610
That's it's a very detailed
knowledge transfer guide
00:39:27.610 --> 00:39:28.883
that we're drafting.
00:39:30.040 --> 00:39:30.873
We also, again,
00:39:30.873 --> 00:39:33.210
wanna update and implement
our workforce and succession
00:39:33.210 --> 00:39:34.430
plan items.
00:39:34.430 --> 00:39:35.920
And then we also hope to relaunch
00:39:35.920 --> 00:39:37.763
our Strategic Mentoring Program.
00:39:42.050 --> 00:39:42.883
Next.
00:39:47.236 --> 00:39:49.030
Here, risk three technology.
00:39:49.030 --> 00:39:50.920
This is a very common one,
00:39:50.920 --> 00:39:54.360
identify and usually through
all the state departments
00:39:54.360 --> 00:39:56.890
have this as one of
their highest risks usually.
00:39:56.890 --> 00:39:59.030
So for technology,
we have support tools,
00:39:59.030 --> 00:40:00.230
design, and maintenance.
00:40:01.450 --> 00:40:04.930
We wanna finalize our
scoring criteria and create
00:40:04.930 --> 00:40:09.620
an initial IT project
prioritization portfolios utilized
00:40:09.620 --> 00:40:12.060
by the Information Technology
Governance Committee
00:40:12.060 --> 00:40:13.363
that we have in place now.
00:40:14.540 --> 00:40:17.489
We will also wanna make
sure that we've updated
00:40:17.489 --> 00:40:21.180
our policies and procedures,
and we have them.
00:40:21.180 --> 00:40:24.140
We also want to establish a
uniform data retention policy
00:40:24.140 --> 00:40:25.160
for the Commission.
00:40:25.160 --> 00:40:28.720
We do have a data retention
policy and overarching one
00:40:28.720 --> 00:40:30.280
already in place,
00:40:30.280 --> 00:40:33.860
but we want to ensure that
each division has a more detailed
00:40:33.860 --> 00:40:37.840
plan that can really focus
on what we have stored
00:40:37.840 --> 00:40:41.123
on our systems in order
to create more storage.
00:40:44.749 --> 00:40:45.582
Next.
00:40:48.340 --> 00:40:52.010
Risk four is internal
controls and oversight,
00:40:52.010 --> 00:40:57.010
here we wanna complete an
enterprise wide safety program,
00:40:57.210 --> 00:40:59.730
assessment of CPUC's, organizational,
00:40:59.730 --> 00:41:01.960
and business safety systems.
00:41:01.960 --> 00:41:04.260
And then once we've
completed that assessment,
00:41:04.260 --> 00:41:06.900
we wanna initiate a
health and safety policies
00:41:06.900 --> 00:41:10.750
and programs to respond to
the findings that we identified
00:41:10.750 --> 00:41:12.460
in that assessment.
00:41:12.460 --> 00:41:15.470
And then we also want to
ensure through that assessment
00:41:15.470 --> 00:41:17.180
and the findings that
we implement that we're
00:41:17.180 --> 00:41:20.130
in accordance with OSHA and Cal/OSHA.
00:41:20.130 --> 00:41:22.610
So those are two big pushes
for this internal controls
00:41:22.610 --> 00:41:23.443
and oversight.
00:41:28.210 --> 00:41:33.210
Risk five, this one is
addressing CPUC's oversight
00:41:34.410 --> 00:41:36.980
of regulated utilities.
00:41:36.980 --> 00:41:41.040
Here, we're looking to develop
new water citation procedures
00:41:41.040 --> 00:41:44.150
to establish citation
programs for water companies
00:41:44.150 --> 00:41:48.410
that are in violation of
either our public utility code,
00:41:48.410 --> 00:41:50.293
Commission orders or general orders.
00:41:51.380 --> 00:41:54.220
We also really have been
working hard to implement audit
00:41:54.220 --> 00:41:57.723
recommendations to improve
our fiscal safety oversight.
00:41:59.180 --> 00:42:02.350
We also wanna refine
our reporting requirements
00:42:02.350 --> 00:42:05.580
for the utility risk spending
accountability reports.
00:42:05.580 --> 00:42:08.380
That's something that the
Energy Division is working on.
00:42:09.350 --> 00:42:12.300
Also, we have the utility audits branch.
00:42:12.300 --> 00:42:14.718
There's a new section in that branch
00:42:14.718 --> 00:42:16.510
with communication section.
00:42:16.510 --> 00:42:19.010
And so they're gonna be
completing some audits
00:42:19.010 --> 00:42:21.290
on different carriers this year.
00:42:21.290 --> 00:42:23.460
And then we're also gonna implement
00:42:23.460 --> 00:42:25.133
enforcement committee activities.
00:42:26.440 --> 00:42:29.490
We already have an
enforcement committee in place.
00:42:29.490 --> 00:42:31.890
So now we're working on
the details of the activities
00:42:31.890 --> 00:42:34.140
and the action plans
that we wanna implement.
00:42:38.486 --> 00:42:39.319
Next.
00:42:41.680 --> 00:42:45.420
Next I'll provide an update
on our audit recommendations.
00:42:45.420 --> 00:42:49.910
These are audits that have
been performed on the CPUC
00:42:49.910 --> 00:42:52.270
by either our internal audit group,
00:42:52.270 --> 00:42:54.820
known as IAS internal audit services
00:42:54.820 --> 00:42:56.533
or by control agencies.
00:43:00.920 --> 00:43:02.380
We've been tracking,
00:43:02.380 --> 00:43:04.490
as you can see on
the pie chart on the left,
00:43:04.490 --> 00:43:07.653
the internal audit ones since 2018,
00:43:08.815 --> 00:43:10.750
let's see, for internal audits,
00:43:10.750 --> 00:43:15.750
we've had a total of 49 audit
recommendations since 2018,
00:43:16.440 --> 00:43:20.210
and we've been able to
implement 32 of those already.
00:43:20.210 --> 00:43:22.090
We still have 15 of them in progress.
00:43:22.090 --> 00:43:24.070
That's what the orange shows.
00:43:24.070 --> 00:43:26.810
And then two that will
not be implemented
00:43:28.577 --> 00:43:32.090
just to give an example
of the will not implement it.
00:43:32.090 --> 00:43:35.500
In case you're curious is for example,
00:43:35.500 --> 00:43:38.040
our internal audit services has
suggested that we purchase
00:43:38.040 --> 00:43:42.270
some software to help
us track our inventory.
00:43:42.270 --> 00:43:44.450
And we've decided that
purchasing the software
00:43:44.450 --> 00:43:45.520
really isn't necessary.
00:43:45.520 --> 00:43:48.110
At this point, we can
really implement the control
00:43:48.110 --> 00:43:50.020
and have a good solid system in place
00:43:50.020 --> 00:43:52.300
by just utilizing Excel and expanding
00:43:52.300 --> 00:43:55.340
some more columns
on there that we track.
00:43:55.340 --> 00:43:57.820
So we've decided to use a
more cost effective approach
00:43:57.820 --> 00:43:59.970
there, and that's why
it's not implemented.
00:44:01.990 --> 00:44:05.260
And then for external auditing,
00:44:05.260 --> 00:44:10.140
we've had 237 audit recommendations,
00:44:10.140 --> 00:44:13.150
but this does go back to since 2012.
00:44:13.150 --> 00:44:17.490
And we've been very
aggressive lately and we've been
00:44:17.490 --> 00:44:19.740
cleaning up a lot of the
audit recommendations
00:44:19.740 --> 00:44:21.880
and implementing them and
strengthening our controls.
00:44:21.880 --> 00:44:26.880
So we're up to implementing
161 now, we have 68 remaining,
00:44:27.960 --> 00:44:30.383
and then we have eight
that will not implement.
00:44:36.440 --> 00:44:37.543
And then next,
00:44:38.670 --> 00:44:40.920
this is kind of the same
information presented
00:44:40.920 --> 00:44:41.753
a little different.
00:44:41.753 --> 00:44:44.540
This shows a little bit more
detail about the different
00:44:44.540 --> 00:44:46.630
control agencies that perform the audits
00:44:46.630 --> 00:44:50.750
and when they perform
them, as you can see,
00:44:50.750 --> 00:44:55.730
there's quite a jump in 2020
and 2021 for implementation.
00:44:55.730 --> 00:44:58.810
And that's really due
to the executive director
00:44:58.810 --> 00:45:00.350
Rachel's leadership.
00:45:00.350 --> 00:45:04.020
She has implemented a
new process of accountability
00:45:04.020 --> 00:45:05.870
and reporting,
00:45:05.870 --> 00:45:08.900
and just her support with risk
and compliance branch has
00:45:08.900 --> 00:45:11.740
really made this successful
effort and we continue
00:45:11.740 --> 00:45:12.950
to implement the control.
00:45:12.950 --> 00:45:15.290
So I greatly appreciate her support.
00:45:24.010 --> 00:45:24.933
Next slide.
00:45:27.357 --> 00:45:30.330
Is, these are the audits
that are in progress.
00:45:30.330 --> 00:45:35.069
So our internal audit shop here
at the CPUC is finishing up
00:45:35.069 --> 00:45:39.490
two of them, those are the
top two that started in 2019.
00:45:39.490 --> 00:45:41.190
Those are currently being reviewed
00:45:41.190 --> 00:45:43.550
by the chief acting chief.
00:45:43.550 --> 00:45:45.610
And then the other four below,
00:45:45.610 --> 00:45:47.868
there are ones that I've just begun.
00:45:47.868 --> 00:45:49.790
We've held entrance conferences.
00:45:49.790 --> 00:45:51.930
So they're just starting those audits
00:45:51.930 --> 00:45:53.570
in progress right now.
00:45:53.570 --> 00:45:56.550
And then we currently have
two external audits being performed
00:45:56.550 --> 00:45:57.383
right now.
00:45:57.383 --> 00:46:00.620
We have the State
Controller's Office is here doing
00:46:00.620 --> 00:46:03.800
a routine audit on the payroll process
00:46:03.800 --> 00:46:08.020
and their audit period
is covering July, 2018
00:46:08.020 --> 00:46:10.830
to June 30th, 2021,
00:46:10.830 --> 00:46:13.660
and they'll test their
standard nine areas.
00:46:13.660 --> 00:46:15.710
So that one's in progress right now.
00:46:15.710 --> 00:46:18.040
And then the other
audit going on right now
00:46:18.040 --> 00:46:21.580
is the California State Auditors
is here performing an audit
00:46:21.580 --> 00:46:24.650
on electrical system safety oversight,
00:46:24.650 --> 00:46:27.400
and their audit period is
covering the last five years.
00:46:29.280 --> 00:46:32.263
And again, they are both in progress.
00:46:34.790 --> 00:46:36.090
Do you have any questions?
00:46:38.410 --> 00:46:39.260
Thank you, Angie.
00:46:39.260 --> 00:46:42.363
I'm going turn to
President Batjer first.
00:46:44.150 --> 00:46:47.370
Thank you very much
Commissioner Shiroma and Angie,
00:46:47.370 --> 00:46:48.530
thank you so much.
00:46:48.530 --> 00:46:53.090
The progress you and your
team has made is impressive.
00:46:53.090 --> 00:46:57.380
I know you and I used to
meet more regularly than,
00:46:57.380 --> 00:47:00.670
and I haven't been able to
see some of these stats slightly,
00:47:00.670 --> 00:47:02.790
but I'm very, very impressed.
00:47:02.790 --> 00:47:07.790
And I also want to thank
Rachel Peterson for her insight
00:47:09.500 --> 00:47:12.900
and her leadership in making
sure that you had the resources
00:47:12.900 --> 00:47:15.300
you needed and the support you needed
00:47:15.300 --> 00:47:20.300
to get your goals and
objectives to the place
00:47:20.870 --> 00:47:22.310
that you wanted.
00:47:22.310 --> 00:47:25.200
And I know you have
always set very high,
00:47:25.200 --> 00:47:26.410
high standards for yourself.
00:47:26.410 --> 00:47:28.523
So I really, really appreciate it.
00:47:30.390 --> 00:47:32.130
And thank you too,
00:47:32.130 --> 00:47:34.800
for the update on the internal
audits, that was helpful too.
00:47:34.800 --> 00:47:38.790
So very good job, hats
off to you and your team.
00:47:38.790 --> 00:47:43.490
I know you came into a steep
climb and it seems like you
00:47:43.490 --> 00:47:45.380
have a mounted the summit.
00:47:45.380 --> 00:47:47.123
So thank you very much.
00:47:48.440 --> 00:47:49.990
Thank you. I appreciate that.
00:47:51.790 --> 00:47:53.813
Thank you, President Batjer.
00:47:55.640 --> 00:47:58.550
Commissioner Guzman, did
I see you raise your hands?
00:47:58.550 --> 00:48:00.050
Yeah, Commissioner Shiroma.
00:48:00.050 --> 00:48:00.883
Thank you.
00:48:00.883 --> 00:48:03.670
And it's really nice
to see virtually Angie.
00:48:03.670 --> 00:48:05.033
It's been some time.
00:48:06.540 --> 00:48:09.320
I also wanted to just thank you.
00:48:09.320 --> 00:48:13.870
So just reflecting on
how on-point these risks
00:48:16.250 --> 00:48:18.610
identification of risks are,
00:48:18.610 --> 00:48:21.680
and to see some of these action plans,
00:48:21.680 --> 00:48:26.680
and it gives me so much,
peace of mind, I guess,
00:48:27.030 --> 00:48:29.480
to see that we're working
on these everything
00:48:29.480 --> 00:48:34.300
from I didn't know there was
a new communication section
00:48:34.300 --> 00:48:36.059
on the telecommunication carriers.
00:48:36.059 --> 00:48:40.130
That's like this, an example
of things that have been
00:48:40.130 --> 00:48:43.930
maybe a little chronic
that are getting the attention
00:48:43.930 --> 00:48:45.363
they really deserve.
00:48:46.798 --> 00:48:50.750
So really congratulations
on the process that you use
00:48:50.750 --> 00:48:54.560
to determine these,
obviously from my perspective,
00:48:54.560 --> 00:48:56.773
seems to have yielded
the right priorities.
00:48:58.140 --> 00:48:59.880
Also, I just was wondering
00:49:00.729 --> 00:49:03.560
who makes up the information
00:49:03.560 --> 00:49:05.513
technology governance committee.
00:49:07.510 --> 00:49:10.680
It's executive or Rachel,
did you want to answer?
00:49:10.680 --> 00:49:12.520
Okay. I can have the sure.
00:49:12.520 --> 00:49:13.353
Yes.
00:49:15.340 --> 00:49:17.080
It's a model that's used,
00:49:17.080 --> 00:49:20.000
I think private and public
sector Commissioner.
00:49:20.000 --> 00:49:23.740
And it does require
executive level sponsorship.
00:49:23.740 --> 00:49:27.980
So I'm involved on the sponsor probably,
00:49:27.980 --> 00:49:29.630
our IT department.
00:49:29.630 --> 00:49:34.350
And then all of the substantive
divisions are involved
00:49:34.350 --> 00:49:36.500
as well at the senior level
00:49:36.500 --> 00:49:39.570
because they are the
ones that are developing.
00:49:39.570 --> 00:49:42.850
They have IT needs and project ideas.
00:49:42.850 --> 00:49:47.850
So the model is one in
which at that senior level,
00:49:47.980 --> 00:49:52.980
you have a process by which
to propose projects that come
00:49:53.950 --> 00:49:58.950
through a consensus
driven decision-making matrix
00:49:59.130 --> 00:50:02.860
and then select which ones
will benefit the organization
00:50:02.860 --> 00:50:03.693
and our mission,
00:50:03.693 --> 00:50:07.213
and therefore rise to the
top of the priority list for IT.
00:50:09.790 --> 00:50:13.030
How often do you
guys meet, Rachel?
00:50:13.030 --> 00:50:15.530
How frequently does the
Governance Committee meet?
00:50:16.880 --> 00:50:20.940
President Batjer, we're
aiming towards more regular
00:50:20.940 --> 00:50:22.100
systematic meetings.
00:50:22.100 --> 00:50:26.550
I would like for it to be
either bi-monthly or quarterly,
00:50:26.550 --> 00:50:28.823
we're still getting our
feet on the ground.
00:50:30.330 --> 00:50:33.430
As Ryan Dulin, our
Deputy Executive Director
00:50:33.430 --> 00:50:36.820
for internal operations
started mid-year this year.
00:50:36.820 --> 00:50:40.380
And so getting him
incorporated and integrated
00:50:40.380 --> 00:50:42.160
into it has taken a little bit of time
00:50:42.160 --> 00:50:44.580
alongside all of the
other work we're doing.
00:50:44.580 --> 00:50:49.270
My aim would be probably
bi-monthly to get ourselves up
00:50:49.270 --> 00:50:51.710
and running and then move to quarterly.
00:50:51.710 --> 00:50:53.600
There's a lot of work
that happens in between
00:50:53.600 --> 00:50:54.733
those meetings too.
00:50:56.040 --> 00:50:57.810
And maybe Rachel,
00:50:57.810 --> 00:51:00.380
you can reflect a little bit
for the benefit of the other
00:51:00.380 --> 00:51:01.620
Commissioners that we did.
00:51:01.620 --> 00:51:03.770
And Angie too,
00:51:03.770 --> 00:51:08.360
that we did have an outside
consultant that came in
00:51:08.360 --> 00:51:12.143
and helped design the
best practices if you will.
00:51:13.090 --> 00:51:16.110
And we did early on, when I
first came on the Commission,
00:51:16.110 --> 00:51:18.670
we consulted with CDT.
00:51:18.670 --> 00:51:23.670
It identified this as a
vulnerability when they came in.
00:51:23.950 --> 00:51:26.860
And you might remember that
I had them do that quick review
00:51:26.860 --> 00:51:30.500
at the very beginning
of the fall of '19.
00:51:30.500 --> 00:51:35.300
And they said, you need a
greater governance structure
00:51:35.300 --> 00:51:40.300
and that wards off hopefully
any kind of sale management
00:51:42.010 --> 00:51:44.463
or excuse me, IT programs.
00:51:46.770 --> 00:51:50.700
So that it's been a work
from the last frankly two years.
00:51:50.700 --> 00:51:52.533
So just FYI.
00:51:54.950 --> 00:51:58.113
Yes, you provided the
capital history very well,
00:51:59.528 --> 00:52:00.361
President Batjer.
00:52:00.361 --> 00:52:03.980
In itself, you could call it
an audit recommendation
00:52:03.980 --> 00:52:06.630
and then a management
practice that we're instituting
00:52:06.630 --> 00:52:08.910
to meet that audit recommendation.
00:52:08.910 --> 00:52:11.760
So it is definitely a work
in progress and something
00:52:11.760 --> 00:52:13.340
I'm very committed to,
00:52:13.340 --> 00:52:15.700
even though we're
definitely in the crawl phase
00:52:15.700 --> 00:52:17.133
of crawl walk run.
00:52:21.470 --> 00:52:25.670
Commissioner Guzman
Aceves, can you say anything else?
00:52:25.670 --> 00:52:26.913
Okay. All right.
00:52:27.810 --> 00:52:29.193
Yes, Commissioner Houck.
00:52:30.920 --> 00:52:33.620
I just wanted to thank Angie
and her team and Rachel
00:52:33.620 --> 00:52:37.270
for all their work and the
briefings would be audit
00:52:37.270 --> 00:52:40.270
and Finance Committee
and for Commissioner Shiroma
00:52:40.270 --> 00:52:43.020
for her leadership and
helping me get up to speed
00:52:43.020 --> 00:52:45.180
as a newer member to the committee.
00:52:45.180 --> 00:52:47.090
And just again,
00:52:47.090 --> 00:52:51.010
lots of progress and
appreciate all of the hard work.
00:52:51.010 --> 00:52:51.843
So thank you.
00:52:52.914 --> 00:52:53.747
Thank you.
00:52:54.941 --> 00:52:56.383
Commissioner Rechtschaffen.
00:52:56.383 --> 00:52:58.920
Angie, could you talk
a little bit more about
00:52:58.920 --> 00:53:01.273
the data retention policies?
00:53:02.370 --> 00:53:05.100
I know that we were 2 to 3 years ago,
00:53:05.100 --> 00:53:10.100
we were simply out of
compliance with state rules about
00:53:10.680 --> 00:53:15.113
that, it sounds like we're
there, but not completely there.
00:53:17.570 --> 00:53:18.620
Yes.
00:53:18.620 --> 00:53:21.280
So actually we are in compliance now
00:53:21.280 --> 00:53:22.720
with the state requirements.
00:53:22.720 --> 00:53:27.310
We have the overarching
data retention policy.
00:53:27.310 --> 00:53:30.820
We actually have
created a whole, not me,
00:53:30.820 --> 00:53:34.940
but ASB division has created
a whole SharePoint site about
00:53:34.940 --> 00:53:38.810
record management and
on there shows the policies
00:53:38.810 --> 00:53:41.580
and any other relevant
documents that people might need
00:53:41.580 --> 00:53:43.670
for contracts and other items.
00:53:43.670 --> 00:53:45.808
So we've made a lot
of progress in that area.
00:53:45.808 --> 00:53:50.808
So this risk is actually
starting to touch on our storage
00:53:51.000 --> 00:53:52.950
for the data in our systems.
00:53:52.950 --> 00:53:55.760
And then also just ensuring
that we're compliant.
00:53:55.760 --> 00:53:57.980
Often you create a plan and a goal,
00:53:57.980 --> 00:54:00.930
but sometimes we forget to
go back and delete those old
00:54:00.930 --> 00:54:03.650
emails, delete those old
documents that we have saved.
00:54:03.650 --> 00:54:05.930
So we also need to go
back and ensure that we're
00:54:05.930 --> 00:54:09.990
implementing the retention
policy and following it to allow
00:54:09.990 --> 00:54:13.360
for more storage and for
PR requests and other legal
00:54:13.360 --> 00:54:15.970
concerns that may come up
with keeping documents for years
00:54:15.970 --> 00:54:17.287
and years and years.
00:54:18.290 --> 00:54:20.880
Well, that was a follow up
question I was gonna have,
00:54:20.880 --> 00:54:22.190
have we done training
00:54:22.190 --> 00:54:27.190
and are we monitoring
whether or not the divisions
00:54:28.170 --> 00:54:29.943
are complying with the new rules?
00:54:30.820 --> 00:54:33.330
That's something that the
risk and compliance branches
00:54:33.330 --> 00:54:34.540
and to talk about with Rachel
00:54:34.540 --> 00:54:37.990
'cause I kind of went out and
did some research to see...
00:54:37.990 --> 00:54:40.880
We have a retention policy,
but is everyone aware of it?
00:54:40.880 --> 00:54:42.710
And so maybe doing a one more training,
00:54:42.710 --> 00:54:45.370
letting people know that the
retention policy is available,
00:54:45.370 --> 00:54:46.460
it's out there.
00:54:46.460 --> 00:54:50.010
And then also updating some
divisions has a more detailed
00:54:50.010 --> 00:54:53.010
retention policy, but they
may need to be updated.
00:54:53.010 --> 00:54:54.830
So making sure that those are current.
00:54:54.830 --> 00:54:57.510
So I think the risk and compliance
branch can certainly circle
00:54:57.510 --> 00:55:00.900
back and make sure that
we're implementing those
00:55:00.900 --> 00:55:03.700
recommendations that they
have for the retention policy.
00:55:05.810 --> 00:55:06.643
Thank you.
00:55:08.284 --> 00:55:09.284
Thank you.
00:55:10.170 --> 00:55:14.640
So Angie and Rachel, first of all,
00:55:14.640 --> 00:55:17.740
thank you for the
presentation, excellent.
00:55:17.740 --> 00:55:22.620
Really is important that
you're keeping a keen eye on
00:55:22.620 --> 00:55:26.990
resolving all of the pending
audit recommendations
00:55:28.350 --> 00:55:31.140
and pending in so far as resolving them.
00:55:31.140 --> 00:55:35.700
And he's heard recommendations
placed in final reports,
00:55:35.700 --> 00:55:40.700
assessing the CPUC
and the metrics are very,
00:55:42.470 --> 00:55:47.280
very, it's very important to
see the progress being made.
00:55:47.280 --> 00:55:49.120
Rachel, thank you.
00:55:49.120 --> 00:55:54.120
Now on risk five as a
Commissioner Guzman Aceves
00:55:56.200 --> 00:55:57.033
pointed out,
00:55:57.033 --> 00:55:59.810
it's really great to see
that there'll be a new
00:55:59.810 --> 00:56:04.680
communication section
for the utility audit branch
00:56:04.680 --> 00:56:06.630
to conduct and complete audits
00:56:06.630 --> 00:56:08.433
of telecommunication carriers.
00:56:09.350 --> 00:56:14.350
And I recall it's probably
been a year or more Angie,
00:56:16.160 --> 00:56:21.049
where you had indicated
at a resource need
00:56:21.049 --> 00:56:25.180
to have the resources
to conduct these audits.
00:56:25.180 --> 00:56:29.170
Do you have an update
on that in terms of
00:56:31.968 --> 00:56:35.928
what has been done since
then to assure that you can,
00:56:35.928 --> 00:56:38.300
that your branch can carry out,
00:56:38.300 --> 00:56:40.763
its very important requirements?
00:56:41.750 --> 00:56:45.190
Yeah, so kind of my other
hats that I wear is I'm also,
00:56:45.190 --> 00:56:48.610
I'm in charge of external
auditing and I believe that's what
00:56:48.610 --> 00:56:49.810
you're speaking on.
00:56:49.810 --> 00:56:51.630
So for external auditing, yes.
00:56:51.630 --> 00:56:55.210
I mean, resources are always
a concern, but we did receive.
00:56:55.210 --> 00:56:59.920
And the last round we
received three audit positions
00:56:59.920 --> 00:57:02.270
for communications specifically
00:57:02.270 --> 00:57:04.870
and we have filled those
positions and they have,
00:57:04.870 --> 00:57:06.710
when we've performed a risk assessment,
00:57:06.710 --> 00:57:09.850
we've determined our audit
objective and they are already
00:57:09.850 --> 00:57:14.760
currently out performing
field work on two companies
00:57:14.760 --> 00:57:15.593
right now.
00:57:16.970 --> 00:57:19.340
I'm very excited about the
progress that's been made with
00:57:19.340 --> 00:57:22.240
that 'cause we've never had a
communication section before
00:57:23.300 --> 00:57:24.133
for auditing.
00:57:25.380 --> 00:57:27.643
Congratulations
on that progress.
00:57:28.675 --> 00:57:29.925
That's very nice to hear.
00:57:31.430 --> 00:57:34.453
Any other questions or comments
from the Commissioners?
00:57:36.750 --> 00:57:37.730
All right.
00:57:37.730 --> 00:57:42.180
I'm going to return back to
Rachel for any concluding
00:57:42.180 --> 00:57:46.030
remarks and then
back to President Batjer.
00:57:46.030 --> 00:57:50.470
Should there be folks signed
up for public comments?
00:57:50.470 --> 00:57:51.303
Rachel.
00:57:52.440 --> 00:57:53.450
Thank you, Commissioner.
00:57:53.450 --> 00:57:57.810
Thank you all again for the
opportunity to have Angie
00:57:57.810 --> 00:58:00.580
and myself present today, as you've seen,
00:58:00.580 --> 00:58:02.920
I find this work to be very important.
00:58:02.920 --> 00:58:06.560
It's very satisfying to
see the numbers of open
00:58:06.560 --> 00:58:08.630
recommendations tick downwards.
00:58:08.630 --> 00:58:12.340
So that's partly why I pursue it,
00:58:12.340 --> 00:58:14.200
but not really just because of that,
00:58:14.200 --> 00:58:16.550
but because it really is important.
00:58:16.550 --> 00:58:19.410
We have such a broad
mission and we incur risk
00:58:19.410 --> 00:58:21.483
in so many different ways that,
00:58:22.540 --> 00:58:26.330
audits are actually beneficial
in helping point out where
00:58:26.330 --> 00:58:31.210
risk occurs and how we can
requires us to become innovative
00:58:31.210 --> 00:58:33.020
and figure out how to address it.
00:58:33.020 --> 00:58:35.460
So I'm actually quite,
00:58:35.460 --> 00:58:37.490
I find it a very useful management tool.
00:58:37.490 --> 00:58:39.940
So I'm very happy to
present to you today.
00:58:39.940 --> 00:58:41.073
Thank you very much.
00:58:44.380 --> 00:58:46.270
Alright, thank you.
00:58:46.270 --> 00:58:49.213
President Batjer, the
microphone back to you.
00:58:50.280 --> 00:58:53.103
See if any books for helicopters.
00:58:55.250 --> 00:58:58.700
Again, want to thank Angie
so much for the progress.
00:58:58.700 --> 00:59:03.110
She's made always a
concern that internal controls
00:59:03.110 --> 00:59:06.970
and proper controls
within the organization.
00:59:06.970 --> 00:59:10.330
And I think again, we're
making a lot of progress.
00:59:10.330 --> 00:59:12.150
So with that,
00:59:12.150 --> 00:59:15.210
I will turn to the operator
and ask her to open up
00:59:15.210 --> 00:59:17.643
the phone lines for any public comment.
00:59:19.010 --> 00:59:19.970
Thank you.
00:59:19.970 --> 00:59:24.570
If you would like to
have a public comment,
00:59:24.570 --> 00:59:27.110
please press star one,
00:59:27.110 --> 00:59:29.900
un-mute youth and
record your name clearly.
00:59:29.900 --> 00:59:33.900
Your name is required to
introduce your comment.
00:59:33.900 --> 00:59:36.203
One moment please. Thank you.
00:59:46.660 --> 00:59:48.550
Once again it is star one.
00:59:48.550 --> 00:59:50.650
If you would like to
have a public comment
01:00:07.240 --> 01:00:09.853
I currently have no public
comments at this time.
01:00:11.930 --> 01:00:13.340
Okay.
01:00:13.340 --> 01:00:14.600
Thank you very much.
01:00:14.600 --> 01:00:17.620
Again, thank you to
everyone who's participated
01:00:17.620 --> 01:00:19.780
and listened in to the meeting today.
01:00:19.780 --> 01:00:24.410
Very important topics
and I wanna thank Rachel
01:00:24.410 --> 01:00:25.690
and Commissioner Shiroma,
01:00:25.690 --> 01:00:28.960
Commissioner Houck,
Commissioner Guzman Aceves
01:00:28.960 --> 01:00:32.730
for bringing these very
important topics to us today.
01:00:32.730 --> 01:00:37.440
And I would recommend
as I'm walking out the door
01:00:38.690 --> 01:00:42.640
that we probably have
this type of a briefing
01:00:42.640 --> 01:00:46.810
on these very topics a
little bit more frequently,
01:00:46.810 --> 01:00:49.366
and I really do
appreciate them very much
01:00:49.366 --> 01:00:53.230
and nothing is more
important to the operations
01:00:53.230 --> 01:00:57.910
of an organization than making
sure that our risk assessment
01:00:57.910 --> 01:01:01.440
or our risk is well identified
and being addressed,
01:01:01.440 --> 01:01:04.390
whether that's in the cyber
security area or internal
01:01:04.390 --> 01:01:06.490
controls or just the auditing.
01:01:06.490 --> 01:01:08.083
And as Rachel said,
01:01:10.610 --> 01:01:14.860
we can only monitor our
progress as an organization
01:01:14.860 --> 01:01:17.240
when we have audits
to measure ourselves by.
01:01:17.240 --> 01:01:21.241
So with that, thank
you all very much again.
01:01:21.241 --> 01:01:23.767
And the meeting is now adjourned.