WEBVTT 00:00:16.684 --> 00:00:19.050 PUC Committee meeting on this date, 00:00:19.050 --> 00:00:22.890 Wednesday, December 8th, 2021. 00:00:22.890 --> 00:00:25.550 All parties are on listen only, 00:00:25.550 --> 00:00:28.510 during the public comment section, 00:00:28.510 --> 00:00:30.250 you can press star one. 00:00:30.250 --> 00:00:32.080 Today's call is being recorded. 00:00:32.080 --> 00:00:35.050 If you have any objections, please disconnect. 00:00:35.050 --> 00:00:37.750 I will turn today's call over to President Batjer. 00:00:37.750 --> 00:00:39.000 Thank you, you may begin. 00:00:40.090 --> 00:00:41.810 Thank you so much operator. 00:00:41.810 --> 00:00:43.890 Well, I'd like to say good morning to everyone 00:00:43.890 --> 00:00:46.500 and thank you for joining us today. 00:00:46.500 --> 00:00:50.980 I am calling the CPUC Commissioner Committee meeting 00:00:50.980 --> 00:00:54.680 of December 8th, 2021 to order. 00:00:54.680 --> 00:00:58.320 There are three committees here at the CPUC, 00:00:58.320 --> 00:01:00.680 the Finance and Administration Committee, 00:01:00.680 --> 00:01:02.930 the Policy and Governance Committee 00:01:02.930 --> 00:01:05.380 and the Emerging Trends Committee. 00:01:05.380 --> 00:01:07.240 Today, the Emerging Trends 00:01:07.240 --> 00:01:10.433 and the Finance Administration Committee will meet. 00:01:11.330 --> 00:01:13.530 Due to the Corona virus pandemic 00:01:13.530 --> 00:01:15.800 and the shelter in place order, 00:01:15.800 --> 00:01:19.060 we are conducting today's committee meeting online 00:01:19.060 --> 00:01:21.530 and by remote participation, 00:01:21.530 --> 00:01:25.860 the meeting is live-streamed on CPUC's website. 00:01:25.860 --> 00:01:27.090 You can view the meeting 00:01:27.090 --> 00:01:32.090 at www.adminmonitor.com/com/ca/cpuc. 00:01:41.747 --> 00:01:45.310 And adminmonitor is all one word. 
00:01:45.310 --> 00:01:49.670 Closed captioning is available in English and Spanish 00:01:49.670 --> 00:01:51.140 through the webcast. 00:01:51.140 --> 00:01:54.800 You can click on the green button to select your language 00:01:54.800 --> 00:01:55.763 of choice. 00:01:57.010 --> 00:02:00.560 We will have an opportunity for the public to comment 00:02:00.560 --> 00:02:03.070 following the Q&A and discussion 00:02:03.070 --> 00:02:04.930 among the Commissioners. 00:02:04.930 --> 00:02:08.470 If you wish to make a public comment or ask a question, 00:02:08.470 --> 00:02:13.470 please dial 800-857-1917 00:02:13.550 --> 00:02:16.307 and enter code 5180519 pound 00:02:20.340 --> 00:02:23.230 and press star one. 00:02:23.230 --> 00:02:26.620 You will be placed into a queue and it will be called upon 00:02:26.620 --> 00:02:31.070 to speak when we get to the public comment period, 00:02:31.070 --> 00:02:32.530 we will be at the end, 00:02:32.530 --> 00:02:35.310 and which of course that will be the public comment period 00:02:35.310 --> 00:02:39.003 will be at the end of the committee. 00:02:43.350 --> 00:02:47.260 I will now turn the Commission to Commissioner Shiroma 00:02:47.260 --> 00:02:51.380 to introduce the items on the emerging trends agenda, 00:02:51.380 --> 00:02:52.470 Commissioner Shiroma. 00:02:53.950 --> 00:02:55.880 Yes, thank you, President Batjer. 00:02:55.880 --> 00:02:57.453 Good morning, everyone. 00:02:58.360 --> 00:03:02.320 For our emerging trends committee presentation, 00:03:02.320 --> 00:03:07.320 we will hear from Jim Chil, Program Manager in the Security 00:03:08.060 --> 00:03:12.570 and Resilience Branch of our Safety Policy Division 00:03:12.570 --> 00:03:17.470 and Dan Bouts, Director of the Safety Policy Division. 00:03:17.470 --> 00:03:22.470 Jim has a decade of experience at FEMA and a master's degree 00:03:23.720 --> 00:03:25.533 from University of Michigan. 
00:03:28.140 --> 00:03:31.280 Dan, prior to joining the Commission 00:03:31.280 --> 00:03:33.840 served as Assistant Director 00:03:33.840 --> 00:03:37.710 at the California Governor's Office of Emergency Services, 00:03:37.710 --> 00:03:40.920 has an extensive background with the Armed Forces 00:03:40.920 --> 00:03:44.230 and obtained a PhD in industrial 00:03:44.230 --> 00:03:46.470 and organizational psychology 00:03:46.470 --> 00:03:48.023 from Walden University. 00:03:48.870 --> 00:03:50.750 Earlier this year, 00:03:50.750 --> 00:03:54.040 Commissioner (indistinct) and I were working 00:03:54.040 --> 00:03:56.513 on our Emerging Trends Committee work plan. 00:03:58.020 --> 00:04:03.020 Some folks will recall we did a survey with most staff 00:04:05.110 --> 00:04:07.880 and one of the topic areas 00:04:10.030 --> 00:04:14.590 we included is a cybersecurity into the work plan. 00:04:14.590 --> 00:04:16.930 As a result of all of these efforts, 00:04:16.930 --> 00:04:20.310 it's an important topic given the ever-changing state 00:04:20.310 --> 00:04:21.940 of affairs. 00:04:21.940 --> 00:04:26.840 And when we saw the Colonial Pipeline ransomware attack 00:04:26.840 --> 00:04:28.720 that occurred last May, 00:04:28.720 --> 00:04:32.090 we saw an opportunity to focus the cyber security 00:04:32.090 --> 00:04:35.250 presentation on this issue. 00:04:35.250 --> 00:04:40.000 So today Jim and Dan will present us information 00:04:40.000 --> 00:04:41.660 about ransomware, 00:04:41.660 --> 00:04:44.910 including the Colonial Pipeline incidents 00:04:44.910 --> 00:04:49.410 and overview of trends in ransomware and discussion 00:04:49.410 --> 00:04:52.223 of its relevance to our regulated utilities. 00:04:53.490 --> 00:04:56.403 All right, Jim and Dan, take it away. 00:04:58.160 --> 00:04:59.460 Thank you, Commissioner. 00:05:01.040 --> 00:05:03.760 So my name is Jim Chill. 00:05:03.760 --> 00:05:07.130 I'm the Program Manager for security and resilience. 
00:05:07.130 --> 00:05:09.975 Dan, did you, sorry to interrupt you. 00:05:09.975 --> 00:05:11.260 I didn't mean to cut you off. 00:05:11.260 --> 00:05:12.093 No, no, no. 00:05:12.093 --> 00:05:13.430 Please, go ahead. 00:05:13.430 --> 00:05:14.263 Okay. 00:05:14.263 --> 00:05:16.710 So we put together a presentation. 00:05:16.710 --> 00:05:20.190 This is one slice of cybersecurity and an issue. 00:05:20.190 --> 00:05:21.810 So it's, I just, 00:05:21.810 --> 00:05:24.493 before we get into the actual presentation itself, 00:05:25.400 --> 00:05:29.440 it's a very large area, very vast area. 00:05:29.440 --> 00:05:31.540 This is just one very specific look in. 00:05:31.540 --> 00:05:35.470 I think it helps to provide some insights to it by looking 00:05:35.470 --> 00:05:38.470 at a specific case such as Colonial Pipeline, 00:05:38.470 --> 00:05:40.453 the link to the next slide, 00:05:41.740 --> 00:05:43.910 just a quick overview of how this presentation 00:05:43.910 --> 00:05:44.870 is gonna go. 00:05:44.870 --> 00:05:49.160 One, we'll just give a very quick 101 on ransomware. 00:05:49.160 --> 00:05:50.770 We could spend days doing it, 00:05:50.770 --> 00:05:54.620 but just very quickly go into the mechanics of the Colonial 00:05:54.620 --> 00:05:56.930 Pipeline ransomware attack, 00:05:56.930 --> 00:05:58.150 discuss some challenges 00:05:58.150 --> 00:06:02.580 and then field any questions as needed. 00:06:02.580 --> 00:06:05.733 So moving on to the next slide. 00:06:07.050 --> 00:06:11.130 So this is the ransomware overview and we have, 00:06:11.130 --> 00:06:12.590 these are common attack methods 00:06:12.590 --> 00:06:15.640 and this is terminology you'll hear getting thrown around 00:06:15.640 --> 00:06:20.640 a lot in the news by CNN, by Fox, depending on how, 00:06:21.540 --> 00:06:25.120 whatever news program, everybody watches. 00:06:25.120 --> 00:06:30.050 But we'll hear malware or phishing or zero-day exploits. 
00:06:30.050 --> 00:06:33.120 And these are all just different attack methods 00:06:33.120 --> 00:06:34.210 that are used. 00:06:34.210 --> 00:06:35.510 Now, they're not all of them, 00:06:35.510 --> 00:06:37.740 but they're probably the most commonly known 00:06:38.989 --> 00:06:41.573 and displayed out to the public. 00:06:42.520 --> 00:06:44.053 Going to the next slide. 00:06:48.020 --> 00:06:48.853 Okay. 00:06:48.853 --> 00:06:50.210 So ransomware, 00:06:51.170 --> 00:06:54.655 the basics of ransomware is that it's actually one of many 00:06:54.655 --> 00:06:56.943 different types of attacks. 00:06:58.310 --> 00:07:03.310 And essentially what happens is that data is usually 00:07:04.270 --> 00:07:08.970 encrypted and then held hostage until a ransom is paid. 00:07:08.970 --> 00:07:11.060 And sometimes there's something called a double hot, 00:07:11.060 --> 00:07:14.275 a double ransom, which is not only are 00:07:14.275 --> 00:07:15.860 they gonna decrypt it, 00:07:15.860 --> 00:07:18.712 but they also won't share it with everybody. 00:07:18.712 --> 00:07:21.133 So there's a lot of avenues to this. 00:07:22.562 --> 00:07:26.210 And it's evolved from this whole idea of just 00:07:27.252 --> 00:07:30.810 a single group that has the skillset to do it to also being 00:07:30.810 --> 00:07:32.380 done as a service too. 00:07:32.380 --> 00:07:36.040 So it's actually now available to maybe non-technical 00:07:36.040 --> 00:07:38.360 organizations for a price. 00:07:38.360 --> 00:07:43.360 And what we've seen is that ransomware payments in 2020 00:07:43.760 --> 00:07:48.650 have climbed this year 82% and prior year 00:07:48.650 --> 00:07:50.940 to that was 171%. 00:07:50.940 --> 00:07:53.530 So we're seeing an increase in the average ransomware 00:07:53.530 --> 00:07:54.800 payments going up. 
00:07:54.800 --> 00:07:59.403 Now, that's just to say that these numbers are pretty, 00:08:00.500 --> 00:08:04.430 it's not as clear and tightly calculated as GDP or things 00:08:04.430 --> 00:08:06.993 like that, because really there's a lot of, 00:08:08.500 --> 00:08:12.380 not a lot of sharing of the information widely and publicly. 00:08:12.380 --> 00:08:14.980 So this is just one of the publicly available numbers 00:08:14.980 --> 00:08:18.500 that we feel has some that can provide a range 00:08:18.500 --> 00:08:20.723 in terms of how much this actually costs. 00:08:22.080 --> 00:08:24.263 Moving to the next slide. 00:08:27.100 --> 00:08:29.200 So this is the ransomware methods. 00:08:29.200 --> 00:08:33.560 And one thing that I really liked this slide, 00:08:33.560 --> 00:08:36.510 because what this definitely shows is, 00:08:36.510 --> 00:08:40.190 there's all these methods in terms of how people use code 00:08:40.190 --> 00:08:43.640 and computers to create a situation 00:08:43.640 --> 00:08:46.260 where they can actually demand a ransom. 00:08:46.260 --> 00:08:48.480 But what this shows that a lot of this shows 00:08:48.480 --> 00:08:50.970 is at the center of it, there's a human element. 00:08:50.970 --> 00:08:55.160 There's a person element to ransomware where it can be 00:08:55.160 --> 00:08:57.370 prevented by people. 00:08:57.370 --> 00:09:01.410 And good computer hygiene, good cybersecurity hygiene. 
00:09:01.410 --> 00:09:04.140 And so it doesn't, I think 00:09:04.140 --> 00:09:07.430 there's a lot of focus on the technical hardware aspect 00:09:07.430 --> 00:09:10.030 of ransomware and cyber security, 00:09:10.030 --> 00:09:12.160 but really a lot of it comes down to the people 00:09:12.160 --> 00:09:16.490 and this shows that things like spam and phishing emails 00:09:16.490 --> 00:09:21.490 to weak passwords and account management 00:09:21.640 --> 00:09:26.520 and access management are all human-driven 00:09:26.520 --> 00:09:27.860 types of situations. 00:09:27.860 --> 00:09:31.356 So it puts a kind of a face 00:09:31.356 --> 00:09:34.450 to the security as well as the attack too, 00:09:34.450 --> 00:09:36.883 so moving on to the next slide. 00:09:40.602 --> 00:09:42.640 So we get a little bit into the Colonial Pipeline 00:09:42.640 --> 00:09:45.023 ransomware attack, and just to start off with, 00:09:46.060 --> 00:09:48.510 Colonial Pipeline did not have any direct effects 00:09:48.510 --> 00:09:49.763 on California. 00:09:51.336 --> 00:09:53.470 Most of the in which all the infrastructure goes 00:09:53.470 --> 00:09:56.940 from west to east. 00:09:56.940 --> 00:10:01.940 And so that was something that we saw and we actually under 00:10:02.040 --> 00:10:05.240 supported Cal-CSIC in the analysis of the infrastructure, 00:10:05.240 --> 00:10:08.123 which is the state lead for cybersecurity. 00:10:10.140 --> 00:10:12.173 Moving to the next slide. 00:10:14.240 --> 00:10:17.490 So we're gonna go over kind of who was involved, 00:10:17.490 --> 00:10:20.530 what were the impacts and then challenges exposed. 00:10:20.530 --> 00:10:22.263 So going to the next slide. 
00:10:26.876 --> 00:10:31.170 So Colonial Pipeline, just a quick overview of what it is, 00:10:31.170 --> 00:10:34.510 basically it basically supplies fuel, 00:10:34.510 --> 00:10:37.480 including gasoline, diesel, heating oil, jet fuel 00:10:37.480 --> 00:10:42.480 and military supplies basically from pretty much primarily 00:10:43.220 --> 00:10:48.220 the Gulf of Mexico and into the Eastern seaboard 00:10:48.430 --> 00:10:50.450 of the country. 00:10:50.450 --> 00:10:52.820 And so it's one of the largest pipeline operators 00:10:52.820 --> 00:10:57.010 and they deliver 2.5 million barrels a day 00:10:57.010 --> 00:10:59.430 over 55 other miles of pipeline, 00:10:59.430 --> 00:11:02.220 which makes it a very large piece of infrastructure. 00:11:02.220 --> 00:11:07.220 And in terms of delivery of key fuels to an operations, 00:11:08.910 --> 00:11:12.470 and that could impact anywhere from airports to home 00:11:12.470 --> 00:11:17.470 heating, to transportation delivery logistics companies. 00:11:17.970 --> 00:11:22.250 So that's kind of the larger kind of tangible impacts 00:11:22.250 --> 00:11:25.740 that could happen even with short-term disruptions. 00:11:25.740 --> 00:11:27.113 Moving to the next slide. 00:11:34.280 --> 00:11:38.260 So the group that was allegedly responsible for this 00:11:38.260 --> 00:11:39.970 is a group called DarkSide Hacking Group. 00:11:39.970 --> 00:11:43.510 And here, I don't wanna focus too much on who they are, 00:11:43.510 --> 00:11:46.100 but this is just an example of that 00:11:46.100 --> 00:11:48.933 they're pretty well-organized as an organization. 00:11:50.060 --> 00:11:54.170 They've been around probably about a year or so, 00:11:54.170 --> 00:11:56.530 they have a website that has a press room, 00:11:56.530 --> 00:11:59.763 a mailing list and hotline for victims to call. 
00:12:01.070 --> 00:12:03.790 They have a code of ethics from what we can tell from open 00:12:03.790 --> 00:12:06.520 source information that's out on the web. 00:12:06.520 --> 00:12:09.290 And so that they don't always, 00:12:09.290 --> 00:12:12.330 they don't attack hospitals from what we understand 00:12:12.330 --> 00:12:15.823 and schools or universities or non-profits. 00:12:16.670 --> 00:12:19.730 So that's just, and this is not to say, 00:12:19.730 --> 00:12:23.480 a question about their ethical values here, 00:12:23.480 --> 00:12:27.060 but they're a much more sophisticated group in terms 00:12:27.060 --> 00:12:30.700 of they have an ethos, they have organizations 00:12:30.700 --> 00:12:33.940 for communication, and obviously 00:12:35.022 --> 00:12:36.848 they have the capability 00:12:36.848 --> 00:12:39.053 of conducting the ransomware operations. 00:12:41.193 --> 00:12:42.026 So, there's-- 00:12:43.372 --> 00:12:45.260 Sorry to cut you off here, but I'm not. 00:12:45.260 --> 00:12:48.970 So, I mean, is this a legal thing? I'm confused. 00:12:48.970 --> 00:12:51.520 Like why are they allowed to have a website 00:12:51.520 --> 00:12:54.660 and like have a code of ethics? 00:12:54.660 --> 00:12:56.440 Like, is this something is like, 00:12:56.440 --> 00:12:57.790 I'm missing something here. 00:12:58.630 --> 00:13:01.852 Well, it's more of, there really, 00:13:01.852 --> 00:13:05.100 what this slide is to say is that they're organized, 00:13:05.100 --> 00:13:06.900 much more organized than just a group 00:13:06.900 --> 00:13:08.363 of people with computers. 00:13:09.500 --> 00:13:10.980 They have, 00:13:10.980 --> 00:13:14.220 nothing actually prevents them from having a website 00:13:14.220 --> 00:13:15.800 per se, 00:13:15.800 --> 00:13:18.140 and nothing actually prevents them from having an ethos 00:13:18.140 --> 00:13:20.180 or a mission statement as an organization. 
00:13:20.180 --> 00:13:21.593 So it's just, 00:13:22.870 --> 00:13:25.190 when we think about kind of an organization going 00:13:25.190 --> 00:13:28.980 from playing sandlot baseball to maybe, 00:13:28.980 --> 00:13:30.746 minor league pro baseball, 00:13:30.746 --> 00:13:33.310 they have mission statements, you have coaching, 00:13:33.310 --> 00:13:35.967 you have a whole infrastructure around it, 00:13:35.967 --> 00:13:37.110 not just the ball bat. 00:13:37.110 --> 00:13:42.110 And so that's really, we're talking about, sorry. 00:13:42.360 --> 00:13:43.193 Oh, you do. 00:13:43.193 --> 00:13:44.950 But just to answer your question, also, 00:13:44.950 --> 00:13:46.610 a lot of these companies, 00:13:46.610 --> 00:13:48.890 exist in countries without extradition treaties 00:13:48.890 --> 00:13:50.400 to the United States. 00:13:50.400 --> 00:13:53.200 So this is like an international environment, 00:13:53.200 --> 00:13:56.130 and they're very peculiar about where they host 00:13:56.130 --> 00:13:58.590 their services to provide them the greatest amount 00:13:58.590 --> 00:14:01.693 of flexibility based on local laws. 00:14:03.210 --> 00:14:04.579 Wow. Okay. 00:14:04.579 --> 00:14:05.412 Thank you. 00:14:09.156 --> 00:14:09.989 Okay. 00:14:11.447 --> 00:14:15.640 So this DarkSide is an organized group, 00:14:15.640 --> 00:14:18.310 and there are other organized groups like DarkSide, 00:14:18.310 --> 00:14:20.739 this is just to demonstrate that 00:14:20.739 --> 00:14:23.360 it's an organization behind these groups. 00:14:23.360 --> 00:14:26.150 There's a level of professionalism behind these groups, 00:14:26.150 --> 00:14:28.460 regardless of whether their service or products that they're 00:14:28.460 --> 00:14:31.780 actually providing. 00:14:31.780 --> 00:14:34.243 So moving to the next slide. 
00:14:38.810 --> 00:14:40.610 Just that we wanted to show this slide, 00:14:40.610 --> 00:14:44.250 because we wanted to give people a feel for how these things 00:14:44.250 --> 00:14:46.550 kind of potentially happen. 00:14:46.550 --> 00:14:50.530 This is not a screenshot from the DarkSide ransomware 00:14:50.530 --> 00:14:53.090 during event with Colonial Pipeline, 00:14:53.090 --> 00:14:55.790 but it is kind of what the thing that people will see. 00:14:56.740 --> 00:14:59.980 And we just wanted to ground it a little bit with this image 00:14:59.980 --> 00:15:03.690 where it kind of notifies that files have been encrypted. 00:15:03.690 --> 00:15:05.280 There's a ransom amount, 00:15:05.280 --> 00:15:07.160 and then time until the ransom is increased, 00:15:07.160 --> 00:15:09.330 or files are encrypted permanently, 00:15:09.330 --> 00:15:11.190 as well as potentially any other demands 00:15:11.190 --> 00:15:13.950 that are part of what the group wants. 00:15:13.950 --> 00:15:16.380 And this is something that somebody would see 00:15:16.380 --> 00:15:17.233 on their screen. 00:15:18.640 --> 00:15:23.640 So it's not a subtle email or a large press announcement. 00:15:25.380 --> 00:15:28.190 It's pretty targeted in terms of the communication from what 00:15:28.190 --> 00:15:29.023 we've seen. 00:15:29.920 --> 00:15:31.323 Going to the next slide. 00:15:34.430 --> 00:15:37.520 So just to walk through the timeline of events, 00:15:37.520 --> 00:15:42.290 and so on May 6th, there was an initial intrusion and theft, 00:15:42.290 --> 00:15:44.960 meaning that they got access to the network, 00:15:44.960 --> 00:15:49.960 and they were able to encrypt data and then threatened 00:15:49.970 --> 00:15:51.630 to leak it to the internet. 00:15:51.630 --> 00:15:56.630 On May 7th, they continue, there was an assessment done 00:15:59.100 --> 00:16:01.690 there was network, I'm sorry, the ransomware 00:16:01.690 --> 00:16:05.230 affected billing and accounting systems. 
00:16:05.230 --> 00:16:08.970 And so what Colonial Pipeline did is basically they took 00:16:08.970 --> 00:16:12.650 certain systems offline to contain the threat. 00:16:12.650 --> 00:16:17.060 And so, the Colonial Pipeline ransomware attack 00:16:17.060 --> 00:16:20.420 primarily affected information technology. 00:16:20.420 --> 00:16:25.160 It did not affect the actual operational technology, 00:16:25.160 --> 00:16:29.600 meaning that the programs and the machines 00:16:29.600 --> 00:16:34.600 that impacts the direct physical operation of the pipeline. 00:16:35.850 --> 00:16:38.320 And so this was really more billing and accounting 00:16:38.320 --> 00:16:39.950 information pieces, 00:16:39.950 --> 00:16:44.680 but what was happening is that because they couldn't bill 00:16:44.680 --> 00:16:47.223 and then they can really deliver either. 00:16:49.200 --> 00:16:53.410 And so on the seventh, Colonial Pipeline paid the ransom, 00:16:56.040 --> 00:16:58.813 and it was valued approximately at $4.4 million. 00:16:59.760 --> 00:17:04.053 And that allowed the company to get the decryption key 00:17:04.053 --> 00:17:07.070 and then became the recovery process. 00:17:07.070 --> 00:17:09.180 Now one would think, oh you know what, 00:17:09.180 --> 00:17:11.550 it's really great to just, 00:17:11.550 --> 00:17:13.830 we got decrypted the data, 00:17:13.830 --> 00:17:15.880 and now we can be back up and running, 00:17:15.880 --> 00:17:18.820 but there's a tail to this in terms of the recovery 00:17:18.820 --> 00:17:21.980 where just because the data was decrypted, 00:17:21.980 --> 00:17:26.860 that does the group, also the company go back and assess, 00:17:26.860 --> 00:17:29.160 actually do a full assessment of their network 00:17:30.210 --> 00:17:32.130 and their systems to make sure that things 00:17:32.130 --> 00:17:34.230 are not still embedded there, 00:17:34.230 --> 00:17:37.500 or they're not gonna be vulnerable to another attack again. 
00:17:37.500 --> 00:17:42.500 So there's a bit of a lag in terms of the ransom is paid 00:17:42.800 --> 00:17:45.420 and then there's time that's gonna happen. 00:17:45.420 --> 00:17:47.340 Usually, like for an example, if, 00:17:47.340 --> 00:17:50.350 to make it analogous to a kidnapping situation, 00:17:50.350 --> 00:17:52.060 you pay the ransom and usually the person 00:17:52.060 --> 00:17:52.893 you get the person back. 00:17:52.893 --> 00:17:55.990 And then the situation is pretty much over for the most part 00:17:55.990 --> 00:17:57.980 in terms of the hostage situation, 00:17:57.980 --> 00:18:01.350 but here there's a lot more recovery that's involved. 00:18:01.350 --> 00:18:05.320 So what happened on May 9th is that the Department of 00:18:05.320 --> 00:18:09.480 Transportation issued a regional emergency declaration, 00:18:09.480 --> 00:18:12.530 which allowed for just the relaxation of labor laws, 00:18:13.570 --> 00:18:14.660 governing drivers, 00:18:14.660 --> 00:18:17.890 and allowed them to keep fuel supplies open 00:18:17.890 --> 00:18:19.210 for that period of time. 00:18:19.210 --> 00:18:23.000 And then on the 12th, Colonial Pipeline restarts 00:18:23.000 --> 00:18:24.890 the operations. 00:18:24.890 --> 00:18:28.950 What was interesting also about this is about fast-forward 00:18:28.950 --> 00:18:33.950 about maybe a month and US Department of Justice recovers, 00:18:35.110 --> 00:18:39.490 probably about 2.3 million of that ransom, 00:18:39.490 --> 00:18:40.980 which was very interesting. 00:18:40.980 --> 00:18:44.050 There's very little actually about that. 
00:18:44.050 --> 00:18:46.200 But the fact that they were able to do that 00:18:47.310 --> 00:18:51.820 was kind of a situation where a lot of people didn't think 00:18:51.820 --> 00:18:55.168 that Department of Justice or ransoms could be recovered, 00:18:55.168 --> 00:18:59.180 but means and methods are not, 00:18:59.180 --> 00:19:02.330 or have not been widely shared on how that was done, 00:19:02.330 --> 00:19:04.553 but they did report that that was done. 00:19:06.140 --> 00:19:08.433 Moving on to the next slide. 00:19:10.490 --> 00:19:14.020 So just to take this outside of just Colonial Pipeline 00:19:14.020 --> 00:19:15.300 and their systems, 00:19:15.300 --> 00:19:19.650 what we did see as a short-term price increase and shortages 00:19:19.650 --> 00:19:23.220 that were driven by panic rather than supply, 00:19:23.220 --> 00:19:26.470 given that it was about a five-day event where the pipelines 00:19:26.470 --> 00:19:31.470 were down, we saw demand spike about 20% for gasoline. 00:19:32.100 --> 00:19:37.100 And then also the national average push the up 00:19:37.520 --> 00:19:41.900 7 cents for gasoline to $3 and 3 cents, 00:19:41.900 --> 00:19:45.820 which is I'd love to pay $3 and 3 cents for gasoline 00:19:45.820 --> 00:19:47.450 in California. 00:19:47.450 --> 00:19:49.310 But that's just to put that in context, 00:19:49.310 --> 00:19:50.390 that's the national average, 00:19:50.390 --> 00:19:52.620 and it increased that in person to 7 cents. 00:19:55.170 --> 00:19:59.410 Okay. So moving on to the next slide. 00:19:59.410 --> 00:20:04.290 So what this Colonial Pipeline case study, 00:20:04.290 --> 00:20:08.760 as well as other ransom cybersecurity events have 00:20:08.760 --> 00:20:11.453 brought up is some challenges. 
00:20:13.175 --> 00:20:16.230 And so we just kind of picked two of the bigger ones that 00:20:16.230 --> 00:20:21.230 we've seen in our interactions and just looking at various 00:20:22.070 --> 00:20:25.593 other cyber security incidents out there, 00:20:27.280 --> 00:20:30.513 and to go into the next slide here, 00:20:32.220 --> 00:20:35.640 the first one is really the ransom payments, right. 00:20:35.640 --> 00:20:39.210 To pay, not to pay and who has to pay. 00:20:39.210 --> 00:20:42.110 Those are really the three questions associated with that. 00:20:43.402 --> 00:20:47.010 The Colonial Pipeline paid, they paid the ransom, 00:20:47.010 --> 00:20:48.830 and then however, 00:20:48.830 --> 00:20:51.280 the federal government and government stance has been don't 00:20:51.280 --> 00:20:52.900 pay the ransom. 00:20:52.900 --> 00:20:56.360 So then the quandary there is, okay, well, do I pay, 00:20:56.360 --> 00:20:58.830 or do I let this piece of infrastructure just sit there 00:20:58.830 --> 00:21:01.320 and not operate right. 00:21:01.320 --> 00:21:02.763 And have national impacts? 00:21:04.100 --> 00:21:06.610 The other side of this is that actually insurance companies 00:21:06.610 --> 00:21:08.060 have a major role in this 00:21:09.201 --> 00:21:12.360 and a lot of it has to do with how the ransom gets paid 00:21:12.360 --> 00:21:14.640 and what the company does and the things 00:21:14.640 --> 00:21:17.690 that they need to do actually govern whether or not 00:21:18.530 --> 00:21:21.320 they're covered under their cyber security insurance. 00:21:21.320 --> 00:21:26.320 So it's a big thing in terms of creating a preparedness, 00:21:26.360 --> 00:21:30.140 but also they do have a very large thing in this who gets 00:21:30.140 --> 00:21:31.340 paid and how they get paid, 00:21:31.340 --> 00:21:34.203 but also how the companies go about their business too. 00:21:36.070 --> 00:21:38.520 So any questions about this challenge number one? 
00:21:42.290 --> 00:21:44.333 Okay. Moving to challenge number two. 00:21:48.320 --> 00:21:52.003 So this is really the big piece, not just, 00:21:53.540 --> 00:21:55.810 it's not just computers going back to the people's 00:21:55.810 --> 00:21:59.830 situations and the organizational situation where there's 00:21:59.830 --> 00:22:01.980 a multitude of players and processes 00:22:01.980 --> 00:22:04.400 associated with cybersecurity. 00:22:04.400 --> 00:22:08.100 And that is one of the big challenges in terms of 00:22:09.070 --> 00:22:13.400 how we work forward, how we respond, recover, prepare, 00:22:13.400 --> 00:22:18.400 and mitigate, and then evolve in that cycle to actually, 00:22:19.170 --> 00:22:20.640 be prepared for cyber security, 00:22:20.640 --> 00:22:25.640 because that mitigation is a sort of a never ending cycle. 00:22:27.400 --> 00:22:30.420 There's always someone who's gonna be smarter and better. 00:22:30.420 --> 00:22:34.890 And then you got to match that, or be better than that. 00:22:34.890 --> 00:22:37.810 And so, it's an ongoing cycle with that, 00:22:37.810 --> 00:22:41.630 but it does show a large set of kind of what we call 00:22:41.630 --> 00:22:45.610 the alphabet soup of, DOD, FEMA, 00:22:48.910 --> 00:22:53.163 DOE, Department of Energy, DHS, cyber security. 00:22:54.724 --> 00:22:55.557 You can see. 00:22:57.960 --> 00:23:00.800 There's the NIST who provides frameworks 00:23:00.800 --> 00:23:03.090 and guidance, and then there's UL. 00:23:03.090 --> 00:23:04.050 And there's, there's, 00:23:04.050 --> 00:23:06.520 there's a lot of people involved with this and there's, 00:23:06.520 --> 00:23:09.970 it's not just one person that has the silver bullet 00:23:11.928 --> 00:23:15.530 in terms of cyber security and ensuring that, 00:23:15.530 --> 00:23:18.623 we're mitigating and ready for cyber attacks. 
00:23:19.694 --> 00:23:22.020 And so that is kind of a big challenge because we have 00:23:22.020 --> 00:23:24.170 technology evolving very quickly. 00:23:24.170 --> 00:23:27.640 And then we also have this wide range of stakeholders 00:23:27.640 --> 00:23:32.630 that may not have a full ownership stake in the issue 00:23:32.630 --> 00:23:34.123 or that specific issue. 00:23:35.290 --> 00:23:39.170 Let's say it's a piece of critical infrastructure, 00:23:39.170 --> 00:23:43.570 but they do have a stake in sometimes the consequences 00:23:43.570 --> 00:23:46.790 of that infrastructure, not being operational. 00:23:46.790 --> 00:23:49.860 So a lot of people involved, which is great, 00:23:49.860 --> 00:23:52.900 but also getting our arms around and herding those cats 00:23:52.900 --> 00:23:56.830 is also very critical in terms of making sure 00:23:56.830 --> 00:24:00.330 that we're installed and ready for things 00:24:00.330 --> 00:24:02.470 and able to mitigate or respond 00:24:02.470 --> 00:24:04.593 and recover from cyber attacks. 00:24:06.000 --> 00:24:08.750 So what that means for us as sort of our IOUs 00:24:08.750 --> 00:24:13.750 and as a regulator and IOUs 00:24:15.680 --> 00:24:19.030 and a lot of it is bringing these folks together 00:24:19.030 --> 00:24:24.030 and ensuring that they're coordinated, they're connected. 00:24:25.250 --> 00:24:27.670 If there's a response that they've met each other before 00:24:27.670 --> 00:24:29.270 that they have process and procedures 00:24:29.270 --> 00:24:31.250 that they're integrated, 00:24:31.250 --> 00:24:34.070 obviously working with DOD is very different than working 00:24:34.070 --> 00:24:38.500 with someone like Department of Energy, different cultures, 00:24:38.500 --> 00:24:41.720 different ways of doing business, different resources too. 
00:24:41.720 --> 00:24:44.350 And so bringing everybody together early on, 00:24:44.350 --> 00:24:46.060 and we've been working with Calla, 00:24:46.060 --> 00:24:48.740 we asked the council to do that, 00:24:48.740 --> 00:24:52.300 is to bring all these players together, 00:24:52.300 --> 00:24:54.060 all the best thinking the process 00:24:54.060 --> 00:24:58.530 and the players and the processes together to make sure 00:24:58.530 --> 00:25:00.920 that one, everybody's working together 00:25:00.920 --> 00:25:04.070 because there's stakes, everybody has a stake in it. 00:25:04.070 --> 00:25:06.255 FEMA has consequence management. 00:25:06.255 --> 00:25:09.800 DHS has very specific technical cyber security 00:25:09.800 --> 00:25:13.360 responsibilities, Calloway acts as consequence management. 00:25:13.360 --> 00:25:18.330 And the council has also very specific cyber security 00:25:18.330 --> 00:25:21.350 responsibilities to as lead agency within our state 00:25:21.350 --> 00:25:22.830 of California. 00:25:22.830 --> 00:25:24.630 So really what it is, 00:25:24.630 --> 00:25:27.180 is bringing the stakeholders together 00:25:27.180 --> 00:25:30.590 and bringing our IOUs and giving them access, 00:25:30.590 --> 00:25:33.770 but also helping build that team that we need 00:25:34.794 --> 00:25:37.044 to be able to respond, recover, and mitigate. 00:25:39.110 --> 00:25:43.313 So that is all I have for this. 00:25:44.530 --> 00:25:45.363 Any questions? 00:25:48.030 --> 00:25:49.880 Thank you, Jay. 00:25:49.880 --> 00:25:50.990 Dan, anything else? 00:25:50.990 --> 00:25:52.140 And then we'll open up. 00:25:58.220 --> 00:25:59.850 Nothing additional. 00:25:59.850 --> 00:26:01.053 Okay. All right. 00:26:02.237 --> 00:26:05.900 Commissioner Shiroma I have a question it's Maribel. 00:26:05.900 --> 00:26:07.780 Yes, what about it? 00:26:07.780 --> 00:26:10.100 I don't mean to jump ahead if I'm interrupting you, 00:26:10.100 --> 00:26:11.063 I apologize. 
00:26:12.959 --> 00:26:14.480 No, you're fine. 00:26:14.480 --> 00:26:18.220 Okay, Jim, I was just wondering, 00:26:18.220 --> 00:26:23.113 you mentioned coordinating with Cal-CSIC at the end. 00:26:24.030 --> 00:26:26.460 And Dan and I kind of lived through a little bit 00:26:26.460 --> 00:26:30.610 of this together when it all happened with Colonial. 00:26:30.610 --> 00:26:34.990 And I'm just wondering if you could explain the coordination 00:26:34.990 --> 00:26:38.110 without obviously revealing things that we can't publicly, 00:26:38.110 --> 00:26:41.170 but if you could reveal a little bit how the coordination 00:26:41.170 --> 00:26:45.933 works at the state level with Calloway yes. 00:26:47.234 --> 00:26:50.097 And the CSIC and what the CSIC does 00:26:50.097 --> 00:26:52.830 and who is the lead agency. 00:26:52.830 --> 00:26:56.340 I think the Commissioners would benefit from hearing that. 00:26:56.340 --> 00:26:57.290 Absolutely. Okay. 00:26:58.240 --> 00:27:00.420 So the Cal-CSIC, 00:27:00.420 --> 00:27:04.174 based out of California is the state agency lead 00:27:04.174 --> 00:27:06.840 for cybersecurity at large, 00:27:06.840 --> 00:27:10.720 but they are also a combination of multiple agencies. 00:27:10.720 --> 00:27:12.430 So they have the California Military Department, 00:27:12.430 --> 00:27:14.680 the California Highway Patrol, 00:27:14.680 --> 00:27:17.370 the California Department of Technology 00:27:17.370 --> 00:27:21.400 among many other agencies included, excuse me, 00:27:21.400 --> 00:27:25.500 included in that group are several of Jim's P analyst, 00:27:25.500 --> 00:27:29.810 as well as Jim have the security clearances to allow them 00:27:29.810 --> 00:27:32.040 to have those discussions. 00:27:32.040 --> 00:27:35.030 And there's an important additional aspect 00:27:35.030 --> 00:27:35.863 of the Cal-CSIC, 00:27:35.863 --> 00:27:40.390 which is embedded federal cybersecurity entities.
00:27:40.390 --> 00:27:44.570 And so as these incidents start to unfold, 00:27:44.570 --> 00:27:47.850 we can provide our expertise to the Cal-CSIC to help them 00:27:47.850 --> 00:27:50.920 understand what the potential impacts are to ensure 00:27:50.920 --> 00:27:52.650 that they get to the right point of contact 00:27:52.650 --> 00:27:55.083 if they don't have them with the IOUs. 00:27:56.070 --> 00:27:57.643 And then also just to ensure, 00:27:59.240 --> 00:28:01.820 that those coordinations have happened beforehand. 00:28:01.820 --> 00:28:04.320 So when everyone pulls out their phone books, 00:28:04.320 --> 00:28:06.263 they know exactly who to dial to. 00:28:07.474 --> 00:28:08.550 And there's not this like, 00:28:08.550 --> 00:28:12.370 who should I call, I'm uncertain because that hesitation 00:28:12.370 --> 00:28:14.693 obviously can be a big impediment to respond. 00:28:18.530 --> 00:28:23.530 So then Dan let's go into real time as we can 00:28:23.650 --> 00:28:24.483 for a second. 00:28:24.483 --> 00:28:26.880 So when there is say a ransom attack, 00:28:26.880 --> 00:28:29.593 and we're notified of it by FBI, 00:28:29.593 --> 00:28:33.810 and hopefully not the media first, but whatever, 00:28:33.810 --> 00:28:38.323 our first reach out, my understanding is to Cal-CSIC. 00:28:39.230 --> 00:28:44.000 And then we do the real fast reach out to those entities 00:28:44.000 --> 00:28:47.240 we regulate who may be impacted, is that correct? 00:28:47.240 --> 00:28:48.896 Or is that the wrong sequence? 00:28:48.896 --> 00:28:50.173 That's correct.
00:28:53.490 --> 00:28:56.690 I just wanted to make sure that my fellow Commissioners 00:28:56.690 --> 00:28:59.260 knew that because that sequence, 00:28:59.260 --> 00:29:02.620 I know currently there may be changes in the future, 00:29:02.620 --> 00:29:05.280 but currently that that sequence is very important 00:29:05.280 --> 00:29:10.280 to the Cal-CSIC and then that we're immediately, 00:29:10.420 --> 00:29:13.870 as soon as we possibly know it are in the loop 00:29:13.870 --> 00:29:14.770 with Cal-CSIC. 00:29:14.770 --> 00:29:15.670 So thank you, Dan. 00:29:15.670 --> 00:29:16.960 And thank you, Jim. 00:29:16.960 --> 00:29:18.620 And thank you, Commissioner Shiroma 00:29:18.620 --> 00:29:20.270 for letting me ask that question. 00:29:22.070 --> 00:29:23.057 Thank you, President Batjer, 00:29:23.057 --> 00:29:28.057 that's very important and helpful information in any of us, 00:29:28.550 --> 00:29:33.290 maybe loosely aware of some of these things in the media 00:29:33.290 --> 00:29:34.223 and so forth. 00:29:35.317 --> 00:29:40.317 It's important for our team to be able to respond quickly. 00:29:41.370 --> 00:29:44.710 And it's good to know that there is a team there's a set of 00:29:44.710 --> 00:29:48.990 protocols, that's phone numbers and working relationships, 00:29:48.990 --> 00:29:51.100 rather than just calling somebody that you've never talked 00:29:51.100 --> 00:29:54.330 to before never met before those working relationships 00:29:54.330 --> 00:29:56.170 are really key. 00:29:56.170 --> 00:30:01.170 This information today from Jim and Dan as to here in this 00:30:01.490 --> 00:30:03.920 fashion is, is quite stunning, 00:30:03.920 --> 00:30:06.400 but it's important for us to know. 00:30:06.400 --> 00:30:08.963 Other Commissioners, questions or comments. 00:30:16.340 --> 00:30:17.453 Okay. 00:30:18.980 --> 00:30:20.100 Thank you. 00:30:20.100 --> 00:30:21.630 Thank you, Dan. 00:30:21.630 --> 00:30:22.470 Thank you, Jim.
00:30:22.470 --> 00:30:24.803 Keep up the good work or catalog it. 00:30:27.370 --> 00:30:28.743 Thank you both very much. 00:30:33.614 --> 00:30:37.490 All right. Back to your President Batjer. 00:30:37.490 --> 00:30:42.490 Okay. I think we're now moving on to the risk and compliance 00:30:43.840 --> 00:30:47.863 branch for their briefing. 00:30:48.890 --> 00:30:52.870 I believe I saw Angie coming on earlier. 00:30:52.870 --> 00:30:56.130 I'm not quite sure who's going to do this presentation. 00:30:56.130 --> 00:30:59.463 Rachel, are you sorry, I don't have those notes. 00:31:01.170 --> 00:31:04.450 I'll introduce President Batjer. 00:31:04.450 --> 00:31:07.483 And then we will hear from Rachel and Angie. 00:31:11.300 --> 00:31:14.840 So, again, thanks to Jim and Dan 00:31:14.840 --> 00:31:17.670 for the Emerging Trends Committee presentation. 00:31:17.670 --> 00:31:22.670 Now we will turn to Finance and Administration Committee. 00:31:23.380 --> 00:31:27.650 We have a presentation from director Angie Williams 00:31:27.650 --> 00:31:31.420 on the Commission's risks identified as part of the State 00:31:31.420 --> 00:31:35.063 Leadership and Accountability act or SLAA. 00:31:36.800 --> 00:31:40.220 I'm gonna introduce Director Williams. 00:31:40.220 --> 00:31:44.290 We will then hear from Executive Director, Rachel Pearson, 00:31:44.290 --> 00:31:48.190 and then hear Angie's presentation. 00:31:48.190 --> 00:31:50.880 So Director Williams we'll walk us through the identified 00:31:50.880 --> 00:31:55.880 SLAA risks, our response action plans and milestones. 00:31:56.150 --> 00:31:59.880 We will also hear about the status of implementing audit 00:31:59.880 --> 00:32:03.830 recommendations from our control agencies and audits 00:32:03.830 --> 00:32:05.363 that are in progress. 
00:32:06.400 --> 00:32:09.160 How can I, as co-chairs of the Finance 00:32:09.160 --> 00:32:10.990 and Administration Committee 00:32:10.990 --> 00:32:14.720 received a pre-brief from director Williams as part 00:32:14.720 --> 00:32:18.573 of the work towards strategic directive 12 on this, 00:32:19.770 --> 00:32:21.650 Angie Williams has served as Director 00:32:21.650 --> 00:32:23.800 of the Commissioners Utility Audits, 00:32:23.800 --> 00:32:28.800 risks and compliance division since April of 2019. 00:32:28.910 --> 00:32:30.360 Prior to joining the Commission, 00:32:30.360 --> 00:32:34.040 Angie worked at the California Department of Finance 00:32:34.040 --> 00:32:35.510 for 19 years, 00:32:35.510 --> 00:32:39.470 leading complex audits and revamping the state leadership 00:32:39.470 --> 00:32:41.500 and accountability act. 00:32:41.500 --> 00:32:46.140 And Angie holds a bachelor's of arts in accounting 00:32:46.140 --> 00:32:48.960 from California State University at Chico. 00:32:48.960 --> 00:32:49.900 Now, at this point, 00:32:49.900 --> 00:32:53.210 I'm gonna turn the mic over to our Executive Director, 00:32:53.210 --> 00:32:54.760 Rachel Pearson, 00:32:54.760 --> 00:32:57.600 for some additional introductory remarks 00:32:57.600 --> 00:32:59.970 and both executive director Pearson, 00:32:59.970 --> 00:33:02.863 and Angie will be available during the Q&A. 00:33:05.070 --> 00:33:06.420 Executive Director Pearson. 00:33:08.170 --> 00:33:09.970 Good morning, Commissioner Shiroma, 00:33:09.970 --> 00:33:11.500 President Batjer and Commissioners. 00:33:11.500 --> 00:33:14.280 Thank you very much for the opportunity to be here 00:33:14.280 --> 00:33:15.113 this morning. 00:33:15.113 --> 00:33:20.010 I actually can't let the last presentation go 00:33:20.010 --> 00:33:22.400 without just two connecting points.
00:33:22.400 --> 00:33:23.350 Number one, 00:33:23.350 --> 00:33:27.160 where James chose spoke about the human elements 00:33:27.160 --> 00:33:30.670 of our vulnerability to cyber security threats, 00:33:30.670 --> 00:33:35.210 our own IT department sends out and requires 00:33:35.210 --> 00:33:40.210 all staff to take an annual cyber security awareness 00:33:40.530 --> 00:33:42.730 training in order to cut down on the risk 00:33:42.730 --> 00:33:43.960 that we will fall subject 00:33:43.960 --> 00:33:47.100 to one of those phishing email scams. 00:33:47.100 --> 00:33:49.060 So small plug all staff, 00:33:49.060 --> 00:33:51.660 please complete your cyber security awareness training 00:33:51.660 --> 00:33:53.800 for 2021. 00:33:53.800 --> 00:33:58.770 And then just as we turn to Angie and her presentation, 00:33:58.770 --> 00:34:02.270 cybersecurity is one of those emerging threats. 00:34:02.270 --> 00:34:04.380 We've all become much more familiar with it 00:34:04.380 --> 00:34:06.660 over the last several years, 00:34:06.660 --> 00:34:10.400 but it is one of those threats to the CPUC's ability 00:34:10.400 --> 00:34:12.410 to execute on our mission. 00:34:12.410 --> 00:34:16.730 It's both a threat to us as an agency and to the utilities 00:34:16.730 --> 00:34:17.793 that we regulate. 00:34:18.900 --> 00:34:23.900 And so that's just one example of the importance of work 00:34:24.015 --> 00:34:28.710 by director Angie Williams, as she works with 00:34:28.710 --> 00:34:30.380 myself and our senior management, 00:34:30.380 --> 00:34:34.490 and with you Commissioners to use different tools, 00:34:34.490 --> 00:34:38.303 different cycles, different reports to assess risks, 00:34:38.303 --> 00:34:42.620 establish management practices that mitigate against 00:34:42.620 --> 00:34:46.850 those risks and then drill down and see how well we're doing 00:34:46.850 --> 00:34:49.523 on actual achievement of that mitigation.
00:34:51.166 --> 00:34:53.700 So I really thank you for asking 00:34:53.700 --> 00:34:55.490 for this presentation today. 00:34:55.490 --> 00:34:58.500 I think Angie's work is very important and I'm very glad 00:34:58.500 --> 00:35:01.420 that she'll be able to give you the snapshot 00:35:01.420 --> 00:35:05.670 of this year's State Leadership Accountability Act, 00:35:05.670 --> 00:35:08.470 risk assessment that we're about to submit. 00:35:08.470 --> 00:35:09.690 Thank you very much. All right. 00:35:09.690 --> 00:35:10.683 Over to you, Angie. 00:35:12.530 --> 00:35:14.390 Hey, good morning, thank you. 00:35:14.390 --> 00:35:17.180 Again, my name is Angie Williams and I'm the Director 00:35:17.180 --> 00:35:20.363 of the Utility Audits, Risk and Compliance Division. 00:35:21.580 --> 00:35:23.313 We go to the next slide. 00:35:26.350 --> 00:35:29.910 Today, I'm gonna be discussing the background of the State 00:35:29.910 --> 00:35:32.320 Leadership Accountability Act in case some of you are not 00:35:32.320 --> 00:35:33.250 familiar with it. 00:35:33.250 --> 00:35:35.640 And then walk you through the risk process that we went 00:35:35.640 --> 00:35:36.910 through this year, 00:35:36.910 --> 00:35:40.550 I'll also discuss the five SLAA risks that we identified, 00:35:40.550 --> 00:35:43.640 the action plans and the milestone date. 00:35:43.640 --> 00:35:46.220 I'll also provide a status update for the internal 00:35:46.220 --> 00:35:48.723 and external audit recommendations that we have, 00:35:49.630 --> 00:35:52.623 and also discuss the audits that are currently in progress. 00:35:59.560 --> 00:36:02.130 So just a quick background, as you guys mentioned, 00:36:02.130 --> 00:36:05.500 the State Leadership Accountability Act is known as SLAA. 00:36:05.500 --> 00:36:08.620 It's a requirement in the government code. 00:36:08.620 --> 00:36:10.793 So all state departments must comply.
00:36:12.467 --> 00:36:16.673 The report is due December 31st, 2021 and every odd year. 00:36:18.220 --> 00:36:21.550 And then we also will submit implementation plans 00:36:21.550 --> 00:36:24.890 that are due every six months to Department of Finance 00:36:24.890 --> 00:36:28.450 and other control agencies are CC'd on that as well. 00:36:28.450 --> 00:36:32.290 And then our risk process was a collaborative effort with 00:36:32.290 --> 00:36:35.840 the executive director and senior management team where we 00:36:35.840 --> 00:36:39.360 sat down and we identified our goals for the year and what 00:36:39.360 --> 00:36:43.190 risks could prevent us from meeting those goals. 00:36:43.190 --> 00:36:45.730 And that's how we came up with the risks that I'll share 00:36:45.730 --> 00:36:46.743 the next few slides. 00:36:53.110 --> 00:36:57.040 So risk one is the staff recruitment retention 00:36:57.040 --> 00:36:58.413 and staffing levels. 00:37:00.280 --> 00:37:02.450 Just so when I talk about action plans, 00:37:02.450 --> 00:37:04.790 I'm kind of using the word action plan and controls 00:37:04.790 --> 00:37:08.030 interchangeably here in this situation, 00:37:08.030 --> 00:37:11.580 and may not read every action plan just due to time. 00:37:11.580 --> 00:37:12.860 So if you have any questions, 00:37:12.860 --> 00:37:15.760 please feel free to stop me and ask. 00:37:15.760 --> 00:37:19.800 So in order to address this risk of recruitment, retention, 00:37:19.800 --> 00:37:20.870 and staffing levels, 00:37:20.870 --> 00:37:23.743 we plan to update and implement a recruitment plan. 00:37:24.690 --> 00:37:26.830 We want to update and implement our workforce 00:37:26.830 --> 00:37:28.283 in succession plan. 00:37:29.120 --> 00:37:31.985 We're also doing activities like changing our remaining 00:37:31.985 --> 00:37:35.200 in-person job exams to make sure that they're online 00:37:35.200 --> 00:37:38.550 so we can hopefully get more people participating. 
00:37:38.550 --> 00:37:40.860 And then we also want to support activities that have been 00:37:40.860 --> 00:37:44.373 developed by the diversity equity and inclusion work group. 00:37:46.710 --> 00:37:47.543 Next. 00:37:51.423 --> 00:37:54.930 Two is workforce and succession planning. 00:37:54.930 --> 00:37:56.031 Oh, yes. 00:37:56.031 --> 00:37:57.540 Please go ahead. 00:37:57.540 --> 00:38:01.735 Commissioner (indistinct) wanted to ask the question. 00:38:01.735 --> 00:38:02.913 Yeah. 00:38:03.780 --> 00:38:05.080 And none of the Commissioners wrong, 00:38:05.080 --> 00:38:06.930 if you prefer, we wait until the end, 00:38:06.930 --> 00:38:09.730 but I just had a very quick question on that last slide, 00:38:15.090 --> 00:38:19.160 how many exams do you happen to know how many exams 00:38:19.160 --> 00:38:20.623 are still not online? 00:38:22.490 --> 00:38:26.450 I believe we have two last that we still wanna put online. 00:38:26.450 --> 00:38:30.200 I know for sure that we have the financial examiner one that 00:38:30.200 --> 00:38:31.693 is not online currently. 00:38:32.660 --> 00:38:36.870 Okay. So we've gotten most of exams are now online. 00:38:36.870 --> 00:38:38.510 Just a couple of them remaining. 00:38:38.510 --> 00:38:39.343 Yeah. 00:38:39.343 --> 00:38:42.500 So we have the engineer one that was a big push last year 00:38:42.500 --> 00:38:45.000 that we worked on getting that one online. 00:38:45.000 --> 00:38:47.300 And this year I know we're working hard to get the financial 00:38:47.300 --> 00:38:48.533 examiner one online. 00:38:49.490 --> 00:38:50.860 Okay. Thank you. 00:38:57.425 --> 00:38:58.258 Thank you. 00:38:58.258 --> 00:38:59.133 Back to you, Angie. 00:39:00.590 --> 00:39:01.767 Next slide, risk two. 00:39:02.952 --> 00:39:03.785 Thank you. 00:39:03.785 --> 00:39:06.660 Here, we have workforce and succession planning.
00:39:06.660 --> 00:39:09.530 So this is where really where we want to reduce the risk 00:39:09.530 --> 00:39:11.680 of having a key person dependency issue, 00:39:11.680 --> 00:39:14.720 where maybe there's only one person or one small group 00:39:14.720 --> 00:39:16.210 of people who know how to do something. 00:39:16.210 --> 00:39:17.860 So we really wanna plan for this. 00:39:19.130 --> 00:39:21.880 Here, we wanna finalize and distribute our technical 00:39:21.880 --> 00:39:23.950 advice on knowledge management guide. 00:39:23.950 --> 00:39:27.610 That's it's a very detailed knowledge transfer guide 00:39:27.610 --> 00:39:28.883 that we're drafting. 00:39:30.040 --> 00:39:30.873 We also, again, 00:39:30.873 --> 00:39:33.210 wanna update and implement our workforce in succession 00:39:33.210 --> 00:39:34.430 plan items. 00:39:34.430 --> 00:39:35.920 And then we also hope to relaunch 00:39:35.920 --> 00:39:37.763 our Strategic Mentoring Program. 00:39:42.050 --> 00:39:42.883 Next. 00:39:47.236 --> 00:39:49.030 Here, risk three technology. 00:39:49.030 --> 00:39:50.920 This is a very common one, 00:39:50.920 --> 00:39:54.360 identify and usually through all the state departments 00:39:54.360 --> 00:39:56.890 have this as one of their highest risks usually. 00:39:56.890 --> 00:39:59.030 So for technology, we have support tools, 00:39:59.030 --> 00:40:00.230 design, and maintenance. 00:40:01.450 --> 00:40:04.930 We wanna finalize our scoring criteria and create 00:40:04.930 --> 00:40:09.620 an initial IT project prioritization portfolios utilized 00:40:09.620 --> 00:40:12.060 by the Information Technology Governance Committee 00:40:12.060 --> 00:40:13.363 that we have in place now. 00:40:14.540 --> 00:40:17.489 We will also wanna make sure that we've updated 00:40:17.489 --> 00:40:21.180 our policies and procedures, and we have them. 
00:40:21.180 --> 00:40:24.140 We also want to establish a uniform data retention policy 00:40:24.140 --> 00:40:25.160 for the Commission. 00:40:25.160 --> 00:40:28.720 We do have a data retention policy and overarching one 00:40:28.720 --> 00:40:30.280 already in place, 00:40:30.280 --> 00:40:33.860 but we want to ensure that each division has a more detailed 00:40:33.860 --> 00:40:37.840 plan that can really focus on what we have stored 00:40:37.840 --> 00:40:41.123 on our systems in order to create more storage. 00:40:44.749 --> 00:40:45.582 Next. 00:40:48.340 --> 00:40:52.010 Risk four, is internal controls and oversight, 00:40:52.010 --> 00:40:57.010 here we wanna complete an enterprise wide safety program, 00:40:57.210 --> 00:40:59.730 assessment of CPUC's, organizational, 00:40:59.730 --> 00:41:01.960 and business safety systems. 00:41:01.960 --> 00:41:04.260 And then once we've completed that assessment, 00:41:04.260 --> 00:41:06.900 we wanna initiate a health and safety policies 00:41:06.900 --> 00:41:10.750 and programs to respond to the findings that we identified 00:41:10.750 --> 00:41:12.460 in that assessment. 00:41:12.460 --> 00:41:15.470 And then we also want to ensure through that assessment 00:41:15.470 --> 00:41:17.180 and the findings that we implement that we're 00:41:17.180 --> 00:41:20.130 in accordance with OSHA and Cal/OSHA. 00:41:20.130 --> 00:41:22.610 So those are two big pushes for this internal controls 00:41:22.610 --> 00:41:23.443 and oversight. 00:41:28.210 --> 00:41:33.210 Risk five, this one is addressing CPUC's oversight 00:41:34.410 --> 00:41:36.980 of regulated utilities. 00:41:36.980 --> 00:41:41.040 Here, we're looking to develop new water citation procedures 00:41:41.040 --> 00:41:44.150 to establish citation programs for water companies 00:41:44.150 --> 00:41:48.410 that are in violation of either our public utility code, 00:41:48.410 --> 00:41:50.293 Commission orders or general orders.
00:41:51.380 --> 00:41:54.220 We also really have been working hard to implement audit 00:41:54.220 --> 00:41:57.723 recommendations to improve our fiscal safety oversight. 00:41:59.180 --> 00:42:02.350 We also wanna refine our reporting requirements 00:42:02.350 --> 00:42:05.580 for the utility risk spending accountability reports. 00:42:05.580 --> 00:42:08.380 That's something that the Energy Division is working on. 00:42:09.350 --> 00:42:12.300 Also, we have the utility audits branch. 00:42:12.300 --> 00:42:14.718 There's a new section and that branch 00:42:14.718 --> 00:42:16.510 with communication section. 00:42:16.510 --> 00:42:19.010 And so they're gonna be completing some audits 00:42:19.010 --> 00:42:21.290 on different carriers this year. 00:42:21.290 --> 00:42:23.460 And then we're also gonna implement 00:42:23.460 --> 00:42:25.133 enforcement committee activities. 00:42:26.440 --> 00:42:29.490 We already have a enforcement committee in place. 00:42:29.490 --> 00:42:31.890 So now we're working on the detailed of the activities 00:42:31.890 --> 00:42:34.140 and the action plans that we wanna implement. 00:42:38.486 --> 00:42:39.319 Next. 00:42:41.680 --> 00:42:45.420 Next I'll provide an update on our audit recommendations. 00:42:45.420 --> 00:42:49.910 These are audits that has been performed on the CPUC 00:42:49.910 --> 00:42:52.270 by either our internal audit group, 00:42:52.270 --> 00:42:54.820 known as IAS internal audit services 00:42:54.820 --> 00:42:56.533 or by control agencies. 00:43:00.920 --> 00:43:02.380 We've been tracking, 00:43:02.380 --> 00:43:04.490 as you can see on the pie chart on the left, 00:43:04.490 --> 00:43:07.653 the internal audit ones since 2018, 00:43:08.815 --> 00:43:10.750 let's see, for internal audits, 00:43:10.750 --> 00:43:15.750 we've had a total of 49 audit recommendations since 2018, 00:43:16.440 --> 00:43:20.210 and we've been able to implement 32 of those already. 
00:43:20.210 --> 00:43:22.090 We still have 15 of them in progress. 00:43:22.090 --> 00:43:24.070 That's what the orange shows. 00:43:24.070 --> 00:43:26.810 And then two that will not be implemented 00:43:28.577 --> 00:43:32.090 just to give an example of the will not implement it. 00:43:32.090 --> 00:43:35.500 In case you're curious is for example, 00:43:35.500 --> 00:43:38.040 our internal audit services has suggested that we purchased 00:43:38.040 --> 00:43:42.270 some software to help us track our inventory. 00:43:42.270 --> 00:43:44.450 And we've decided that purchasing the software 00:43:44.450 --> 00:43:45.520 really isn't necessary. 00:43:45.520 --> 00:43:48.110 At this point, we can really implement the control 00:43:48.110 --> 00:43:50.020 and have a good solid system in place 00:43:50.020 --> 00:43:52.300 by just utilizing Excel and expanding 00:43:52.300 --> 00:43:55.340 some more columns on there that we track. 00:43:55.340 --> 00:43:57.820 So we've decided to use a more cost effective approach 00:43:57.820 --> 00:43:59.970 there, and that's why it's not implemented. 00:44:01.990 --> 00:44:05.260 And then for external auditing, 00:44:05.260 --> 00:44:10.140 we've had 237 audit recommendations, 00:44:10.140 --> 00:44:13.150 but this does go back to since 2012. 00:44:13.150 --> 00:44:17.490 And we've been very aggressive lately and we've been 00:44:17.490 --> 00:44:19.740 cleaning up a lot of the audit recommendations 00:44:19.740 --> 00:44:21.880 and implementing them and strengthening our controls. 00:44:21.880 --> 00:44:26.880 So we're up to implementing 161 now, we have 68 remaining, 00:44:27.960 --> 00:44:30.383 and then we have eight that will not implement. 00:44:36.440 --> 00:44:37.543 And then next, 00:44:38.670 --> 00:44:40.920 this is kind of the same information presented 00:44:40.920 --> 00:44:41.753 a little different. 
00:44:41.753 --> 00:44:44.540 This shows a little bit more detail about the different 00:44:44.540 --> 00:44:46.630 control agencies that perform the audits 00:44:46.630 --> 00:44:50.750 and when they perform them, as you can see, 00:44:50.750 --> 00:44:55.730 there's quite a jump in 2020 and 2021 for implementation. 00:44:55.730 --> 00:44:58.810 And that's really due to the executive director 00:44:58.810 --> 00:45:00.350 Rachel's leadership. 00:45:00.350 --> 00:45:04.020 She has implemented a new process of accountability 00:45:04.020 --> 00:45:05.870 and reporting, 00:45:05.870 --> 00:45:08.900 and just her support with risk and compliance branch has 00:45:08.900 --> 00:45:11.740 really made this successful effort and we continue 00:45:11.740 --> 00:45:12.950 to implement the control. 00:45:12.950 --> 00:45:15.290 So I greatly appreciate her support 00:45:24.010 --> 00:45:24.933 Next slide. 00:45:27.357 --> 00:45:30.330 Is, these are the audits that are in progress. 00:45:30.330 --> 00:45:35.069 So our internal audit shop here at the CPUC is finishing up 00:45:35.069 --> 00:45:39.490 two of them, those are the top two that started in 2019. 00:45:39.490 --> 00:45:41.190 Those are currently being reviewed 00:45:41.190 --> 00:45:43.550 by the chief acting chief. 00:45:43.550 --> 00:45:45.610 And then the other four below, 00:45:45.610 --> 00:45:47.868 there are ones that I've just begun. 00:45:47.868 --> 00:45:49.790 We've held entrance conferences. 00:45:49.790 --> 00:45:51.930 So they're just starting those audits 00:45:51.930 --> 00:45:53.570 in progress right now. 00:45:53.570 --> 00:45:56.550 And then we currently have two external audits being performed 00:45:56.550 --> 00:45:57.383 right now.
00:45:57.383 --> 00:46:00.620 We have the State Controller's Office is here doing 00:46:00.620 --> 00:46:03.800 a routine audit on the payroll process 00:46:03.800 --> 00:46:08.020 and their audit period is covering July, 2018 00:46:08.020 --> 00:46:10.830 to June 30th, 2021, 00:46:10.830 --> 00:46:13.660 and they'll test their standard nine areas. 00:46:13.660 --> 00:46:15.710 So that one's in progress right now. 00:46:15.710 --> 00:46:18.040 And then the other audit going on right now 00:46:18.040 --> 00:46:21.580 is the California State Auditors is here performing an audit 00:46:21.580 --> 00:46:24.650 on electrical system safety oversight, 00:46:24.650 --> 00:46:27.400 and their audit period is covering the last five years. 00:46:29.280 --> 00:46:32.263 And again, they are both in progress. 00:46:34.790 --> 00:46:36.090 Do you have any questions? 00:46:38.410 --> 00:46:39.260 Thank you, Angie. 00:46:39.260 --> 00:46:42.363 I'm going turn to President Batjer first. 00:46:44.150 --> 00:46:47.370 Thank you very much Commissioner Shiroma and Angie, 00:46:47.370 --> 00:46:48.530 thank you so much. 00:46:48.530 --> 00:46:53.090 The progress you and your team has made is impressive. 00:46:53.090 --> 00:46:57.380 I know you and I used to meet more regularly than, 00:46:57.380 --> 00:47:00.670 and I haven't been able to see some of these stats slightly, 00:47:00.670 --> 00:47:02.790 but I'm very, very impressed. 00:47:02.790 --> 00:47:07.790 And I also want to thank Rachel Peterson for her insight 00:47:09.500 --> 00:47:12.900 and her leadership in making sure that you had the resources 00:47:12.900 --> 00:47:15.300 you needed and the support you needed 00:47:15.300 --> 00:47:20.300 to get your goals and objectives to the place 00:47:20.870 --> 00:47:22.310 that you wanted. 00:47:22.310 --> 00:47:25.200 And I know you have always set very high, 00:47:25.200 --> 00:47:26.410 high standards for yourself. 00:47:26.410 --> 00:47:28.523 So I really, really appreciate it. 
00:47:30.390 --> 00:47:32.130 And thank you too, 00:47:32.130 --> 00:47:34.800 for the update on the internal audits, that was helpful too. 00:47:34.800 --> 00:47:38.790 So very good job, hats off to you and your team. 00:47:38.790 --> 00:47:43.490 I know you came into a steep climb and it seems like you 00:47:43.490 --> 00:47:45.380 have a mounted the summit. 00:47:45.380 --> 00:47:47.123 So thank you very much. 00:47:48.440 --> 00:47:49.990 Thank you. I appreciate that. 00:47:51.790 --> 00:47:53.813 Thank you, President Batjer. 00:47:55.640 --> 00:47:58.550 Commissioner Guzman, did I see you raise your hands? 00:47:58.550 --> 00:48:00.050 Yeah, Commissioner Shiroma. 00:48:00.050 --> 00:48:00.883 Thank you. 00:48:00.883 --> 00:48:03.670 And it's really nice to see virtually Angie. 00:48:03.670 --> 00:48:05.033 It's been some time. 00:48:06.540 --> 00:48:09.320 I also wanted to just thank you. 00:48:09.320 --> 00:48:13.870 So just reflecting on how on-point these risks 00:48:16.250 --> 00:48:18.610 identification of risks are, 00:48:18.610 --> 00:48:21.680 and to see some of these action plans, 00:48:21.680 --> 00:48:26.680 and it gives me so much, peace of mind, I guess, 00:48:27.030 --> 00:48:29.480 to see that we're working on these everything 00:48:29.480 --> 00:48:34.300 from I didn't know there was a new communication section 00:48:34.300 --> 00:48:36.059 on the telecommunication carriers. 00:48:36.059 --> 00:48:40.130 That's like this, an example of things that have been 00:48:40.130 --> 00:48:43.930 maybe a little chronic that are getting the attention 00:48:43.930 --> 00:48:45.363 they really deserve. 00:48:46.798 --> 00:48:50.750 So really congratulations on the process that you use 00:48:50.750 --> 00:48:54.560 to determine these, obviously from my perspective, 00:48:54.560 --> 00:48:56.773 seems to have yielded the right priorities. 
00:48:58.140 --> 00:48:59.880 Also, I just was wondering 00:49:00.729 --> 00:49:03.560 who makes up the information 00:49:03.560 --> 00:49:05.513 technology governance committee. 00:49:07.510 --> 00:49:10.680 It's executive or Rachel, did you want to answer? 00:49:10.680 --> 00:49:12.520 Okay. I can have the sure. 00:49:12.520 --> 00:49:13.353 Yes. 00:49:15.340 --> 00:49:17.080 It's a model that's used, 00:49:17.080 --> 00:49:20.000 I think private and public sector Commissioner. 00:49:20.000 --> 00:49:23.740 And it does require executive level sponsorship. 00:49:23.740 --> 00:49:27.980 So I'm involved on the sponsor probably, 00:49:27.980 --> 00:49:29.630 our IT department. 00:49:29.630 --> 00:49:34.350 And then all of the substantive divisions are involved 00:49:34.350 --> 00:49:36.500 as well at the senior level 00:49:36.500 --> 00:49:39.570 because they are the ones that are developing. 00:49:39.570 --> 00:49:42.850 They have IT needs and project ideas. 00:49:42.850 --> 00:49:47.850 So the model is one in which at that senior level, 00:49:47.980 --> 00:49:52.980 you have a process by which to propose projects that come 00:49:53.950 --> 00:49:58.950 through a consensus driven decision-making matrix 00:49:59.130 --> 00:50:02.860 and then select which ones will benefit the organization 00:50:02.860 --> 00:50:03.693 and our mission, 00:50:03.693 --> 00:50:07.213 and therefore rise to the top of the priority list for IT. 00:50:09.790 --> 00:50:13.030 How often do you guys meet, Rachel? 00:50:13.030 --> 00:50:15.530 How frequently does the Governance Committee meet? 00:50:16.880 --> 00:50:20.940 President Batjer, we're aiming towards more regular 00:50:20.940 --> 00:50:22.100 systematic meetings. 00:50:22.100 --> 00:50:26.550 I would like for it to be either bi-monthly or quarterly, 00:50:26.550 --> 00:50:28.823 we're still getting our feet on the ground. 
00:50:30.330 --> 00:50:33.430 As Ryan Dulin, our Deputy Executive Director 00:50:33.430 --> 00:50:36.820 for internal operations started mid-year this year. 00:50:36.820 --> 00:50:40.380 And so getting him incorporated and integrated 00:50:40.380 --> 00:50:42.160 into it has taken a little bit of time 00:50:42.160 --> 00:50:44.580 alongside all of the other work we're doing. 00:50:44.580 --> 00:50:49.270 My aim would be probably bi-monthly to get ourselves up 00:50:49.270 --> 00:50:51.710 and running and then move to quarterly. 00:50:51.710 --> 00:50:53.600 There's a lot of work that happens in between 00:50:53.600 --> 00:50:54.733 those meetings too. 00:50:56.040 --> 00:50:57.810 And maybe Rachel, 00:50:57.810 --> 00:51:00.380 you can reflect a little bit for the benefit of the other 00:51:00.380 --> 00:51:01.620 Commissioners that we did. 00:51:01.620 --> 00:51:03.770 And Angie too, 00:51:03.770 --> 00:51:08.360 that we did have an outside consultant that came in 00:51:08.360 --> 00:51:12.143 and helped design the best practices if you will. 00:51:13.090 --> 00:51:16.110 And we did early on, when I first came on the Commission, 00:51:16.110 --> 00:51:18.670 we consulted with CDT. 00:51:18.670 --> 00:51:23.670 It identified this as a vulnerability when they came in. 00:51:23.950 --> 00:51:26.860 And you might remember that I had them do that quick review 00:51:26.860 --> 00:51:30.500 at the very beginning of the fall of '19. 00:51:30.500 --> 00:51:35.300 And they said, you need a greater governance structure 00:51:35.300 --> 00:51:40.300 and that wards off hopefully any kind of sale management 00:51:42.010 --> 00:51:44.463 or excuse me, IT programs. 00:51:46.770 --> 00:51:50.700 So that it's been a work from the last frankly two years. 00:51:50.700 --> 00:51:52.533 So just FYI. 00:51:54.950 --> 00:51:58.113 Yes, you provided the capital history very well, 00:51:59.528 --> 00:52:00.361 President Batjer. 
00:52:00.361 --> 00:52:03.980 In itself, you could call it an audit recommendation 00:52:03.980 --> 00:52:06.630 and then a management practice that we're instituting 00:52:06.630 --> 00:52:08.910 to meet that audit recommendation. 00:52:08.910 --> 00:52:11.760 So it is definitely a work in progress and something 00:52:11.760 --> 00:52:13.340 I'm very committed to, 00:52:13.340 --> 00:52:15.700 even though we're definitely in the crawl phase 00:52:15.700 --> 00:52:17.133 of crawl walk run. 00:52:21.470 --> 00:52:25.670 Commissioner Guzman Aceves, can you say anything else? 00:52:25.670 --> 00:52:26.913 Okay. All right. 00:52:27.810 --> 00:52:29.193 Yes, Commissioner Houck. 00:52:30.920 --> 00:52:33.620 I just wanted to thank Angie and her team and Rachel 00:52:33.620 --> 00:52:37.270 for all their work and the briefings would be audit 00:52:37.270 --> 00:52:40.270 and Finance Committee and for Commissioner Shiroma 00:52:40.270 --> 00:52:43.020 for her leadership and helping me get up to speed 00:52:43.020 --> 00:52:45.180 as a newer member to the committee. 00:52:45.180 --> 00:52:47.090 And just again, 00:52:47.090 --> 00:52:51.010 lots of progress and appreciate all of the hard work. 00:52:51.010 --> 00:52:51.843 So thank you. 00:52:52.914 --> 00:52:53.747 Thank you. 00:52:54.941 --> 00:52:56.383 Commissioner Rechtschaffen. 00:52:56.383 --> 00:52:58.920 Angie, could you talk a little bit more about 00:52:58.920 --> 00:53:01.273 the data retention policies? 00:53:02.370 --> 00:53:05.100 I know that we were 2 to 3 years ago, 00:53:05.100 --> 00:53:10.100 we were simply out of compliance with state rules about 00:53:10.680 --> 00:53:15.113 that, it sounds like we're there, but not completely there. 00:53:17.570 --> 00:53:18.620 Yes. 00:53:18.620 --> 00:53:21.280 So actually we are in compliance now 00:53:21.280 --> 00:53:22.720 with the state requirements. 00:53:22.720 --> 00:53:27.310 We have the overarching data retention policy. 
00:53:27.310 --> 00:53:30.820 We actually have created a whole, not me, 00:53:30.820 --> 00:53:34.940 but ASB division has created a whole SharePoint site about 00:53:34.940 --> 00:53:38.810 record management and on there shows the policies 00:53:38.810 --> 00:53:41.580 and any other relevant documents that people might need 00:53:41.580 --> 00:53:43.670 for contracts and other items. 00:53:43.670 --> 00:53:45.808 So we've made a lot of progress in that area. 00:53:45.808 --> 00:53:50.808 So this risk is actually starting to touch on our storage 00:53:51.000 --> 00:53:52.950 for the data in our systems. 00:53:52.950 --> 00:53:55.760 And then also just ensuring that we're compliant. 00:53:55.760 --> 00:53:57.980 Often you create a plan and a goal, 00:53:57.980 --> 00:54:00.930 but sometimes we forget to go back and delete those old 00:54:00.930 --> 00:54:03.650 emails, delete those old documents that we have saved. 00:54:03.650 --> 00:54:05.930 So we also need to go back and ensure that we're 00:54:05.930 --> 00:54:09.990 implementing the retention policy and following it to allow 00:54:09.990 --> 00:54:13.360 for more storage and for PR requests and other legal 00:54:13.360 --> 00:54:15.970 concerns that may come up with keeping documents for years 00:54:15.970 --> 00:54:17.287 and years and years. 00:54:18.290 --> 00:54:20.880 Well, that was a follow up question I was gonna have, 00:54:20.880 --> 00:54:22.190 have we done training 00:54:22.190 --> 00:54:27.190 and are we monitoring whether or not the divisions 00:54:28.170 --> 00:54:29.943 are complying with the new rules? 00:54:30.820 --> 00:54:33.330 That's something that the risk and compliance branches 00:54:33.330 --> 00:54:34.540 and to talk about with Rachel 00:54:34.540 --> 00:54:37.990 'cause I kind of went out and did some research to see... 00:54:37.990 --> 00:54:40.880 We have a retention policy, but is everyone aware of it? 
00:54:40.880 --> 00:54:42.710 And so maybe doing one more training, 00:54:42.710 --> 00:54:45.370 letting people know that the retention policy is available, 00:54:45.370 --> 00:54:46.460 it's out there. 00:54:46.460 --> 00:54:50.010 And then also updating some divisions has a more detailed 00:54:50.010 --> 00:54:53.010 retention policy, but they may need to be updated. 00:54:53.010 --> 00:54:54.830 So making sure that those are current. 00:54:54.830 --> 00:54:57.510 So I think the risk and compliance branch can certainly circle 00:54:57.510 --> 00:55:00.900 back and make sure that we're implementing those 00:55:00.900 --> 00:55:03.700 recommendations that they have for the retention policy. 00:55:05.810 --> 00:55:06.643 Thank you. 00:55:08.284 --> 00:55:09.284 Thank you. 00:55:10.170 --> 00:55:14.640 So Angie and Rachel, first of all, 00:55:14.640 --> 00:55:17.740 thank you for the presentation, excellent. 00:55:17.740 --> 00:55:22.620 Really is important that you're keeping a keen eye on 00:55:22.620 --> 00:55:26.990 resolving all of the pending audit recommendations 00:55:28.350 --> 00:55:31.140 and pending in so far as resolving them. 00:55:31.140 --> 00:55:35.700 And he's heard recommendations placed in final reports, 00:55:35.700 --> 00:55:40.700 assessing the CPUC and the metrics are very, 00:55:42.470 --> 00:55:47.280 very, it's very important to see the progress being made. 00:55:47.280 --> 00:55:49.120 Rachel, thank you. 00:55:49.120 --> 00:55:54.120 Now on risk five as a Commissioner Guzman Aceves 00:55:56.200 --> 00:55:57.033 pointed out, 00:55:57.033 --> 00:55:59.810 it's really great to see that there'll be a new 00:55:59.810 --> 00:56:04.680 communication section for the utility audit branch 00:56:04.680 --> 00:56:06.630 to conduct and complete audits 00:56:06.630 --> 00:56:08.433 of telecommunication carriers. 
00:56:09.350 --> 00:56:14.350 And I recall it's probably been a year or more Angie, 00:56:16.160 --> 00:56:21.049 where you had indicated at a resource need 00:56:21.049 --> 00:56:25.180 to have the resources to conduct these audits. 00:56:25.180 --> 00:56:29.170 Do you have an update on that in terms of 00:56:31.968 --> 00:56:35.928 what has been done since then to assure that you can, 00:56:35.928 --> 00:56:38.300 that your branch can carry out, 00:56:38.300 --> 00:56:40.763 its very important requirements? 00:56:41.750 --> 00:56:45.190 Yeah, so kind of my other hats that I wear is I'm also, 00:56:45.190 --> 00:56:48.610 I'm in charge of external auditing and I believe that's what 00:56:48.610 --> 00:56:49.810 you're speaking on. 00:56:49.810 --> 00:56:51.630 So for external auditing, yes. 00:56:51.630 --> 00:56:55.210 I mean, resources are always a concern, but we did receive. 00:56:55.210 --> 00:56:59.920 And the last round we received three audit positions 00:56:59.920 --> 00:57:02.270 for communications specifically 00:57:02.270 --> 00:57:04.870 and we have filled those positions and they have, 00:57:04.870 --> 00:57:06.710 when we've performed a risk assessment, 00:57:06.710 --> 00:57:09.850 we've determined our audit objective and they are already 00:57:09.850 --> 00:57:14.760 currently out performing spilled work on two companies 00:57:14.760 --> 00:57:15.593 right now. 00:57:16.970 --> 00:57:19.340 I'm very excited about the progress that's been made with 00:57:19.340 --> 00:57:22.240 that 'cause we've never had a communication section before 00:57:23.300 --> 00:57:24.133 for auditing. 00:57:25.380 --> 00:57:27.643 Congratulations on that progress. 00:57:28.675 --> 00:57:29.925 That's very nice to hear. 00:57:31.430 --> 00:57:34.453 Any other questions or comments from the Commissioners? 00:57:36.750 --> 00:57:37.730 All right. 
00:57:37.730 --> 00:57:42.180 I'm going to return back to Rachel for any concluding 00:57:42.180 --> 00:57:46.030 remarks and then back to President Batjer. 00:57:46.030 --> 00:57:50.470 Should there be folks signed up for public comments? 00:57:50.470 --> 00:57:51.303 Rachel. 00:57:52.440 --> 00:57:53.450 Thank you, Commissioner. 00:57:53.450 --> 00:57:57.810 Thank you all again for the opportunity to have Angie 00:57:57.810 --> 00:58:00.580 and myself present today, as you've seen, 00:58:00.580 --> 00:58:02.920 I find this work to be very important. 00:58:02.920 --> 00:58:06.560 It's very satisfying to see the numbers of open 00:58:06.560 --> 00:58:08.630 recommendations tick downwards. 00:58:08.630 --> 00:58:12.340 So that's partly why I pursue it, 00:58:12.340 --> 00:58:14.200 but not really just because of that, 00:58:14.200 --> 00:58:16.550 but because it really is important. 00:58:16.550 --> 00:58:19.410 We have such a broad mission and we incur risk 00:58:19.410 --> 00:58:21.483 in so many different ways that, 00:58:22.540 --> 00:58:26.330 audits are actually beneficial in helping point out where 00:58:26.330 --> 00:58:31.210 risk occurs and how we can requires us to become innovative 00:58:31.210 --> 00:58:33.020 and figure out how to address it. 00:58:33.020 --> 00:58:35.460 So I'm actually quite, 00:58:35.460 --> 00:58:37.490 I find it a very useful management tool. 00:58:37.490 --> 00:58:39.940 So I'm very happy to present to you today. 00:58:39.940 --> 00:58:41.073 Thank you very much. 00:58:44.380 --> 00:58:46.270 Alright, thank you. 00:58:46.270 --> 00:58:49.213 President Batjer, the microphone back to you. 00:58:50.280 --> 00:58:53.103 See if any books for helicopters. 00:58:55.250 --> 00:58:58.700 Again, want to thank Angie so much for the progress. 00:58:58.700 --> 00:59:03.110 She's made always a concern that internal controls 00:59:03.110 --> 00:59:06.970 and proper controls within the organization. 
00:59:06.970 --> 00:59:10.330 And I think again, we're making a lot of progress. 00:59:10.330 --> 00:59:12.150 So with that, 00:59:12.150 --> 00:59:15.210 I will turn to the operator and ask her to open up 00:59:15.210 --> 00:59:17.643 the phone lines for any public comment. 00:59:19.010 --> 00:59:19.970 Thank you. 00:59:19.970 --> 00:59:24.570 If you would like to have a public comment, 00:59:24.570 --> 00:59:27.110 please press star one, 00:59:27.110 --> 00:59:29.900 un-mute youth and record your name clearly. 00:59:29.900 --> 00:59:33.900 Your name is required to introduce your comment. 00:59:33.900 --> 00:59:36.203 One moment please. Thank you. 00:59:46.660 --> 00:59:48.550 Once again it is star one. 00:59:48.550 --> 00:59:50.650 If you would like to have a public comment 01:00:07.240 --> 01:00:09.853 I currently have no public comments at this time. 01:00:11.930 --> 01:00:13.340 Okay. 01:00:13.340 --> 01:00:14.600 Thank you very much. 01:00:14.600 --> 01:00:17.620 Again, thank you to everyone who's participated 01:00:17.620 --> 01:00:19.780 and listened in to the meeting today. 01:00:19.780 --> 01:00:24.410 Very important topics and I wanna thank Rachel 01:00:24.410 --> 01:00:25.690 and Commissioner Shiroma, 01:00:25.690 --> 01:00:28.960 Commissioner Houck, Commissioner Guzman Aceves 01:00:28.960 --> 01:00:32.730 for bringing these very important topics to us today. 
01:00:32.730 --> 01:00:37.440 And I would recommend as I'm walking out the door 01:00:38.690 --> 01:00:42.640 that we probably have this type of a briefing 01:00:42.640 --> 01:00:46.810 on these very topics a little bit more frequently, 01:00:46.810 --> 01:00:49.366 and I really do appreciate them very much 01:00:49.366 --> 01:00:53.230 and nothing is more important to the operations 01:00:53.230 --> 01:00:57.910 of an organization than making sure that our risk assessment 01:00:57.910 --> 01:01:01.440 or our risk is well identified and being addressed, 01:01:01.440 --> 01:01:04.390 whether that's in the cyber security area or internal 01:01:04.390 --> 01:01:06.490 controls or just the auditing. 01:01:06.490 --> 01:01:08.083 And as Rachel said, 01:01:10.610 --> 01:01:14.860 we can only monitor our progress as an organization 01:01:14.860 --> 01:01:17.240 when we have audits to measure ourselves by. 01:01:17.240 --> 01:01:21.241 So with that, thank you all very much again. 01:01:21.241 --> 01:01:23.767 And the meeting is now adjourned.