TN Utilities Mandate Cyber Security Program

  • Author | Heather Hughes
  • 3/9/2023 7:00 am

The Tennessee State Legislature enacted an amendment to TCA Code Annotated, Title 7, Chapter 51 – Consolidated Governments and Local Governmental Functions and Entities. This amendment affects certain municipal utilities in Tennessee and has an implementation mandate of July 1, 2023.


Public utilities that provide electric, water, wastewater or natural gas services will now be required to prepare and implement a cyber security plan to provide for the protection of the utilities’ facilities from unauthorized use, alteration, ransom or destruction of electronic data. In addition, the amendment requires utilities to assess and update the cyber security plan every two years to address new threats.


A cyber security plan specifies the security policies, procedures and controls required to protect an organization against threats and risk. It can also outline the specific steps to take for responding to a breach. It should include day-to-day policies, measures and protocols for managing specific situations.


 A well-developed cyber security plan includes the following:

  • Security Risk Assessment
  • Security Goals
  • Evaluation of Technology
  • Security Framework
  • Security Policies
  • Risk Management Plan
  • Implementation of a Security Strategy
  • Evaluation of the Security Strategy

Even if your entity does not provide utility services, there are several basic cyber security practices that are highly recommended, which include:

  • Backup of Data
  • Cyber Security Awareness Training
  • Patch Management
  • Discontinuing End-of-Life Software
  •  Firewall Management
  •  Security Gap Audit or Analysis
  • Multifactor Authentication

Public Entity Partners offers Privacy and Network Liability Coverage to its members. This coverage provides protection for third-party actions against members related to the failure to properly protect confidential information, or the failure of network security that results in a breach. It also includes the Data Breach Fund Coverage, which provides coverage for first-party expenses related to an information breach. In addition, PEP offers the Cyber Extension option, which expands the Data Breach Fund sublimit to include ransomware and social engineering coverage.