58:31-4.2 Purveyor's water report; audit.
4. a. Beginning 90 days after the effective date of P.L.2021, c.262 (C.58:31-4.1 et al.), a water purveyor shall report to the New Jersey Cybersecurity and Communications Integration Cell, promptly after an employee is made aware of a cybersecurity incident, and in accordance with all applicable laws, rules , and regulations:
(1) any cybersecurity incident that results in the compromise of the confidentiality, integrity, availability, or privacy of the water purveyor's utility billing, communications, data management, or business information systems, or the information thereon; and
(2) any cybersecurity incident against the water purveyor's industrial control system, including monitoring, operations, and centralized control systems, that adversely impact, disable, or manipulate infrastructure, resulting in loss of service, contamination of finished water, or damage to infrastructure.
b. No later than 30 days after receiving a report of a cybersecurity incident from a water purveyor pursuant to subsection a. of this section, the New Jersey Cybersecurity and Communications Integration Cell shall cause to be audited the water purveyor's cybersecurity program and any actions the water purveyor took in response to the cybersecurity incident. The audit shall identify cyber threats and vulnerabilities to the public community water system, weaknesses in the public community water system's cybersecurity program, and strategies to address those weaknesses so as to protect the public community water system from the threat of future cybersecurity incidents. Any audit shall be conducted by a qualified and independent cybersecurity company, at the water purveyor's expense. Following the audit, the water purveyor shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.
L.2021, c.262, s.4.