1. Home
  2. |Insights
  3. |Delayed Self-Report and Poor Internal Controls Lead to Greater Penalties

Delayed Self-Report and Poor Internal Controls Lead to Greater Penalties

Client Alert | 2 min read | 05.07.19

The North American Electric Reliability Corporation (NERC) proposes to assess an unidentified entity a $356,000 penalty for violations of the CIP-006-3c NERC reliability standard which governs physical security of cyber assets. The violation lasted 13 months and was determined to pose a serious risk to reliability. The case highlights the importance of following up promptly with NERC when violations are identified. Although the violations were self-reported, the entity received no credit for self-reporting because it waited too long to do so. The case also highlights the importance of having effective internal controls to ensure compliance.

According to NERC’s Notice of Penalty (NOP), the entity did not deploy security patches to systems that controlled physical access to several substations thereby allowing the potential for unauthorized access to vulnerable systems. There were multiple process failures. First, an incorrect setting in the system that deploys patches led to the failure to identify available patches upon release. Second, when those patches were identified a year later, the push package to deploy them failed due to unspecified operability issues. Finally, when manual installation was identified as a necessary step, the entity chose not to install the patches because it was concerned that rebooting the system that controlled physical access―which was at its end-of-life―would result in the system failing and there was no backup. 

A key benefit of self-reporting a violation is to potentially obtain a reduced penalty. According to NERC, the entity waited 210 days before self-reporting, which made it ineligible for any self-report credit. NERC has stated that self-reports should be submitted “as soon as practical but typically within three months of discovery.” NERC-registered entities should keep this window in mind when they are considering whether and when to self-report a potential violation.

Additionally, this NOP reaffirms the importance of NERC-registered entities having effective internal controls―an ongoing compliance theme as discussed here. According to the NOP, the entity’s patch management program initially failed to identify necessary patches until one year after their release, and should have, but did not, identify the missing patches throughout that one-year period. Together, these infirmities called the entire patch process into question. These inadequate procedures led to the violations, which were deemed to have posed a serious risk to reliability due to the potential for unauthorized access to vulnerable systems. NERC-registered entities should periodically reassess their internal controls to confirm that they remain effective to ensure compliance.

Insights

Client Alert | 4 min read | 08.07.25

File First, Facts Later? Eleventh Circuit Says That Discovery Can Inform False Claims Act Allegations in Amended Complaints

On July 25, 2025, the Eleventh Circuit Court of Appeals issued its decision in United States ex. rel. Sedona Partners LLC v. Able Moving & Storage Inc. et al., holding that a district court cannot ignore new factual allegations included in an amended complaint filed by a False Claims Act qui tam relator based on the fact that those additional facts were learned in discovery, even while a motion to dismiss for failure to comply with the heightened pleading standard under Federal Rule of Civil Procedure 9(b) is pending.  Under Rule 9(b), allegations of fraud typically must include factual support showing the who, what, where, why, and how of the fraud to survive a defendant’s motion to dismiss.  And while that standard has not changed, Sedona gives room for a relator to file first and seek out discovery in order to amend an otherwise deficient complaint and survive a motion to dismiss, at least in the Eleventh Circuit.  Importantly, however, the Eleventh Circuit clarified that a district court retains the discretion to dismiss a relator’s complaint before or after discovery has begun, meaning that district courts are not required to permit discovery at the pleading stage.  Nevertheless, the Sedona decision is an about-face from precedent in the Eleventh Circuit, and many other circuits, where, historically, facts learned during discovery could not be used to circumvent Rule 9(b) by bolstering a relator’s factual allegations while a motion to dismiss was pending.  While the long-term effects of the decision remain to be seen, in the short term the decision may encourage relators to engage in early discovery in hopes of learning facts that they can use to survive otherwise meritorious motions to dismiss....