FERC has issued its final rule paving the way for incentive-based rate treatment for electric utilities that make certain voluntary cybersecurity investments. As we first noted in 2020 when describing the proposed rule, the final rule provides a new mechanism for promoting cybersecurity of the bulk-power system by rewarding utilities for proactively enhancing their cybersecurity programs beyond the mandatory requirements of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) reliability standards.
This new pathway offers a “carrot” to utilities that have historically only received the “stick” of enforcement actions under mandatory NERC CIP reliability standards and, at least in theory, could help the electric industry implement current, leading-edge advancements in cybersecurity detection and abatement on an expedited basis.
NERC CIP reliability standards, in contrast, typically take years to draft and approve, creating an inherent lag between threat awareness and mandated solutions. While this works well for setting a baseline of cyber protections for electric utilities, the proposed incentives can support a much faster implementation of additional cyber protections.
It remains to be seen whether the Commission’s proposal—which excludes from eligibility most nonpublic utilities and utilities selling at market-based rates and reduces the proposed incentives—will drive meaningful enhancements. The first few years of execution will likely reveal whether the Commission has begun to achieve the stated goal of the legislation.
Background
FERC issued Order 893, Incentives for Advanced Cybersecurity Investment, pursuant to the Infrastructure Investment and Jobs Act of 2021, which amended the Federal Power Act (FPA) to add Section 219A requiring FERC to establish a framework for incentive-based treatments for investments by utilities in Advanced Cybersecurity Technology and participation by utilities in cybersecurity threat information (including Advanced Cybersecurity Technology Information) sharing programs.
“Advanced Cybersecurity Technology” is defined by Section 219A of the FPA as any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat.
“Advanced Cybersecurity Technology Information” is defined as information relating to Advanced Cybersecurity Technology or proposed Advanced Cybersecurity Technology that is generated by or provided to the Commission or another federal agency.
While the final rule largely tracks the Notice of Proposed Rulemaking (NOPR) issued in September 2022 in Docket No. RM22-19-000, there are several key changes, as described below.
Eligibility for Incentive-Based Rate Treatment
FERC added Section 35.48(c) to its regulations to authorize incentive-based rate treatment for utilities that have or will have a rate on file with FERC. The incentives are only permitted for recovery through cost-of-service rates and not through market-based rates.
Cybersecurity investments eligible for incentives could include investments in Advanced Cybersecurity Technology, voluntary participation in a cybersecurity threat information-sharing program, or both. Improvements to cybersecurity can apply to any or all of the NERC-defined “impact levels” for BES Cyber Assets (i.e., Low Impact, Medium Impact, and High Impact).
Cybersecurity Investment
FERC established two eligibility criteria instructing that each cybersecurity investment (1) materially improve cybersecurity through either Advanced Cybersecurity Technology or participation in a cybersecurity threat information-sharing program and (2) not be already mandated by the reliability standards or otherwise mandated by local, state, or federal law, decision, or directive.
The second criterion also requires that the investment not be the result of an action taken in response to a federal or state agency merger condition, consent decree from a federal or state agency, or settlement agreement that resolves a dispute between a utility and a public or private party.
FERC recognizes that determining whether an investment “materially improves” cybersecurity, a requirement FERC stated was necessary to ensure just and reasonable rates, requires the Commission’s subject-matter expertise and judgment. As such, FERC states that it will also take into account the findings of other federal agencies to inform its decisions.
Cybersecurity Threat Information Sharing Program
As first introduced in the NOPR, FERC recognizes the Cybersecurity Risk Information Sharing Program as an eligible cybersecurity threat information-sharing program. In addition, FERC will consider other cybersecurity threat information-sharing programs for incentive treatment qualification.
In evaluating any proposed relevant cybersecurity threat information-sharing program, FERC will determine whether the program (1) is sponsored by the federal or a state government; (2) provides two-way communications from and to electric industry and government entities; and (3) delivers relevant and actionable cybersecurity information to program participants from the electricity industry.
Cybersecurity Investment Incentive Requests
FERC established a framework for evaluating whether certain cybersecurity investments, including expenses and capitalized costs, are eligible for incentives and set forth three approved approaches.
First, FERC included a list of pre-qualified investments (a PQ List) to identify certain cybersecurity investments that the Commission finds warrant the rebuttable presumption of eligibility for all utilities and are therefore eligible for incentive-based rate treatment. FERC will be able to update the PQ List to add additional investments. Protestors may seek to rebut the presumption of eligibility for individual applications.
Second, investments may be approved that are not among the first two categories but nevertheless are “tailored to their specific situations” and approved by FERC on a case-by-case basis. Applications under this case-by-case approach would not receive a presumption of eligibility, and an applicant would bear the full burden to demonstrate in its filing that its cybersecurity investment meets the eligibility criteria.
Third, investments may be approved if they are needed to establish compliance with NERC’s mandatory CIP reliability standards that have been approved by FERC but are not yet enforceable. Incentives for investments to achieve early compliance may only be collected until the associated NERC reliability standards become enforceable.
Incentive-Based Rate Incentives
FERC approved only one of the two rate incentive options that the NOPR proposed for utilities that make eligible cybersecurity investments. FERC approved the Cybersecurity Regulatory Asset Incentive, which allows a utility to seek deferred cost recovery for cybersecurity investments that are eligible for incentives, enabling the costs to be part of rate base such that a return can be earned on the unamortized portion. Such costs may be amortized for up to five years from the date the incentive receives Commission approval.
FERC found that, in limited circumstances specific to cybersecurity investments, it is appropriate to allow a utility to defer recovery of certain cybersecurity costs that are generally expensed as they are incurred and treat them as regulatory assets, while also allowing such regulatory assets to be included in the utility’s rate base.
Utilities may seek this incentive for a range of expenses including operation and maintenance expenses, labor costs, implementation costs, network monitoring, and training costs, as well as certain software-as-a-service expenses. The incentive is limited to new cybersecurity investments that occur after the Order 893 effective date and that are materially different from cybersecurity investments already incurred by the utilities more than three months prior to the incentive request.
FERC declined to approve the NOPR’s proposed Cybersecurity Return on Equity (ROE) Incentive, an ROE adder of 200 basis points that would be applied to the incentive-eligible investments. FERC stated that the Cybersecurity Regulatory Asset Incentive was sufficient to fulfill its statutory obligations of FPA Section 219A.