On September 22, 2022, the Federal Energy Regulatory Commission (FERC or the “Commission”) issued a Notice of Proposed Rulemaking (NOPR) proposing revisions to its regulations to establish rate incentives for public utilities to make investments in advanced cybersecurity technologies and participate in cybersecurity threat sharing information.1
The NOPR represents the Commission’s latest step towards implementing the requirements of the Infrastructure Investment and Jobs Act of 2021, which amended the Federal Power Act (FPA) to add Section 219A, “Incentives for Cybersecurity Investments.”2 Section 219A of the FPA requires the Commission to establish a framework for incentive-based rate treatments for the transmission and sale of electric energy at wholesale in interstate commerce to encourage investments in advanced cybersecurity technology and participation in threat information sharing programs.3 In May 2022, FERC delivered a report to congress outlining the potential advantages and limitations of an incentive-based rate approach to addressing cybersecurity risks.4 Under Section 219A, the Commission is required to issue a final rule establishing a framework for utilities to obtain incentive-based rate treatment for investments in advanced cybersecurity technologies and information sharing no later than May 2023.5
As described further below, in the NOPR, the Commission outlines a proposed framework for giving public utilities and non-public utilities the option of seeking incentive-based rate treatment, including a return on equity (ROE) adder, for expenditures incurred in connection with investments in advanced cybersecurity technologies and information sharing programs. The NOPR also supersedes and terminates a rulemaking proceeding that the Commission commenced in December 2020 proposing to make incentive-based rates available to utilities that adopted cybersecurity protections that exceeded the requirements set out in the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards.
When approving the NOPR, several FERC commissioners expressed skepticism about the proposed framework’s ability to mitigate cybersecurity threats. While each commissioner emphasized the importance of cybersecurity to the reliability of the grid, certain commissioners expressed concern about the potential efficacy of an incentive-based approach. For instance, Chairman Richard Glick noted that a voluntary, incentive-based approach necessarily means that certain utilities may elect not to make the investments that are the focus of the NOPR, resulting in vulnerabilities that could be exploited by adversaries. Commissioners Mark Christie and James Danly questioned whether providing a generous ROE adder—often derisively referred to as “FERC candy”—is an appropriate tool for maintaining cybersecurity. At the same time, the commissioners also acknowledged that implementation of mandatory standards, such as amendments to the NERC CIP standards, could take significant time and that an appropriate, incentive-based approach has the potential to represent a positive step towards addressing existing cybersecurity vulnerabilities.
The following sections provide a high-level overview of the framework proposed in the NOPR. Initial comments on the NOPR are due within 30 days of publication of the NOPR in the Federal Register, with reply comments due 15 days thereafter.6
A. Eligibility for Incentive-Based Rate Treatment
The framework set out in the NOPR would allow utilities to seek incentive-based rates for investments that materially improve cybersecurity through investments in advanced technology or participation in information sharing programs that are not already mandated by the NERC CIP Reliability Standards or applicable law.7 In order to qualify for incentive-based rate treatment, the Commission proposes to require that:
- The benefits of the expenditure exceed the combined costs of the expenditure and incentive.
- The expenditure will materially improve a utility’s security posture considering security controls and requirements recommended by the National Institute of Standards and Technology, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and certain other federal agencies and programs.8
In the NOPR, the Commission also outlines two potential approaches to evaluating cybersecurity expenditures.
- Pre-Qualified approach: Utilities that make expenditures identified in a “pre-qualified list” of expenditures set out in the Commission’s regulations would be entitled to a rebuttable presumption that the expenditure is eligible for incentive-based rates. Initially, FERC proposes to include expenditures associated with participation in the Department of Energy’s Cybersecurity Risk Sharing Program, and expenditures associated with internal network security monitoring with the utility’s cyber systems. The Commission explains that the pre-qualified list of expenditures would be updated on a regular basis to reflect changes in cybersecurity threats and solutions, and to remove expenditures that become mandatory under applicable law.9
- Case-by-case approach: Rather than prejudging the merits of any expenditure, the Commission would evaluate cybersecurity expenditures on a case-by-case basis to determine whether they meet the requirements for incentive-based treatment.10
B. Available Rate Incentives
In the NOPR, the Commission outlines three types of potential incentives that could be available for recovering eligible expenses: (1) a ROE adder; (2) regulatory asset incentive; and (3) performance-based rates.11 Any utility seeking to implement incentive-based rates would need to obtain prior approval from the Commission under Section 205 of the FPA as well as submit informational filings on an annual basis following implementation of the incentive to provide the Commission and customers with visibility into how the incentive is being implemented in rates.12
1. Return on Equity Adder
This incentive would permit a utility that makes qualifying cybersecurity investments to request an ROE adder of 200 basis points that would be applied to its investment in cybersecurity technologies.13 In effect, this incentive would allow a public utility to earn a ROE on cybersecurity investments that is 2 percent higher than the ROE approved for its existing rates. This incentive would be available for investments in transmission or company-wide expenditures that are recovered through transmission rates (e.g., costs incurred at the corporate level that are allocated to the transmission function). The Commission explains that the combination of the base ROE and adder could not exceed the zone of reasonableness for an individual utility. Acknowledging that the proposed 200-basis point adder exceeds the ROE incentives that currently are available under existing policy for transmission rates, the Commission explains that this is appropriate given the relatively small cost of cybersecurity investments relative to conventional transmission projects and investments.
2. Regulatory Asset Incentive
As an alternative to the 200 basis point adder, utilities also could request approval for a regulatory asset incentive that would allow them to defer recovery of certain cybersecurity costs that typically are expensed as they are incurred and to treat these expenses as a regulatory asset that would be included in transmission rate base.14 Eligible expenses could be deferred up to five years prior to being placed into a regulatory asset, the costs of which would be amortized over a five-year period. The Commission proposes to exempt expenses associated with participation in cybersecurity threat programs from the five-year limit on amortization; these expenses could be incorporated into rates on an ongoing basis as long as the utility continues to incur costs for its participation in an eligible program.
The Commission explains that a range of investments could qualify for treatment as a regulatory asset, including:
- Training costs to implement new cybersecurity practices and systems that are distinct from pre-existing trainings.
- Costs associated with internal system evaluations and assessments by third parties to the extent associated with capital items.
- Costs associated with software subscriptions, service agreements and post-implementation training costs.
- Dues for participation in cybersecurity threat information sharing programs.15
The Commission seeks comments on whether it should limit the availability of the regulatory asset incentive by limiting recovery to 50 percent of incentive-eligible expenses; preclude utilities that already are participating in an eligible cybersecurity threat information sharing program from seeking to recover the incentive; and limiting eligible costs to only directly assigned transmission costs or the company-wide expenses allocated in accordance with standard cost allocation rules (e.g., wage and salary allocators).16
The NOPR also seeks comment on whether the Commission should establish performance-based rate treatments that would tie the availability of incentive rates to a utility’s performance.17 In particular, the Commission explains that it is seeking input on what metrics could be used for establishing performance-based rate incentives and what rate recovery mechanisms could accompany such metrics.18