Introduction

On September 22, the Federal Energy Regulatory Commission (FERC or Commission) issued a Notice of Proposed Rulemaking to establish rules providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments (Cybersecurity NOPR or NOPR). [1] According to FERC, the Cybersecurity NOPR seeks to benefit consumers and national security by encouraging investments in advanced cybersecurity technology and participation by utilities in cybersecurity threat information sharing programs, as directed by Congress in the Infrastructure Investment and Jobs Act of 2021 (Infrastructure and Jobs Act or Act). [2] While the Cybersecurity NOPR supersedes FERC's December 2020 cybersecurity NOPR (whose docket is being terminated), the instant Cybersecurity NOPR generally retains the incentive provisions outlined in the December 2020 NOPR. Under the Cybersecurity NOPR, FERC proposes that:

• Cybersecurity expenditures, including both expenses and capital investments associated with advanced cybersecurity technology and participation in a cybersecurity threat information sharing program, would be eligible for an incentive.

• Eligible cybersecurity expenditures would be voluntary and have to materially improve the utility's cybersecurity posture. FERC proposes to establish a pre-qualified list (PQ List) of cybersecurity expenditures that are eligible for incentives.

• The incentives would take two forms:

  • A return on equity (ROE) adder of 200 basis points (ROE Incentive), or

  • Deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base (Regulatory Asset Incentive).

• Approved incentives, with certain exceptions, would remain in effect for up to five years from the date on which the investments enter service or expenses are incurred.

Background

On November 15, 2021, the Infrastructure and Jobs Act was signed into law in which Congress, among other things, directed FERC to revise its regulations to establish incentive-based –– including performance-based –– rate treatments by encouraging utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs. [3] The Act directed FERC to conduct a study in consultation with the Secretary of Energy, the North American Electric Reliability Corporation (NERC), the Electricity Subsector Coordinating Council, and the National Association of Regulatory Utility Commissioners to identify potential incentive treatments and to submit a proposed implementation plan to Congress within 180 days (May 2022 Report). [4] The Act requires FERC to establish its incentive-based rate treatments within one year of submitting the May 2022 Report, meaning FERC must issue a final rule by May 2023.

The Cybersecurity NOPR supersedes a December 2020 NOPR that represented the Commission's first attempt to create an incentive framework for public utilities to make additional investments in cybersecurity that exceed the requirements of the mandatory and enforceable NERC Critical Infrastructure Protection (CIP) Reliability Standards. [5] The December 2020 NOPR proposed two incentive approaches: (1) the NERC CIP Incentives approach; and (2) the National Institute of Standards and Technology (NIST) Framework approach. [6] Under the NERC CIP Incentives approach, utilities would have been eligible to receive incentive-based rate treatment for voluntarily applying certain CIP Reliability Standards to their facilities. [7] Similarly, under the NIST Framework approach, utilities would have been eligible to receive incentive treatment for implementing certain security controls included in the NIST Framework that exceed the CIP Reliability Standards. [8] While the Cybersecurity NOPR generally retains the rate incentive provisions outlined in the December 2020 NOPR, i.e., the ROE and Regulatory Asset Incentives (discussed below), it jettisons the specific NERC CIP and NIST-based eligibility evaluations and replaces them with new standards to qualify for a cybersecurity incentive.

The Cybersecurity NOPR

Proposed Approaches to Request an Incentive

a) Eligibility Criteria

FERC proposes new approaches to request a cybersecurity incentive under the NOPR. First, FERC proposes certain threshold eligibility criteria to determine whether a cybersecurity expenditure qualifies for an incentive: A utility seeking an incentive must demonstrate that the expenditure would materially improve cybersecurity through either an investment in advanced cybersecurity technology [9] or participation in a cybersecurity threat information sharing program, and is not already mandated by CIP Reliability Standards, or otherwise mandated by local, state, or federal law. [10] The NOPR does not define what it means to "materially improve" cybersecurity, but FERC proposes to consider various sources in determining which cybersecurity expenditures will materially improve a utility's security posture. [11] With respect to the first criterion, FERC seeks comment on whether and how the Commission should evaluate the benefits of the cybersecurity expenditure relative to the costs of the expenditure and incentive to ensure the proposed rates are just and reasonable. [12] FERC also seeks comment on whether these are the appropriate two eligibility criteria and whether there are additional criteria or limitations that it should consider. [13]

To identify the types of cybersecurity expenditures that the Commission will find eligible for an incentive, FERC proposes to use a list of pre-qualified investments, the so-called "PQ List," or an alternative case-by-case evaluation approach. [14] Under either approach, FERC proposes that a utility make a filing pursuant to FPA Section 205 for incentive-based rate treatment, even if a utility preliminarily files a petition for declaratory order seeking a ruling on its eligibility for an incentive. [15]

b) PQ List Approach

Under the PQ List approach to determining incentive eligibility, a utility would be required to demonstrate that its cybersecurity expenditure qualifies as one or more of the PQ List items in which case the expenditure would be entitled to a rebuttable presumption of eligibility for an incentive. [16] FERC proposes to include two eligible expenditures on the PQ List initially: (1) expenditures associated with participation in the DOE CRISP, a threat awareness and information sharing program; [17] and (2) expenditures associated with internal network security monitoring within the utility's cyber systems. [18] FERC seeks comment on these and any additional cybersecurity expenditures to consider for inclusion on the initial PQ List. [19] FERC stressed that if a cybersecurity expenditure on the PQ List becomes mandatory, it would no longer be eligible for an incentive as of the effective date of the mandate. [20] FERC also noted that it would update the PQ List by adding, removing, or modifying cybersecurity expenditures, as needed via a rulemaking, whether sua sponte or in response to a petition. [21]

c) Case-by-Case Approach

Recognizing that the PQ List approach may limit expenditures eligible for incentives, FERC proposes an alternative case-by-case approach in which it would allow a utility to file for incentive-based rate treatment for any cybersecurity expenditure that satisfies the eligibility criteria. [22] Under the case-by-case approach, there would be no presumption of eligibility for any given expenditure; utilities would bear the burden of demonstrating that the expenditure is voluntary and materially improves cybersecurity through either an investment in advanced cybersecurity technology or participation in a cybersecurity threat information sharing program. [23]

Proposed Rate Incentives

FERC proposes two rate incentives for utilities that make eligible cybersecurity investments: an ROE adder of 200 basis points that would be applied only to the incentive-eligible investments (ROE Incentive); and a deferral of eligible cybersecurity expenses, enabling them to be part of rate base such that a return can be earned on the unamortized portion (Regulatory Asset Incentive). [24] FERC proposed that the same expenditure should not be eligible for both the ROE Incentive and the Regulatory Asset Incentive. [25]

a) ROE Incentive

FERC proposes to allow a utility that makes eligible cybersecurity investments to request an ROE adder of 200 basis points that would be applied only to the incentive-eligible investments. [26] FERC proposes that any incentive granted would be subject to the total base and incentive return capped at the top of the utility's zone of reasonableness. [27] FERC explained that enterprise-wide investments –– not just transmission-specific cybersecurity expenditures –– would be eligible for the 200 basis-point ROE adder even if only a portion of those investments are allocated to the transmission function. [28]

b) Regulatory Asset Incentive

FERC proposes to allow a utility to defer recovery of eligible cybersecurity expenditures that are generally expensed and treat them as regulatory assets, while also allowing such regulatory assets to be included in transmission rate base. [29] Consistent with its rules associated with the Uniform System of Accounts, FERC proposes to require utilities to maintain sufficient records to support the distinction of any expenditures that are afforded incentive-based rate treatment as a regulatory asset. [30] FERC seeks comment on whether it would be preferable to permit only 50% of incentive-eligible expenses to be treated as regulatory assets. [31] Critically, FERC also seeks comment on whether it should allow utilities that are already participating in an eligible cybersecurity threat information sharing program (such as CRISP) to seek to recover this incentive. [32]

c) Performance-Based Rates

Additionally, FERC proposes to consider performance-based rate treatments and seeks comment on whether and how the principles of performance-based regulation could apply to utilities with respect to cybersecurity investments. [33] Specifically, FERC seeks comment on widely accepted metrics for cybersecurity performance and whether they could be benchmarks for performance-based rates, or whether new appropriate metrics could be developed. [34] FERC also seeks comment on what rate mechanisms could accompany such performance metrics, minding that any proposed mechanisms must rely on cybersecurity performance benchmarks and not expenditures or practices and that proposed mechanisms consider ratepayer impacts. [35]

Proposed Incentive Implementation

a) ROE Incentive

FERC proposes various ways to determine what the duration of an ROE Incentive should be. FERC proposes to allow an ROE Incentive granted to a utility to remain in effect until the conclusion of the depreciable life of the underlying asset, five years, or when eligibility for the incentive terminates, whichever occurs earliest. [36] For assets with a depreciable life exceeding five years, FERC proposes to terminate the ROE Incentive after the first five years of the asset's service life because, according to FERC, the majority of information technology-related investments have expected useful lives of no longer than five years. [37] FERC, however, seeks comment on whether the proposed duration should be shortened to three years. [38]

b) Regulatory Asset Incentive

The Cybersecurity NOPR also proposes that a utility granted a Regulatory Asset Incentive must amortize the regulatory asset over five years. [39] FERC also proposes that a utility granted the Regulatory Asset Incentive may defer eligible expenses for up to five years from the date of Commission approval of the incentive. [40] That is, eligible expenses could be added to the regulatory asset that is allowed in rate base and amortized over five subsequent years. [41] FERC, however, proposes an exception for cybersecurity threat information sharing programs. [42] Specifically, because the costs of participating in such threat information sharing programs are distinct from discrete cybersecurity investments, FERC proposes to allow utilities to continue deferring these expenses and including them in rate base for as long as the utility continues incurring costs for its participation in the program, and the program remains eligible for incentives. [43]

c) Filing Process

The Cybersecurity NOPR also describes the procedures to obtain incentive rate treatment. Utilities will be required to make an FPA Section 205 [44] filing to request incentive rate treatment, explaining in detail how it plans to implement the proposed incentive rate treatment, the cybersecurity expenditures for which it seeks incentives, and how its expenditures meet the incentive eligibility criteria. [45] Utilities with transmission formula rates would need to propose conforming revisions to their formula rates, as appropriate, to reflect incentive rate treatment granted. [46] For utilities with stated rates, FERC proposed that they may seek incentives as part of a larger rate case or make a request for single issue ratemaking that the Commission will evaluate on a case-by-case basis. [47] FERC also provided that a utility requesting the ROE Incentive must provide the anticipated cost of the capital investment and identify the tariff or rate schedule under which it will recover the increased ROE. [48] Similarly, a utility requesting the Regulatory Asset Incentive must provide a description of the covered expenses, including whether they are associated with the third-party provision of hardware, software, and computing network services or incurred for training to implement network analysis and monitoring programs, as well as an estimate of the expenses and when it is expected to be incurred. [49]

d) Reporting Requirement

Once awarded incentive rate treatment, FERC proposes to require utilities to submit annual informational reports to the Commission by June 1. [50] FERC proposes that the annual filing should detail the specific investments made pursuant to the Commission's approval and the corresponding FERC account for which expenditures are booked. [51] For recipients of the ROE Incentive, FERC proposes that each annual informational filing describe the parts of its network that it upgraded in addition to the nature and cost of the various investments. [52] For recipients of the Regulatory Asset Incentive, FERC proposes the annual informational filings describe the expenses in sufficient detail to demonstrate that they are specifically related to the eligible cybersecurity investment underlying the incentives. [53] Finally, FERC proposes that these annual informational filings will be subject to periodic Commission verification via requests for further informational filings, audits, or other similar means. [54]

Comments on the Cybersecurity NOPR are due 30 days after publication in the Federal Register. Reply comments are due 45 days after publication in the Federal Register.

A copy of the Cybersecurity NOPR is available here.

[1] Incentives for Advanced Cybersecurity Investment; Cybersecurity Incentives, 180 FERC ¶ 61,189 (2022) (NOPR).

[2] Id. P 1.

[3] Infrastructure Investment and Jobs Act, Pub. L. 117-58, 135 Stat. 429 (to be codified at 16 U.S.C. § 824s-1).

[4] FERC, Incentives for Advanced Cybersecurity Technology Investment (May 2022) (May 2022 Report).

[5] Cybersecurity Incentives, Notice of Proposed Rulemaking, 86 FR 8309 (Feb. 5, 2021), 173 FERC ¶ 61,240 (2020).

[6] NOPR at P 11.

[7] Id.

[8] Id.

[9] FPA Section 219A(a)(1) defines the term advanced cybersecurity technology to mean any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat. Id. at n.7 (citing Infrastructure and Jobs Act, Pub. L. 117-58, Section 40123, 135 Stat. 429, 951).

[10] Id. at P 20.

[11] FERC specified that it will consider the following sources: (1) security controls enumerated in the NIST SP 800-53 "Security and Privacy Controls for Information Systems and Organizations" catalog; (2) security controls satisfying an objective found in the NIST Cybersecurity Framework; (3) a specific recommendation from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency or from the Department of Energy (DOE); (4) a specific recommendation from the CISA Shields Up Campaign;[11] (5) participation in the DOE Cybersecurity Risk information Sharing Program (CRISP) or similar information sharing program; and/or (6) the Cybersecurity Capability Maturity Model Domains at the highest Maturity Indicator Level. Id. at P 21.

[12] Id. at P 20.

[13] Id.

[14] Id. at P 23.

[15] Id.

[16] Id. at P 26.

[17] See DOE, Energy Sector Cybersecurity Preparedness, https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness.

[18] These internal network security monitoring expenditures would include information technology cyber systems and/or operational technology cyber systems and that could be associated with cyber systems that may or may not be subject to the CIP Reliability Standards. NOPR at P 28.

[19] Id. at P 30.

[20] Id. at P 31.

[21] Id.

[22] Id. at P 32.

[23] Id.

[24] Id. at P 33.

[25] Id. at P 38.

[26] Id. at P 36.

[27] Id.

[28] Id. at P 37.

[29] Id. at PP 39-40. FERC identified such expenses as including those that are associated with third-party provision of hardware, software, and computing and networking services, as well as subscriptions, service agreements, post-implementation training costs, and ongoing dues for participation by utilities in cybersecurity threat information sharing programs.

[30] Id. at P 42.

[31] Id. at P 39.

[32] Id. at P 41.

[33] Id. at P 45.

[34] Id.

[35] Id.

[36] Id. at P 46.

[37] Id.

[38] Id.

[39] Id. at P 47.

[40] Id. at P 48.

[41] Id.

[42] Id. at P 49.

[43] Id.

[44] 16 U.S.C. § 824d (2018).

[45] NOPR at P 50.

[46] Id. at P 51.

[47] Id. at P 51, n.47.

[48] Id. at P 53.

[49] Id.

[50] Id. at PP 54-55.

[51] Id. at P 55.

[52] Id.

[53] Id.

[54] Id. at P 56.