FERC puts forward incentives for voluntary cybersecurity investments, participates in threat information sharing programs

The Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) to establish rules providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments. The Commission also analyzes the participation by utilities in cybersecurity threat information sharing programs, as directed by the Infrastructure Investment and Jobs Act (IIJA) of 2021.

The NOPR said that cybersecurity expenditures eligible for an incentive would include both expenses and capital investments associated with advanced cybersecurity technology and participation in a cybersecurity threat information sharing program. It also added that eligible cybersecurity expenditures would be voluntary and have to materially improve the utility’s cybersecurity posture. FERC proposes to establish a pre-qualified (PQ) list of cybersecurity expenditures that are eligible for incentives that would be publicly maintained on the FERC.gov website.

Furthermore, the incentives would take two forms – a return on equity adder of 200 basis points, or deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base. It also adds that approved incentives, with certain exceptions, would remain in effect for up to five years from the date on which the investments enter service or expenses are incurred.

In light of the Congressional mandate in the IIJA directing the Commission to establish cybersecurity incentives, last week’s FERC NOPR supersedes the December 2020 cybersecurity incentives NOPR, and thereby terminates it. 

The IIJA directs the Commission to revise its regulations to establish, by rule, incentive-based, including performance-based, rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by public utilities, by encouraging investments by public utilities in advanced cybersecurity technology and participation by public utilities in cybersecurity threat information sharing programs. 

The IIJA directed FERC to conduct a study, in consultation with certain entities, in order to identify incentive-based rate treatments, including performance-based rates, for the jurisdictional transmission and sale of electric energy that could support investments in advanced cybersecurity technology and participation by public utilities in cybersecurity threat information sharing programs. The act also required the Commission to submit a report to Congress.

In May this year, the FERC submitted a report to Congress, which, among other things, outlined prior Commission efforts to address incentives for cybersecurity initiatives. The report provided information regarding potential incentive-based rate treatments and the Commission’s general ratemaking authority, including the prior adoption of rate incentives and performance-based ratemaking in other contexts.

Additionally, the report discussed challenges associated with adopting an incentive-based rate structure to enhance the security posture of the Bulk-Power System (BPS). It also noted that, while advanced technologies that address cybersecurity threats may be innovative and/or above and beyond industry standards at one time, they may subsequently become conventional, mandatory, or even antiquated and therefore may be less deserving of an incentive over time. 

The IIJA also directed FERC to participate in cybersecurity threat information sharing programs. Engagement with the entities as directed in the IIJA informed the Commission of the existing barriers faced by utilities seeking to participate in these information sharing programs, which include the high costs associated with implementing monitoring technology and maintenance of sensor technology, the amount of time and effort required to share information, incurring fees to participate in information sharing programs, and concerns regarding the confidentiality of the information once shared. 

The Commission proposes under section 219A of the Federal Power Act (FPA) to establish rules for incentive-based rate treatments for certain voluntary cybersecurity investments by utilities, according to documents released by the FERC. “These rules would make incentives available to utilities that make certain cybersecurity expenditures that enhance their security posture by improving their ability to protect against, detect, respond to, or recover from a cybersecurity threat and to utilities that participate in cybersecurity threat information sharing programs to the benefit of ratepayers and national security,” it adds.

The agency said that under the framework, it proposes that eligible cybersecurity expenditures must materially improve cybersecurity through either an investment in advanced cybersecurity technology or participation in a cybersecurity threat information sharing program. It also added that the eligible cybersecurity expenditures must not already be mandated by Critical Infrastructure Protection (CIP) Reliability Standards, or local, state, or federal law. A utility would seek an incentive in a filing pursuant to FPA section 205 and the incentive would be effective no earlier than the date of the Commission order approving the incentive request, it adds. 

FERC also proposes to evaluate cybersecurity investments using a list of pre-qualified expenditures that are eligible for incentives determined by the Commission and publicly maintained on the Commission’s website (PQ List). “With the Commission having evaluated expenditures to include on the PQ List in advance, we believe that the PQ List approach would provide an efficient and transparent mechanism for determining appropriate cybersecurity expenditures that are eligible for incentives,” it adds. 

“We propose that any cybersecurity expenditure that is on the PQ List would be entitled to a rebuttable presumption of eligibility for an incentive,” the FERC said. “We also discuss and seek comment on a potential alternative approach, whereby a utility’s cybersecurity expenditure would be evaluated on a case-by-case basis to determine if it is eligible for an incentive,” it adds. 

The FERC also proposed two options for the type of incentive a utility could receive for an eligible cybersecurity expenditure. These include a return on equity (ROE) adder of 200 basis points, or deferred cost recovery for certain cybersecurity expenditures that enables the utility to defer expenses and include the unamortized portion in rate base. 

The agency also put forward that any approved incentive(s) will remain in effect for five years from the date on which the cybersecurity investment(s) enters service or expenses are incurred, or expire earlier if other conditions discussed in this NOPR are met before the end of that five-year period. “We seek comment on the proposed duration and expiration conditions for incentives granted under this proposal,” it adds.

FERC finally proposes that a utility that has received a cybersecurity incentive under this section must make an annual informational filing on Jun. 1. The annual filing should detail the specific investments that were made pursuant to the Commission’s approval and the corresponding FERC account used.

The FERC invites interested persons to submit comments on the matters and issues proposed in this NOPR to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due 30 days after the date of publication in the Federal Register, and reply comments are due 45 days after the date of publication in the Federal Register. 

The Commission encourages comments to be filed electronically using the eFiling link on its website. The agency accepts most standard word processing formats. Documents created electronically using word processing software must be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing. Further, those commenters that are not able to file comments electronically may file an original of their comments by USPS mail or by courier or other delivery services.
