Cyberattacks continue to threaten the reliability of the electric grid. In response to a congressional directive to address this threat, the Federal Energy Regulatory Commission (FERC) issued a Final Rule (Order No. 893), establishing incentive-based rate treatments for utilities' investment in advanced cybersecurity technologies and participation in cybersecurity threat information sharing programs. FERC issued Order No. 893 pursuant to its authority under the Infrastructure Investment and Jobs Act of 2021 (IIJA). Order No. 893, approved by a 3-1 vote and issued on April 21, 2023 — one month ahead of the May 20, 2023, deadline established in the IIJA — follows a Notice of Proposed Rulemaking (NOPR) issued by the agency last fall, which was discussed in a prior DWT blog post.
With one major exception noted below, Order No. 893 largely tracks the proposals in the NOPR. The order offers a Regulatory Asset Incentive—an incentive for qualifying cybersecurity investments. This incentive will allow utilities to seek deferred cost recovery for eligible cybersecurity investments, allowing utilities to include the unamortized portion in its rate base. Eligible expenses under this incentive include operation and maintenance expenses, labor costs, implementation costs, network monitoring, training costs, and software-as-a-service expenses.
Order No. 893's most significant deviation from the NOPR is its exclusion of the NOPR's 200-basis point return on equity (ROE) incentive (referred to by FERC as an "adder"). The NOPR would have granted an additional 200 basis points to the allowed ROE for utilities that make certain cybersecurity investments above and beyond the mandatory cybersecurity rules under the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) reliability standards and other requirements. FERC decided not to include that proposal in the Final Rule.
FERC, in abandoning the 200-basis point ROE adder incentive option, explained that the Regulatory Asset Incentive alone satisfies the IIJA's intent to induce utilities to invest in cybersecurity without unduly increasing costs to consumers. In addition, after soliciting comments about whether and how to introduce performance-based rates, FERC determined that adopting performance-based rates for cybersecurity investments in this proceeding would be "premature."
Both public and non-public utilities that have or will have a cost-of-service rate on file with FERC can seek incentive-based rate treatment for their eligible cybersecurity investments. To be eligible for an incentive under the Final Rule, an expenditure must both (i) "materially improve" cybersecurity either through an investment in Advanced Cybersecurity Technology or participation in cybersecurity threat information sharing programs; and (ii) be voluntary, i.e., not mandated by CIP reliability standards or local, state, or federal law. FERC will consider several federal government cybersecurity resources in determining whether an expenditure will "materially improve" cybersecurity, including NIST 800-53, the NIST Cybersecurity Framework and guidance from the Cybersecurity and Infrastructure Security Agency, the Department of Energy, the Federal Bureau of Investigation, and the National Security Agency.
Order No. 893 establishes two methods for evaluating a utility's eligibility for rate incentives: (i) a list of prequalified (PQ) expenditures that would be entitled to a rebuttable presumption of eligibility for incentives; and (ii) a case-by-case eligibility determination process. The initial PQ List includes two types of investments: expenditures associated with participation in Cybersecurity Risk Information Sharing Program (CRISP); and cybersecurity investments associated with internal network security monitoring within the utility's cyber systems. The PQ List will be posted on FERC's website and updated subject to a notice and comment period or in a rulemaking.
Under the case-by-case approach, utilities may file for incentive-based rate treatment for any cybersecurity expenditure that satisfies the eligibility criteria, i.e., the expenditures must be voluntary and materially improve cybersecurity. There is, however, no presumption of eligibility for any expenditure under this approach. The case-by-case approach does offer utilities greater flexibility than the PQ List approach alone, and will help keep FERC informed about expenditures that could be added to the PQ List in future proceedings. Under an alternative application of the case-by-case approach, FERC will allow utilities to seek incentives for early compliance by undertaking cybersecurity investments to comply with reliability standards already approved by FERC, prior to the date such investments are required.
Duration of Incentives and Reporting Requirements
Consistent with FERC's approach to other incentive-based rate treatments, a utility seeking an incentive for eligible cybersecurity investments must make a filing pursuant to FPA Section 205 or seek a ruling on eligibility by filing a petition for declaratory order followed by an FPA section 205 filing. Utilities awarded the incentive will be required to submit informational reports to FERC by June 1 annually for the duration of the incentive detailing the specific investments made, starting in 2024. A utility may defer its costs under the Regulatory Asset Incentive for no longer than five years after FERC approval of that incentive. For utilities with qualified cybersecurity threat information sharing programs, there is no duration limitation for those expenses.
Despite his endorsement of the NOPR as a means of "gap filling" to address rapidly evolving threats until mandatory standards can be established, Commissioner Danly issued the lone dissent on the Final Rule. Commissioner Danly argued that the Final Rule is not in line with congressional directives because it only provides cybersecurity incentives to select energy sector participants, i.e., only those with cost-based rates, and only covers a select few cybersecurity investments. Specifically, Commissioner Danly voiced concerns over the inclusion of a materiality requirement and the elimination of the 200-basis point ROE adder. Citing to Chairman Phillips' concurrence in the NOPR that stated a 5-year, 200-basis point adder is adequate to properly incent utilities to invest in cybersecurity, Commissioner Danly contends that the Regulatory Asset Incentive alone will be insufficient to incent any action by utilities.
Order No. 893 takes effect 60 days after publication in the Federal Register. DWT's energy team regularly advises clients on FERC incentives proceedings, while DWT's information security team regularly advises clients on compliance with cybersecurity requirements and response to security incidents and data breaches. Utilities interested in taking advantage of the incentives provided in Order No. 893 are encouraged to contact DWT for expert guidance.