FERC Issues Final Rule Establishing Incentive Rate Treatment for Eligible Cybersecurity Investments

Troutman Pepper

Introduction

On April 21, pursuant to FPA Section 219A(c), the Federal Energy Regulatory Commission (FERC or Commission) established rules providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments (Final Rule). [1] The Final Rule mostly follows the framework set out in the Commission's Notice of Proposed Rulemaking (NOPR) issued September 22, 2022 (September 2022 NOPR or NOPR), but makes some important changes. According to FERC, the Final Rule aims to benefit consumers and national security by encouraging investments in advanced cybersecurity technology and participation in cybersecurity threat information sharing programs, as directed by Congress in the Infrastructure Investment and Jobs Act of 2021 (Infrastructure and Jobs Act or Act). [2]

As explained in more detail below, the Final Rule adopts some important changes to the NOPR. The Final Rule:

  • Declines to permit market-based rate sellers to separately receive cost-based recovery and incentive-based rate treatment of eligible cybersecurity investments.

  • Declines to adopt a return on equity (ROE) incentive adder.

  • Declines to adopt generic performance-based incentive rate

  • Modifies the NOPR proposal on cybersecurity investment eligibility criteria. In addition to the NOPR proposal, the Commission will:

    • Consider specific recommendations from the Federal Bureau of Investigation (FBI) and the National Security Administration (NSA) as part of its evaluation of whether a cybersecurity investment would materially improve a utility's security posture; and

    • Expand the list of potential eligible cybersecurity threat information sharing programs beyond the Department of Energy's (DOE) Cybersecurity Risk Information Sharing Program (CRISP) and will evaluate any proposed cybersecurity threat information-sharing program for rate incentive treatment under three additional criteria.

  • Adopts an application of the case-by-case approach of satisfying the incentives eligibility criteria to allow utilities to seek incentives for early compliance with new cybersecurity reliability standards.

  • Modifies the NOPR to require utilities to attest that the cybersecurity investments that are the basis for the incentive-based rate treatments are new cybersecurity investments and not duplicative or materially similar to preexisting expenses.

Background

The Commission has been exploring potential cybersecurity incentives since 2020. On June 18, 2020, FERC staff issued a white paper on potential frameworks for transmission incentives for cybersecurity investments, [3] and in December 2020, FERC issued a NOPR proposing to allow utilities to request incentives for investments that exceed the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards requirement (December 2020 NOPR).

On November 15, 2021, while the December 2020 NOPR was pending, the Infrastructure and Jobs Act was signed into law. The Act directed FERC to revise its regulations to establish incentive-based –– including performance-based –– rate treatments designed to encourage utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs. [4] The Act also directed FERC to conduct a study in consultation with the secretary of energy, NERC, the Electricity Subsector Coordinating Council, and the National Association of Regulatory Utility Commissioners to identify potential incentive treatments and to submit a proposed implementation plan to Congress within 180 days (May 2022 Report). [5] The Act required FERC to establish its incentive-based rate treatments within one year of submitting the May 2022 Report.

Consistent with the Act's directive, on September 22, 2022, FERC issued the September 2022 NOPR, which superseded the December 2020 NOPR. [6] On April 21, 2023, after receiving comments and responses from industry participants, FERC issued the Final Rule. While the Final Rule is generally consistent with the September 2022 NOPR, it modifies the initial proposal in light of the comments received from industry participants.

Final Rule

Cybersecurity Investments

a. Utilities Eligible to Request Rate Incentives for Cybersecurity Investments

The Final Rule adopted the NOPR's proposal to allow both public and nonpublic utilities that have or will have a cost-of-service rate on file with the Commission to seek incentive-based rate treatment for their eligible cybersecurity investments. [7] Notably, the Commission excluded public utilities that make sales of energy, capacity, or ancillary services at market-based rates from receiving incentive-based rate treatments unless those sellers seek to recover their entire cost of service exclusively under cost-based rates. [8] In response, Commissioner James Danly argued that the Final Rule is "a tepid response to a clear Congressional mandate" that only provides cybersecurity incentives to select energy sector participants and a few cybersecurity investments. [9]

b. Cybersecurity Investment Definitions

The Final Rule adopted the NOPR's proposed definitions of cybersecurity investments eligible for incentives. The first category includes "advanced cybersecurity technology," which is defined as "any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat." [10] The second category is "advanced cybersecurity technology information," which is defined as "information relating to Advanced Cybersecurity Technology or proposed Advanced Cybersecurity Technology that is generated by or provided to the Commission or another Federal agency." [11]

c. Eligibility Criteria

The Final Rule adopted and modified the NOPR proposal regarding eligibility criteria. The Final Rule maintains the NOPR's proposed two eligibility requirements that a cybersecurity investment must satisfy to be considered for incentive treatment. The first criterion requires a utility to demonstrate that the expenditure would "materially improve" cybersecurity through either an investment in advanced cybersecurity technology or participation in a cybersecurity threat information sharing program. [12] The second criterion requires that the investment be made voluntarily –– that is, the investment cannot already be mandated by NERC Reliability Standards or otherwise mandated by local, state, or federal law or directive. [13]

To evaluate whether a particular investment "materially improves" cybersecurity, the Final Rule modified the NOPR proposal by expanding the group of reference authorities the Commission will consider to five sources. The expanded group includes recommendations from the FBI and the NSA. [14] Additionally, the Commission modified the NOPR to permit consideration of other cybersecurity threat information sharing programs beyond DOE's CRISP for rate-incentive treatment, and established additional eligibility criteria for evaluating such programs. [15] The Commission explained it will evaluate the material impact of a cybersecurity threat information-sharing program by considering whether the program: (1) is sponsored by the federal or state government; (2) provides two-way communications from and to electric industry and government entities; and (3) delivers relevant and actionable cybersecurity information to program participants from the U.S. electricity industry. [16]

The Final Rule also clarified that if a single advanced cybersecurity technology both meets and exceeds compliance with a mandatory reliability standard, then only the incremental investment that goes beyond compliance with the reliability standard is eligible for the incentive. [17]

Finally, the Final Rule clarified the time period during which a utility may seek incentive treatment for a particular investment: A utility may not request incentive treatment if it has already been incurring costs for the investment for more than three months prior to the utility filing its incentive application, unless the investment is for participation in an eligible cybersecurity threat information sharing program. [18]

Cybersecurity Investment Incentive Requests

To identify the types of expenditures eligible for an incentive, the NOPR proposed, and the Final Rule adopted, a dual framework. First, the Commission will use a list of pre-qualified investments (PQ List) that identifies which expenditures merit a rebuttable presumption of eligibility for incentive treatment. [19] Second, as an alternative to the PQ List approach, the Commission adopted a case-by-case approach, which does not provide a rebuttable presumption of eligibility. [20]

a. PQ List Approach

The Final Rule adopted and modified the NOPR's PQ List approach. The Final Rule adopted the NOPR's proposal that a utility investing in a PQ List item would enjoy a rebuttable presumption of eligibility for incentive treatment, although the utility is still required to show that its investment was made voluntarily. [21] The Final Rule modified the NOPR by including the following items on the PQ List: (1) expenditures associated with participation in DOE CRISP, [22] including utilities that currently participate in CRISP; [23] and (2) expenditures associated with internal network security monitoring within the utility's cyber systems. [24]

The Final Rule also adopted the NOPR's approach to modify the PQ List from time to time via rulemaking –– whether sua sponte or in response to a petition –– to allow the Commission to post the PQ List on its website and update it subject to a notice-and-comment period or in a rulemaking after periodic reviews. [25]

b. Case-by-Case Approach

The Final Rule also adopts the NOPR's case-by-case approach to evaluating incentive eligibility as an alternative to the PQ List approach. The case-by-case approach allows a utility to file for incentive treatment for any cybersecurity expenditure and to affirmatively demonstrate that it satisfies the two eligibility criteria (i.e., show the expenditure materially improves cybersecurity and is made voluntarily). [26] Under this approach, there is no presumption of eligibility. To ensure consistency in evaluating applications under this approach:

[T]he Commission will consider evidence showing that the utility would invest in cybersecurity improvements that: (1) are based on a documented and recommended technical cybersecurity mitigation action published in an alert or advisory by a relevant federal agency (e.g., CISA, DOE, FBI, DOD, NSA); and (2) respond to an alert or advisory that meets the objective of a subcategory of the NIST Cybersecurity Framework, or its successor, and references the related NIST 800-53 Security Control, or its successor. [27]

That is, to determine whether an investment "materially improves" cybersecurity, the Commission will consider how the investment aligns with the mitigation actions included in the above agencies' alerts and advisories. [28]

c. Early Compliance With Approved Reliability Standards

The Final Rule further modified the NOPR by establishing an application of the case-by-case approach for investments made to comply with a cybersecurity-related CIP Reliability Standard before it becomes mandatory. [29] The Commission clarified that, generally, cybersecurity investments made before a newly-approved reliability standard becomes effective are "voluntary" for purposes of the Final Rule and thus eligible for incentive treatment, but investments made after the reliability standard becomes effective are ineligible for incentives. [30]

Cybersecurity Investment Rate Incentives

The NOPR proposed two rate incentives for utilities that make qualifying investments, including enterprisewide investments: [31] (1) an ROE adder of 200 basis points that would be applied only to the incentive-eligible portion of a capital investment (ROE Incentive); and (2) a deferral of eligible expenses that would enable the costs of the investment to be included in rate base, such that a return could be earned on the unamortized portion of the investment (Regulatory Asset Incentive). [32]

In the Final Rule, the Commission declined to adopt an ROE Incentive adder, concluding that the Regulatory Asset Incentive satisfies the Commission's statutory obligation to encourage cybersecurity investment without unduly increasing costs on customers –– particularly since expenses constitute a large portion of overall expenditures for many cybersecurity investments. [33]

a. Regulatory Asset Incentive

The Final Rule adopts the NOPR's proposal to include a cybersecurity Regulatory Asset Incentive, finding it appropriate for utilities to defer recovery of certain cybersecurity costs that are generally expensed as they are incurred, and treat them as regulatory assets, while also allowing such regulatory assets to be included in the utility's rate base. [34] The Commission declined to adopt the NOPR's proposal to limit the incentive to 50% of eligible expenses, finding that such a limitation may not adequately incentivize utilities to improve their cybersecurity posture. [35]

The Commission clarified that the Regulatory Asset Incentive is available for a range of expenses, including operation and maintenance expenses, labor costs, implementation costs, network monitoring, and training costs. [36] Ongoing expenses incurred by utility employees or utility payments to third parties may also be eligible; however, the Commission cautioned that software purchases may not be eligible, as they are generally considered "capital investments" (although the Commission notes that software-as-a-service expenses could potentially qualify). [37]

Lastly, the Final Rule limits the eligibility for Regulatory Asset Incentive treatment to new investments that: (1) occur after the effective date of the Commission's approval of incentive-based treatment; and (2) are materially different from cybersecurity investments previously incurred more than three months prior to the incentive request. [38] The Final Rule, however, provides an exception to this three-month rule by allowing a utility to seek incentive treatment for its future cybersecurity investment in a cybersecurity threat information sharing program even if the utility began its participation and made qualifying investments more than three months prior to filing its request. [39]

The Final Rule also adopts the NOPR's proposal to require public utilities to maintain records supporting their accounting entries to the applicable regulatory asset account so that the public utility can justify each regulatory asset recorded in the account. [40] The Final Rule also provides that "only costs directly assigned to a function or the conventionally allocated portion of enterprise-wide expenses (e.g., using the wages and salaries allocator) would be eligible for the Cybersecurity Regulatory Asset Incentive in rates specific to that function." [41]

b. Performance-Based Rates

The September 2022 NOPR proposed to consider performance-based rate treatments and sought comment on whether and how the principles of performance-based regulation could apply to utilities to encourage cybersecurity investment. [42]

In the Final Rule, the Commission declined to adopt a performance-based incentive, noting the difficulty in trying to observe the success of a cybersecurity investment, and concluding that it would be premature to adopt generic performance-based rate measures at this time. [43]

Incentive Implementation

a. Regulatory Asset Incentive Duration and Amortization Period

The Final Rule adopts the NOPR's approach regarding the duration and amortization period of a Regulatory Asset Incentive with one modification: The Final Rule permits a requesting utility to amortize an approved regulatory asset for up to five years, [44] while the NOPR had proposed that a utility amortize the regulatory asset over five years. [45] Consistent with the NOPR, the Final Rule provides that a utility with a Regulatory Asset Incentive may defer eligible expenses for up to five years from the date of Commission approval of the incentive. [46] The Commission clarified that eligible expenses for each of the five years may be included in rate base and amortized for up to five years. [47] The Commission also provided an exception to this sunsetting requirement by excluding investments made in cybersecurity threat information sharing programs.

b. Filing Process

As proposed in the NOPR, the Final Rule provides that utilities may apply for incentive treatment by submitting an FPA Section 205 filing or by submitting a petition for a declaratory order followed by an FPA Section 205 filing. [48] The Commission clarified that applications made pursuant to the case-by-case approach must provide a detailed description of how the investment satisfies the eligibility criteria. [49] In addition to describing the investment, the Commission stated that filings under the case-by-case approach should: (1) describe the utility's prevailing cybersecurity posture, including existing equipment, processes, and ongoing expenses; and (2) describe how the cybersecurity investment for which an incentive is sought would elevate the utility's cybersecurity posture. [50]

The Final Rule also adopts the NOPR's proposal that utilities with transmission formula rates include conforming revisions to their formula rates to reflect the requested incentive treatment. [51] For utilities with stated rates, the Final Rule provides that utilities may seek incentive treatment as part of a larger rate case or in a single-issue filing. [52] The Final Rule also modified the NOPR by requiring that each incentive application include an attestation that the subject cybersecurity investments are not mandatory and that the utility has not already been incurring materially similar cybersecurity expenses for more than three months. [53] Lastly, FERC clarified that utilities may request CEII treatment on portions of their filings that contain CEII. [54]

c. Reporting Requirements

In the NOPR, FERC proposed to require utilities awarded incentive treatment to submit annual informational reports to the Commission by June 1. [55] FERC proposed that the annual filing detail the specific investments that were made pursuant to Commission approval and the corresponding FERC account to which expenditures are booked. [56] For recipients of the Regulatory Asset Incentive, the NOPR proposed the annual filing describe the expenses in sufficient detail to demonstrate that they are specifically related to the eligible cybersecurity investment underlying the incentive. [57] Finally, FERC proposed that these annual filings may be subject to periodic Commission verification via requests for further informational filings, audits, or other similar means. [58]

The Final Rule adopts the NOPR's proposal, and further requires utilities to submit informational reports to the Commission for the duration of the cybersecurity incentive. [59] The Final Rule also noted that the annual filing should specify whether the utility experiences any material changes in ongoing expenses. [60]

Conclusion

The Final Rule will become effective July 3, 2023.

A copy of the Final Rule, issued in Docket No. RM22-19-000, is available here.


[1] Incentives for Advanced Cybersecurity Investment, Order No. 893, 183 FERC ¶ 61,033 (2023) (Final Rule).

[2] Id. at P 1.

[3] Cybersecurity Incentives Policy White Paper; Docket No. AD20-19-000.

[4] Infrastructure Investment and Jobs Act of 2021, Pub. L. 117-58, 135 Stat. 429 (to be codified at 16 U.S.C. § 824s-1) (Act).

[5] FERC, Incentives for Advanced Cybersecurity Technology Investment (May 2022) (May 2022 Report).

[6] Incentives for Advanced Cybersecurity Investment; Cybersecurity Incentives, 180 FERC ¶ 61,189 (2022) (September 2022 NOPR or NOPR).

[7] Id. at PP 20, 23, 26.

[8] Id. at P 26.

[9] Id. (Danly, Comm'r, dissenting at P 1).

[10] Id. at P 27 (as defined at section 102 of the Cybersecurity Act of 2015 (6 U.S.C. § 1501)).

[11] Id. Advanced cybersecurity technology information is considered critical electric infrastructure information (CEII).

[12] Id. at P 38.

[13] Id. Additionally, the Final Rule will now require that a rate-incentives applicant must include an attestation in its filing that the specific cybersecurity investment for which the utility is seeking an incentive is voluntary. Id. at PP 46, 185.

[14] Id. at P 40. Those sources include: (1) security controls enumerated in the NIST SP 800-53 "Security and Privacy Controls for Information Systems and Organizations" catalog; (2) security controls satisfying an objective found in the NIST cybersecurity framework technical subcategory; (3) a specific cybersecurity recommendation from a relevant federal authority, such as DHS's CISA, the FBI, NSA, or DOE; (4) participation in a relevant cybersecurity threat information sharing program; and/or (5) achieving and sustaining one or more of the C2M2 domains at the highest maturity indicator level. Id.

[15] Id. at P 42.

[16] Id.

[17] Id. at P 47.

[18] Id. at P 53.

[19] Id. at P 54.

[20] Id. at PP 54, 66.

[21] Id. at P 64.

[22] Id. at P 84; see DOE, Energy Sector Cybersecurity Preparedness, https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness.

[23] Final Rule at P 86.

[24] Id. at P 84. These internal network security monitoring expenditures would include information technology cyber systems and/or operational technology cyber systems, which could be associated with cyber systems that may or may not be subject to the CIP Reliability Standards.

[25] Id. at PP 57, 67, 69, 91, 99.

[26] Id. at P 107.

[27] Id. at P 109 (citations omitted).

[28] Id.

[29] Id. at P 117.

[30] Id.

[31] Per the Final Rule, "enterprisewide investments" refers to investments "not specific to transmission of the sale for resale of electric energy in interstate commerce, but a portion of which are recovered through rates on file with the Commission." Id. at P 123.

[32] Id. at P 120.

[33] Id. at P 134.

[34] Id. at P 145.

[35] Id. at P 146.

[36] Id. at P 147.

[37] Id.

[38] Id. at P 148. The Final Rule also clarified that "[a] utility's cybersecurity expenses that began more than three months before the date that the Commission order or final rule approving a new or modified Reliability Standard becomes effective will not be considered new and will be considered materially similar and duplicative" and thus ineligible for incentive treatment. Id. at P 149.

[39] Id.

[40] Id. at P 153.

[41] Id. at P 154.

[42] Id. at P 155.

[43] Id. at P 160.

[44] Id. at P 172.

[45] Id. at P 165.

[46] Id. at P 172.

[47] Id.

[48] Id. at P 183.

[49] Id. at P 185.

[50] Id.

[51] Id. at P 175.

[52] Id.

[53] Id. at P 185.

[54] Id. at P 191.

[55] Id. at P 193.

[56] Id.

[57] Id.

[58] Id. at P 194.

[59] Id. at P 199.

[60] Id. at P 200.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
