U.S. FERC Proposes Revisions to Cybersecurity Incentives for Utilities
On September 22, 2022, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) regarding Incentives for Advanced Cybersecurity Investment, requesting comment on proposed revisions to regulations implementing the Federal Power Act (FPA). The revisions would provide incentive-based rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities for certain voluntary cybersecurity investments. The NOPR was issued in response to a Congressional mandate set forth in the Infrastructure Investment and Jobs Act of 2021, which directed FERC to establish cybersecurity incentives that would encourage investments by utilities in advanced cybersecurity technology and participation in cybersecurity threat information sharing programs. This NOPR replaces a prior cybersecurity incentives NOPR from December 2020.
The incentives would be available to utilities that make certain cybersecurity expenditures that enhance their security posture by improving their ability to protect against, detect, respond to, or recover from a cybersecurity threat and to utilities that participate in cybersecurity threat information sharing programs to the benefit of ratepayers and national security.
FERC has clarified that the proposed rulemaking is intended to include both public and non-public utilities that have or will have a rate on file with FERC. Utilities would file a request for the incentive pursuant to FPA section 205.
Under the proposed rule, “investments” in cybersecurity technology means expenditures that can be either capitalized costs or expenses and meet the following requirements: (1) materially improve the utility’s cybersecurity posture through either an investment in advanced cybersecurity technology or participation in a cybersecurity threat information sharing program; and (2) not already be mandated by Critical Infrastructure Protection Reliability Standards, or local, state, or federal law.
FERC intends to publish and maintain a list of pre-qualified expenditures on the FERC website for utilities but is also seeking suggestions for an alternative evaluation approach for qualifying expenditures on a case-by-case basis.
Utilities would be eligible for two types of incentives: (1) a return on equity adder of 200 basis points or (2) deferred cost recovery for certain cybersecurity expenditures that enable the utility to defer expenses and include the unamortized portion in rate base.
As proposed, any approved incentive would remain in effect for five years from the date on which the cybersecurity investment enters service or expenses are incurred (although it could expire earlier if other conditions are met before the end of that five year period), but FERC has also requested comment on the duration and expiration conditions for the incentives.
Further, any utility that has received a cybersecurity incentive will be required to make an informational filing each year on June 1, detailing the specific investments that were made.
Comments on the proposed rule will be due thirty days after publication in the Federal Register.