The Federal Energy Regulatory Commission on Dec. 17 issued a notice of proposed rulemaking (NOPR) proposing incentive rate treatment for certain voluntary cybersecurity investments that go above and beyond the requirements of the North American Electric Reliability Corporation’s (NERC) mandatory Critical Infrastructure Protection (CIP) reliability standards.
The NOPR (Docket No. RM21-3-000) was issued by the Commission at its monthly open meeting. It was the first FERC open meeting for Commissioner Allison Clements, who was sworn in on December 8, 2020. Clements did not vote on any of the agenda items.
FERC white paper
In June, FERC staff sought comments on a white paper that proposed “a new framework for providing transmission incentives to utilities for cybersecurity investments.” FERC staff cited “the evolving and increasing threats to the cybersecurity of the electric grid” as the impetus for the Cybersecurity Incentives Policy white paper (Docket No. AD20-19-000).
In response to the white paper, the American Public Power Association in August said that an incentive program for cybersecurity investments is not needed to encourage investment in cybersecurity measures and could lead to investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return.
Details of NOPR
Reflecting many of the features included in the FERC Staff white paper, the new NOPR would allow FERC-jurisdictional utilities to seek Commission approval, pursuant to section 205 of the Federal Power Act, of two types of incentives for cybersecurity investments: a rate of return adder of 200 basis points or deferred cost recovery for certain cybersecurity-related expenses.
Qualifying expenditures would be eligible for either, but not both, incentives. The total cybersecurity incentives requested would be capped at the top of the return on equity “zone of reasonableness” used by FERC to establish allowed equity returns for public utilities.
The incentives would be available for certain investments that voluntarily apply specific CIP reliability standards to facilities that are not subject to those requirements and/or implement standards and guidelines from the National Institute of Standards and Technology’s (NIST) voluntary framework for improving critical infrastructure cybersecurity.
Deferred cost recovery would be allowed for three categories of expenses: (1) expenses associated with third-party provision of hardware, software and computing networking services; (2) expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and (3) other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments.
Prior or continuing costs would not be eligible for incentives. Deferred regulatory assets whose costs are typically expensed would be amortized over a five-year period.
Utilities seeking to implement the proposed incentives must obtain prior Commission approval, and the proposed rule would impose initial and annual reporting requirements.
Comments on the NOPR are due 60 days after publication in the Federal Register, with reply comments due 30 days later.