FERC NOPR seeks comment on proposed ratemaking incentives for transmission owner cybersecurity investments and expenses

Background

The Commission has been exploring potential incentives to improve utility cybersecurity since at least 2020.  Following FERC staff’s issuance of a June 2020 white paper on potential frameworks for transmission incentives for certain cybersecurity investments, the Commission issued a NOPR in December of 2020^[1] proposing to allow utilities to request incentives for some cybersecurity investments that exceed the requirements of the CIP Reliability Standards.^[2] 

While the December 2020 NOPR was still pending, Congress passed the Infrastructure Investment and Jobs Act (IIJA), which mandated that the Commission conduct a study to identify potential incentive-based rate treatments (including performance-based) that could support cybersecurity investments and participation in threat information sharing programs, submit a report to Congress, and then issue a rule establishing such rate treatments.^[3]  Following submission of the report to Congress in May of this year, the Commission proposes in the 2022 NOPR a framework for utilities to obtain two potential transmission ratemaking incentives for certain expenditures relating to cybersecurity investments and expenses. 

The Proposed Incentives and Framework

The Incentives

The 2022 NOPR proposes two possible incentives that could be incorporated into transmission rates depending on the type of expenditure at issue.  For expenditures that are typically capitalized, a utility may seek a 200 basis point ROE adder for the portion of the investment that is allocated to transmission.  Subject to certain enumerated termination conditions, the proposed ROE adder has a duration of up to five years. 

For eligible expenditures that would normally be treated as expenses, such as costs associated with third-party provision of hardware, software, or monitoring services, a utility may seek deferred cost recovery and treatment of such costs as a regulatory asset.  Under the proposal, eligible expenses incurred for five years could be added to a regulatory asset that is allowed in rate base and amortized over five subsequent years.  Notably, the 2022 NOPR proposes that expenses associated with participation in cybersecurity threat information sharing programs be treated differently with respect to the incentive duration because the ongoing value such participation provides can be distinguished from discrete cybersecurity investments that may become obsolete over time.  As such, FERC proposes that utilities may continue deferring these expenses and including them in rate base for each annual tranche of expenses as long as the information sharing program remains eligible for incentives and the utility continues incurring costs for participation.

What Expenditures are Eligible for Incentives Under FERC’s Proposal?

The proposal includes two overarching eligibility requirements – the cybersecurity expenditures must both: (a) materially improve the utility’s security posture; and (b) not already be mandated. 

In addition, the Commission proposes that eligible expenses must be one of an enumerated list of pre-qualified investments that could qualify for incentives (PQ List).  There are currently two different types of expenditures on the proposed PQ List: (1) expenditures associated with participation in the Department of Energy’s Cybersecurity Risk Information Sharing Program; and (2) expenditures associated with internal network security monitoring within a utility’s cyber systems.  The Commission contemplates that a variety of investments could come within these two categories. 

How Would a Utility Obtain the Incentives?

Under the proposed regulations, a utility would request one or more of these incentive-based rate treatments in a Federal Power Act (FPA) Section 205 filing that includes detailed information about how the utility plans to implement the requested incentive approach and rate treatment.  The filing utility would also need to provide details regarding the expenditures and how the expenditures qualify as one or more of the PQ List items.  Once it is established that an expenditure is on the PQ List, there is a rebuttable presumption of eligibility for an incentive.  However, intervenors may attempt to rebut the presumption by establishing that the expenditure does not meet one or more of the eligibility requirements (e.g., circumstances are such that the investments do not materially improve the utility’s security posture).  On this point, the Commission proposes to refer to programs of other agencies with expertise, such as NIST, CISA, DOE, and DHS in determining what expenditures will materially improve a utility’s security posture. 

For incentives in rates, the filing must also include proposed conforming revisions to the utility’s formula rate to reflect the incentive rate treatment.

Note also that under the proposed regulations, the filing utility must still establish that the proposed rate, inclusive of the incentives, is just and reasonable.  Likewise, any total ROE must remain within the zone of reasonableness.

The Commission proposes that any utility receiving any of these incentives must make an annual informational filing detailing the specific investments made pursuant to the Commission’s approval and identifying the corresponding FERC accounts in which they are booked.  Once the rules surrounding these incentives are finalized, utilities receiving incentives should expect this to be a potential future FERC audit scope area.

Identified Alternatives and Requests for Feedback

The Commission seeks comments on various aspects of the proposal and certain identified alternatives. 

Regarding alternatives to the proposed PQ List framework, the Commission seeks comment regarding the possibility of instead implementing a case-by-case review process in which the filing utility would have to establish that any proposed cybersecurity expenditure materially improves security posture and is voluntary.  Under this approach, there would be no presumption of eligibility for any expenditure.  In his concurrence to the 2022 NOPR, Commissioner Phillips expresses concern both that the proposed PQ List may be too narrow, and that the case-by-case approach may be too time consuming and inefficient.  He suggests that stakeholders comment on whether the PQ List should be expanded, offering several potential additions.  The 2022 NOPR likewise seeks feedback regarding potential additional items that could be included in the initial PQ List.

Another area where the Commission solicits commentary is the magnitude and duration of the incentives.  The 2022 NOPR observes that the proposed ROE adder is on the high side, but notes that because cybersecurity expenditures are relatively small, a larger incentive may be appropriate in order to stimulate the desired investments.  Nonetheless, the Commission questions whether the duration of the ROE adder should be limited to three years rather than five.  Similarly, it seeks comment regarding whether regulatory asset treatment should be limited to 50% of the eligible cybersecurity expenses, a significant potential reduction from the proposal. 

Although the IIJA directed the Commission to consider them, FERC is not proposing any performance-based incentives.  The Commission seeks feedback regarding potential ways to incorporate principles of performance-based regulation into the proposal, including potential metrics for evaluation of cybersecurity performance, as well as what kind of rate mechanisms could accompany those metrics.

Conclusion

This long awaited NOPR on transmission rate incentives for voluntary cybersecurity investments has implications for transmission owners, entities that pay transmission rates, and the public at large that depends on utilities to provide their critical services uninterrupted by cyber attacks. 

BCLP has significant experience working with clients across the energy industry to assess new proposed regulations and, as appropriate, with submitting input and comments in the FERC stakeholder process.

[1] FERC, Cybersecurity Incentives Policy White Paper, Docket No. AD20-19-000, (June 2020) (Cybersecurity White Paper), https://www.ferc.gov/sites/default/files/2020-06/notice-cybersecurity.pdf.

[2] Cybersecurity Incentives, Notice of Proposed Rulemaking, 173 FERC 61,240 (2020).

[3] Infrastructure and Jobs Act, Pub. L. 117-58, section 40123, 135 Stat. 429, 952 (to be codified at 16 U.S.C. 824s-1(b)).