On December 17, 2020, FERC issued a Notice of Proposed Rulemaking proposing to revise its regulations to establish incentives for public utilities to make certain cybersecurity investments that go beyond the current requirements of the Critical Infrastructure Protection (“CIP”) Reliability Standards established by the North American Electric Reliability Corporation (“NERC”) (“Cybersecurity NOPR”). Specifically, FERC proposed rules to allow regulated entities to:
- receive incentive-based rate treatment for the voluntary implementation of: (i) certain NERC CIP Reliability Standards to facilities that are not currently subject to those requirements (“NERC CIP Incentives Approach”), and/or (ii) certain security controls included in the National Institute of Standards and Technology Framework (“NIST Framework Approach”);
- request a return-on-equity adder of two hundred (200) basis points for making eligible cybersecurity capital investments; and
- defer cost recovery of certain cybersecurity costs that are generally expensed as incurred, and treat such costs as regulatory assets that may be included in transmission rate base.
The Cybersecurity NOPR follows a March 2020 NOPR wherein FERC proposed to revise its electric transmission incentive policy under section 219 of the Federal Power Act (“FPA”) while stating it would separately address cybersecurity incentives (see March 23, 2020 edition of the WER). Shortly thereafter, in June 2020, FERC issued a White Paper seeking comments on a potential new framework for providing transmission incentives to entities for their cybersecurity investments, proposing to augment the current CIP Reliability Standards with an incentive-based framework under FPA section 219 (see June 24, 2020 edition of the WER). The CIP Reliability Standards, developed by NERC pursuant to FPA section 215, require entities to comply with specific requirements to safeguard critical cyber assets.
In the Cybersecurity NOPR, FERC stated its concerns with certain limitations of the CIP Reliability Standards, including the length of time that it takes for a new Reliability Standard to be implemented, and that the CIP Reliability Standards do not apply to all cybersecurity systems, as they generally only apply to Bulk Electric System facilities that are 100 kV or higher. To remedy this, FERC proposed to provide incentives to public utilities that voluntarily make certain cybersecurity investments in addition to those required by the CIP Reliability Standards. FERC also stated that its proposed cybersecurity incentives approach would be better implemented under FPA sections 205 and 206, as opposed to being tied to FERC’s transmission incentives authority under FPA section 219, as the cybersecurity investments would apply to more than just a public utility’s transmission system.
Under the proposed NERC CIP Incentives Approach, utilities may receive incentive rate treatment for voluntarily applying CIP Reliability Standards to facilities that are not currently subject to those requirements. FERC proposed two options for requesting an incentive. First, the “Med/High Incentive” allows a utility to receive incentive rate treatment for voluntarily applying the requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems. Second, the “Hub-Spoke Incentive” would allow a utility to request incentive rate treatment for ensuring that all external routable connectivity to and from a low impact system connects to a high or medium impact system. Utilities requesting incentives under the NERC CIP Incentives Approach will receive a rebuttable presumption that the investments materially enhance the security posture of the Bulk-Power System above levels required by the CIP Reliability Standards.
Under the proposed NIST Framework Approach, utilities may receive incentive rate treatment for implementing the automated and continuous monitoring security controls. This could include, for example, a dynamic management program to improve a utility’s ability to quickly detect and address new or previously unknown equipment on its network. Utilities requesting incentives under the NIST Framework Approach will not be subject to a rebuttable presumption; instead, FERC proposed that utilities show how an investment meets NIST Framework security controls, goes above and beyond the CIP Reliability Standards requirements, and materially enhances the current cybersecurity posture of the bulk power system.
For the ROE incentive, FERC proposed to allow a utility that makes eligible cybersecurity capital investments to request an ROE adder of 200 basis points (“Cybersecurity ROE Incentives”). The total cybersecurity incentives requested would be capped by the zone of reasonableness.
For the Regulatory Asset Incentive, FERC proposed to allow a public utility to defer recovery of certain cybersecurity costs that are generally expensed as incurred and to treat them as regulatory assets to be included in transmission rate base. FERC clarified that mandatory expenses incurred on a regular or ongoing basis, or that are incurred prior to the incentive request, would not be eligible for such regulatory asset treatment. FERC proposed to allow deferred cost recovery for three categories of expenses: (1) expenses associated with third-party provision of hardware, software, and computing networking services; (2) expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and (3) other implementation expenses, such as system assessments by third parties or internal system reviews and initial responses to findings of such assessments.
FERC also proposed that relevant cybersecurity investments not be eligible for both the Cybersecurity ROE Incentives and the Regulatory Asset Incentives, given that regulatory asset treatment is available to costs that are normally treated as expenses, as opposed to capital investments. However, FERC proposed to allow both ROE and Regulatory Asset Incentive treatment for enterprise-wide costs that are not specific to transmission but recovered through transmission rates.
Further, FERC proposed to add a catch-all provision to the new regulations that would give FERC flexibility to grant other cybersecurity incentives on a case-by-case basis. The new regulations would require a public utility to request these incentive-based rate treatments in an FPA section 205 filing.
Finally, in terms of the duration of an approved incentive, FERC proposed that utilities will not be able to receive any incentive past the first to occur of:
- the depreciation life of the underlying asset;
- ten (10) years from when the improvement enters service;
- the time when such voluntary investment becomes mandatory pursuant to a CIP Reliability Standard; and
- when the utility no longer meets the requirement for receiving the incentive.
To ensure utilities receiving incentive rate treatment have properly implemented the incentives, FERC proposed that utilities submit annual informational filings due within 120 days of completion of the cybersecurity upgrades for which the applicant has been granted incentives, and again every year thereafter.
Comments on the NOPR are due 60 days from the date of its publication in the Federal Register.
A copy of the NOPR is available here.