For the fourth straight meeting of the Federal Energy Regulatory Commission (FERC) and the fourth since Willie L. Phillips was appointed its acting Chair, an order aimed at improving the reliability of the nation’s electric grid was placed atop FERC’s agenda. At the most recent FERC open meeting on April 20, 2023, FERC issued Order No. 893—Incentives for Advanced Cybersecurity Investment—which permits certain public and non-public utilities to seek incentive-based rate treatment for their eligible cybersecurity investments.1As discussed further below, as a result of Order No. 893, transmission owning utilities will now have the ability to make a filing to seek to recover the costs of their voluntary investments in cybersecurity capabilities.
Although Order No. 893 was issued in response to the Infrastructure Investment and Jobs Act’s (IIJA) requirement that FERC establish incentive-based rate treatments to encourage public utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs2 and did not, in the eyes of dissenting Commissioner James P. Danly, do enough to “harden the cybersecurity defenses of the nation’s critical energy infrastructure,”3 it nevertheless represents another indicator that either requiring or incentivizing utilities to improve grid reliability is a top priority of the Phillips-led FERC.
Utility Eligibility
Despite the IIJA’s requirement that FERC establish cybersecurity incentives for public utilities engaging in the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce,4 Order No. 893 limits eligibility for such incentives to utilities that have or will have a cost-of-service rate on file with it.5 FERC found that public utilities with market-based rates are not eligible for the incentives absent making a filing to recover their entire cost of service under a cost-based rate6—another point on which Commissioner Danly dissented.7On the other hand non-public utilities, such as those utilities generally exempt from FERC jurisdiction under Federal Power Act (FPA) section 201(f) that have a cost-based rate on file with FERC will be eligible for the incentives.8
FERC’s decision to limit eligibility to utilities with a cost-of-service rate on file with the Commission means that the majority of transmission-owning utilities should be eligible to seek recovery of their cybersecurity investment. At the same time, FERC’s decision appears to exclude generation resources making sales at market-based rate—which account for the vast majority of resources participating in wholesale markets—from recovering such costs. As Commissioner Danly noted, the Commission’s decision to categorically exclude generation resources from recovering their investment in cybersecurity investments seems out-of-step with Commission policy permitting generation resources to recover their costs through a combination of market-based rate and cost-based sales.9 As Commissioner Danly pointed out:
Even under the construct today, a generation utility may have both a market-based rate tariff under which it sells energy, capacity and ancillary services and a cost-based rate tariff under which it recovers a reactive power revenue requirement. There is no requirement that such generation utility abandon its market-based rate tariff to recover its cost-based rates.10
Eligible Cybersecurity Investments
For an eligible utility’s cybersecurity investment to qualify for incentive-based rate treatment it must both (1) materially improve cybersecurity through either an Advanced Cybersecurity Technology (as defined by the IIJA) or participation in a cybersecurity threat information sharing program and (2) not already be mandated by North American Electric Reliability Corporation (NERC) reliability standards, federal, state or local laws, orders or directives, or a consent decree or settlement agreement.11FERC rejected arguments made by some parties and Commissioner Danly, in dissent,12 that the “materially improve” standard was too subjective, finding that “some degree of judgement is necessary given the many types of cybersecurity threats and investments and their rapid evolution.”13
Instead of omitting the materially improves standard, FERC identified multiple sources it would rely on to determine whether a cybersecurity investment satisfied the standard, including a specific cybersecurity recommendation from a relevant federal authority, such as the Department of Homeland Security’s Cybersecurity Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, or the Department of Energy or participation in the Cybersecurity Risk Information Sharing Program (CRISP) or similar cybersecurity threat information sharing program.14 FERC also clarified that, with respect to incentives for cybersecurity information sharing programs, it would consider programs based on whether they were (1) sponsored by federal or state governments, (2) provide two-way communications from and to electric industry and government entities and (3) deliver relevant and actionable cybersecurity information to program participants from the U.S. electric industry.15
The PQ List and Case-by-Case Cybersecurity Investments
Order No. 893 further clarifies what cybersecurity investments are eligible for incentive-based rate treatment by developing a list of pre-qualified investments—the “PQ List”—and adopting procedures through which it will evaluate non-PQ List investments on a case-by-case basis.16 For those investments that are identified on FERC’s PQ List, which FERC says will be posted to its website, a utility would be entitled to a presumption that its investment is eligible for incentive-based rate treatment.17 Initially, the PQ List will include expenditures related to participation in CRISP and expenditures associated with internal network security monitoring with the utility’s cyber systems.18 The PQ List may, however, be updated and expanded based on FERC’s experience with approving incentives under the case-by-case approach (discussed below) or as proposed by utilities.19
For investments not identified on the PQ List, Order No. 893 adopts a case-by-case approach pursuant to which a utility could propose a specific cybersecurity investment that it deems worthy of incentive-based rate treatment.20 The same criteria identified above would apply to cybersecurity investments proposed by utilities under the case-by-case approach, however, such investments would not be entitled to the presumption that the investments were in fact eligible for incentive-based rate treatments as with investments on the PQ List.21 Additionally, FERC said that under this approach, it will permit utilities to receive incentives for cybersecurity investments made to comply with cybersecurity-related NERC reliability standards for the time period between when they are approved by FERC and become effective.22
Cybersecurity Investment Rate Incentives
Although FERC initially proposed to provide utilities investing in cybersecurity with two rate incentive options, Order No. 893 limits utilities to single incentive option: a cybersecurity regulatory asset.23 The cybersecurity regulatory asset allows a utility to seek deferred cost recovery for cybersecurity investments that are eligible (as described below) for incentives for up to five years, treat such costs as a regulatory asset, and include them in rate base.24 Only eligible cybersecurity costs that are incurred after the effective date of FERC’s approval of such costs for incentive-based rate treatment and—with the exception of expenses associated with participation in cybersecurity threat information sharing program25—that are materially different from cybersecurity investments already incurred by utilities more than three months prior to making their incentive requests may be included in the regulatory asset.26
FERC abandoned—over a dissent from Commissioner James P. Danly27—its plan to provide utilities with another incentive option in the form of a return on equity (ROE) adder. Initially, FERC had proposed providing a 200-basis point ROE adder for utilities eligible cybersecurity investments, but found that the cybersecurity regulatory asset incentive alone was sufficient to induce utilities to invest in cybersecurity to the extent Congress intended in the IIJA.28
Application Process
A utility seeking incentive-based rate treatment for its cybersecurity investments must make a filing under section 205 of the FPA seeking a ruling on the eligibility of its investments or file a petition for declaratory order followed by a subsequent section 205 filing.29As expressly stated in the IIJA, a utility is permitted to make its filing seeking incentive-based rate treatment for its cybersecurity investments on a single issue basis.30 A filing must include, among other things, a description of the relevant cybersecurity expenses, estimates of the costs of cybersecurity expenses, and a description of when the cybersecurity expenses are expected to be incurred.31 A utility must also include an attestation that the specific cybersecurity investment it is seeking a rate incentive for is voluntary (i.e., not mandated by law, regulation, directive or settlement)32 and that it has not already undertaken a materially similar cybersecurity investment for more than three months prior to the filing.33A utility receiving incentive-based rate treatment under Order No. 893 must generally file an annual report with FERC by June 1 of each year.34
Conclusion
While Order No. 893 provides additional clarity regarding who can seek cybersecurity investment incentives, what they can be sought for, and how and when a utility might apply, there is still a fair amount unknown about how FERC will view applications for cybersecurity incentives (particularly for investments not on the PQ List) and apply its admittedly subjective “materially improves” standard. The Akin energy regulatory team will be tracking these developments.
1 Incentives for Advanced Cybersecurity Investment, Order No. 893, 183 FERC ¶ 61,033 (2023).
2 Infrastructure Investment and Jobs Act of 2021, Pub. L. 117-58, § 40123, 135 Stat. 429, 951 (codified at 16 U.S.C. 824s-1) (IIJA).
3 Order No. 893 (Danly, J, dissenting at P 17).
4 16 U.S.C. 824s-1(c).
5 Order No. 893, at PP 24, 26.
6 Id., at P 26.
7Order No. 893 (Danly, J, dissenting at PP 2-7) (“The IIJA intended agencies to adopt policies and rules that would induce swift and efficient investments in cybersecurity by the entire energy sector—it was not designed to undermine competitive markets.”).
8 Order No. 893, at P 24.
9 Order No. 893 (Danly, J, dissenting at P 7).
10 Id.
11 Order No. 893, at P 38.
12 Order No. 893 (Danly, J, dissenting at PP 8-11).
13Order No. 893, at P 50.
14 Id., at P 40.
15 Id., at P 42.
16 Id., at P 54.
17 Id., at PP 64, 69.
18 Id., at P 84.
19Id., at P 90.
20 Id., at P 107.
21 Id.
22 Id., at P 117.
23 Id., at P 134.
24 Id., at PP 145, 172.
25 Id., at P 152.
26 Id., at P 148.
27 Order No. 893 (Danly, J, dissenting at P 12).
28 Order No. 893, at P 134.
29 Id., at P 183.
30 Id, at P 184. See also 16 U.S.C. 824s-1(f).
31 Id., at P 186.
32 Id., at PP 46, 185.
33 Id., at P 185.
34 Id. at 193.