FERC Again Aims to Enhance Grid Reliability with Order Approving Incentive Rate Treatment for Cybersecurity Investments

April 25, 2023

Reading Time : 7 min

For the fourth straight meeting of the Federal Energy Regulatory Commission (FERC) and the fourth since Willie L. Phillips was appointed its acting Chair, an order aimed at improving the reliability of the nation’s electric grid was placed atop FERC’s agenda. At the most recent FERC open meeting on April 20, 2023, FERC issued Order No. 893—Incentives for Advanced Cybersecurity Investment—which permits certain public and non-public utilities to seek incentive-based rate treatment for their eligible cybersecurity investments.1As discussed further below, as a result of Order No. 893, transmission owning utilities will now have the ability to make a filing to seek to recover the costs of their voluntary investments in cybersecurity capabilities.

Although Order No. 893 was issued in response to the Infrastructure Investment and Jobs Act’s (IIJA) requirement that FERC establish incentive-based rate treatments to encourage public utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs2 and did not, in the eyes of dissenting Commissioner James P. Danly, do enough to “harden the cybersecurity defenses of the nation’s critical energy infrastructure,”3 it nevertheless represents another indicator that either requiring or incentivizing utilities to improve grid reliability is a top priority of the Phillips-led FERC.

Utility Eligibility

Despite the IIJA’s requirement that FERC establish cybersecurity incentives for public utilities engaging in the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce,4 Order No. 893 limits eligibility for such incentives to utilities that have or will have a cost-of-service rate on file with it.5 FERC found that public utilities with market-based rates are not eligible for the incentives absent making a filing to recover their entire cost of service under a cost-based rate6—another point on which Commissioner Danly dissented.7On the other hand non-public utilities, such as those utilities generally exempt from FERC jurisdiction under Federal Power Act (FPA) section 201(f) that have a cost-based rate on file with FERC will be eligible for the incentives.8

FERC’s decision to limit eligibility to utilities with a cost-of-service rate on file with the Commission means that the majority of transmission-owning utilities should be eligible to seek recovery of their cybersecurity investment. At the same time, FERC’s decision appears to exclude generation resources making sales at market-based rate—which account for the vast majority of resources participating in wholesale markets—from recovering such costs. As Commissioner Danly noted, the Commission’s decision to categorically exclude generation resources from recovering their investment in cybersecurity investments seems out-of-step with Commission policy permitting generation resources to recover their costs through a combination of market-based rate and cost-based sales.9 As Commissioner Danly pointed out:

Even under the construct today, a generation utility may have both a market-based rate tariff under which it sells energy, capacity and ancillary services and a cost-based rate tariff under which it recovers a reactive power revenue requirement. There is no requirement that such generation utility abandon its market-based rate tariff to recover its cost-based rates.10

Eligible Cybersecurity Investments

For an eligible utility’s cybersecurity investment to qualify for incentive-based rate treatment it must both (1) materially improve cybersecurity through either an Advanced Cybersecurity Technology (as defined by the IIJA) or participation in a cybersecurity threat information sharing program and (2) not already be mandated by North American Electric Reliability Corporation (NERC) reliability standards, federal, state or local laws, orders or directives, or a consent decree or settlement agreement.11FERC rejected arguments made by some parties and Commissioner Danly, in dissent,12 that the “materially improve” standard was too subjective, finding that “some degree of judgement is necessary given the many types of cybersecurity threats and investments and their rapid evolution.”13

Instead of omitting the materially improves standard, FERC identified multiple sources it would rely on to determine whether a cybersecurity investment satisfied the standard, including a specific cybersecurity recommendation from a relevant federal authority, such as the Department of Homeland Security’s Cybersecurity Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, or the Department of Energy or participation in the Cybersecurity Risk Information Sharing Program (CRISP) or similar cybersecurity threat information sharing program.14 FERC also clarified that, with respect to incentives for cybersecurity information sharing programs, it would consider programs based on whether they were (1) sponsored by federal or state governments, (2) provide two-way communications from and to electric industry and government entities and (3) deliver relevant and actionable cybersecurity information to program participants from the U.S. electric industry.15

The PQ List and Case-by-Case Cybersecurity Investments

Order No. 893 further clarifies what cybersecurity investments are eligible for incentive-based rate treatment by developing a list of pre-qualified investments—the “PQ List”—and adopting procedures through which it will evaluate non-PQ List investments on a case-by-case basis.16 For those investments that are identified on FERC’s PQ List, which FERC says will be posted to its website, a utility would be entitled to a presumption that its investment is eligible for incentive-based rate treatment.17 Initially, the PQ List will include expenditures related to participation in CRISP and expenditures associated with internal network security monitoring with the utility’s cyber systems.18 The PQ List may, however, be updated and expanded based on FERC’s experience with approving incentives under the case-by-case approach (discussed below) or as proposed by utilities.19

For investments not identified on the PQ List, Order No. 893 adopts a case-by-case approach pursuant to which a utility could propose a specific cybersecurity investment that it deems worthy of incentive-based rate treatment.20 The same criteria identified above would apply to cybersecurity investments proposed by utilities under the case-by-case approach, however, such investments would not be entitled to the presumption that the investments were in fact eligible for incentive-based rate treatments as with investments on the PQ List.21 Additionally, FERC said that under this approach, it will permit utilities to receive incentives for cybersecurity investments made to comply with cybersecurity-related NERC reliability standards for the time period between when they are approved by FERC and become effective.22

Cybersecurity Investment Rate Incentives

Although FERC initially proposed to provide utilities investing in cybersecurity with two rate incentive options, Order No. 893 limits utilities to single incentive option: a cybersecurity regulatory asset.23 The cybersecurity regulatory asset allows a utility to seek deferred cost recovery for cybersecurity investments that are eligible (as described below) for incentives for up to five years, treat such costs as a regulatory asset, and include them in rate base.24 Only eligible cybersecurity costs that are incurred after the effective date of FERC’s approval of such costs for incentive-based rate treatment and—with the exception of expenses associated with participation in cybersecurity threat information sharing program25—that are materially different from cybersecurity investments already incurred by utilities more than three months prior to making their incentive requests may be included in the regulatory asset.26

FERC abandoned—over a dissent from Commissioner James P. Danly27—its plan to provide utilities with another incentive option in the form of a return on equity (ROE) adder. Initially, FERC had proposed providing a 200-basis point ROE adder for utilities eligible cybersecurity investments, but found that the cybersecurity regulatory asset incentive alone was sufficient to induce utilities to invest in cybersecurity to the extent Congress intended in the IIJA.28

Application Process

A utility seeking incentive-based rate treatment for its cybersecurity investments must make a filing under section 205 of the FPA seeking a ruling on the eligibility of its investments or file a petition for declaratory order followed by a subsequent section 205 filing.29As expressly stated in the IIJA, a utility is permitted to make its filing seeking incentive-based rate treatment for its cybersecurity investments on a single issue basis.30 A filing must include, among other things, a description of the relevant cybersecurity expenses, estimates of the costs of cybersecurity expenses, and a description of when the cybersecurity expenses are expected to be incurred.31 A utility must also include an attestation that the specific cybersecurity investment it is seeking a rate incentive for is voluntary (i.e., not mandated by law, regulation, directive or settlement)32 and that it has not already undertaken a materially similar cybersecurity investment for more than three months prior to the filing.33A utility receiving incentive-based rate treatment under Order No. 893 must generally file an annual report with FERC by June 1 of each year.34

Conclusion

While Order No. 893 provides additional clarity regarding who can seek cybersecurity investment incentives, what they can be sought for, and how and when a utility might apply, there is still a fair amount unknown about how FERC will view applications for cybersecurity incentives (particularly for investments not on the PQ List) and apply its admittedly subjective “materially improves” standard. The Akin energy regulatory team will be tracking these developments.


1 Incentives for Advanced Cybersecurity Investment, Order No. 893, 183 FERC ¶ 61,033 (2023).

2 Infrastructure Investment and Jobs Act of 2021, Pub. L. 117-58, § 40123, 135 Stat. 429, 951 (codified at 16 U.S.C. 824s-1) (IIJA).

3 Order No. 893 (Danly, J, dissenting at P 17).

4 16 U.S.C. 824s-1(c).

5 Order No. 893, at PP 24, 26.

6 Id., at P 26.

7Order No. 893 (Danly, J, dissenting at PP 2-7) (“The IIJA intended agencies to adopt policies and rules that would induce swift and efficient investments in cybersecurity by the entire energy sector—it was not designed to undermine competitive markets.”).

8 Order No. 893, at P 24.

9 Order No. 893 (Danly, J, dissenting at P 7).

10 Id.

11 Order No. 893, at P 38.

12 Order No. 893 (Danly, J, dissenting at PP 8-11).

13Order No. 893, at P 50.

14 Id., at P 40.

15 Id., at P 42.

16 Id., at P 54.

17 Id., at PP 64, 69.

18 Id., at P 84.

19Id., at P 90.

20 Id., at P 107.

21 Id.

22 Id., at P 117.

23 Id., at P 134.

24 Id., at PP 145, 172.

25 Id., at P 152.

26 Id., at P 148.

27 Order No. 893 (Danly, J, dissenting at P 12).

28 Order No. 893, at P 134.

29 Id., at P 183.

30 Id, at P 184. See also 16 U.S.C. 824s-1(f).

31 Id., at P 186.

32 Id., at PP 46, 185.

33 Id., at P 185.

34 Id. at 193.

Share This Insight

Previous Entries

Speaking Energy

December 5, 2024

On November 27, 2024, the Federal Energy Regulatory Commission (FERC or Commission) issued Venture Global CP2 LNG, LLC,1 an order that sets aside, in part, the Commission’s prior authorization of the CP2 LNG Terminal and CP Express Pipeline Project (collectively, the CP2 Project) under sections 3 and 7 of the Natural Gas Act (NGA). In anticipation of future appellate challenges to its authorization of the CP2 Project, FERC ordered the initiation of a supplemental environmental impact statement (SEIS) process under the National Environmental Policy Act (NEPA) to assess the CP2 Project’s contribution to cumulative air impacts for nitrogen dioxide (NO2) and particulate matter less than 2.5 micrometers (PM2.5). Accordingly, FERC stated that it would not allow construction to commence on the CP2 Project’s proposed liquefied natural gas (LNG) export terminal and related feed gas pipeline until the SEIS process concluded and a subsequent order was issued. Concurrent with its Venture Global order, FERC issued a projected schedule for the NEPA process that does not conclude until July 24, 2025. Construction on the CP2 Project had been expected to be imminent, with the project sponsor seeking a partial authorization to proceed with construction only hours prior to Venture Global’s issuance.

...

Read More

Speaking Energy

December 5, 2024

On November 27, 2024, in Venture Global, CP2 LNG, LLC,1 the Federal Energy Regulatory Commission’s (FERC or Commission) explicitly overruled precedent set in Northern Natural Gas Co.,2 a 2021 decision in which FERC made an affirmative finding that an interstate natural gas pipeline project it was certificating under section 7 of the Natural Gas Act (NGA) would not make a “significant” contribution to global climate change. Northern Natural is the only FERC decision in which a so-called significance determination was made with respect to greenhouse gas emissions (GHG) arising from a FERC-regulated natural gas infrastructure project. In Venture Global, FERC rejected arguments that it needed to follow Northern Natural and assess the significance of GHG emissions in all NGA certificate proceedings to comply with the National Environmental Policy Act (NEPA). NEPA requires federal agencies, including FERC, that perform “major federal actions,” which include issuing NGA section 7 certificates, to prepare an environmental impact statement (EIS) if the action will “significantly affect[] the quality of the human environment.”3 FERC has been under pressure to fully explain why it has chosen not to apply Northern Natural’s significance analysis in subsequent cases, and that issue is currently before FERC on remand from the U.S. Court of Appeals for the District of Columbia (D.C. Circuit) in Healthy Gulf et al. v. FERC, which reviewed FERC’s approval of a liquefied natural gas (LNG) terminal under NGA section 3.

...

Read More

Speaking Energy

December 4, 2024

On November 21, 2024, the Federal Energy Regulatory Commission (FERC or Commission) issued Order No. 1920-A1 addressing requests for rehearing and clarification of FERC’s landmark final rule on transmission planning and cost allocation issued in May 2024. While the Commission largely affirmed the final rule, the order grants rehearing of some of the more controversial aspects of Order No. 1920.

...

Read More

Speaking Energy

August 7, 2024

*Thank you to JaKell Larson, 2024 Akin Summer Associate, for her valuable collaboration on this article.

...

Read More

Speaking Energy

July 31, 2024

Interstate oil, liquid and refined products pipelines regulated by the Federal Energy Regulatory Commission (FERC) will soon be able to raise their transportation rates (provided they were set using FERC’s popular Index rate methodology) in the wake of a significant new decision by the District of Columbia Circuit (the D.C. Circuit) in Liquid Energy Pipeline Association v. FERC (LEPA).

...

Read More

Speaking Energy

July 29, 2024

On Wednesday, July 24, 2024, the U.S. House of Representative Committee on Energy and Commerce held a Subcommittee on Energy, Climate, and Grid Security hearing to review the Federal Energy Regulatory Commission (FERC or Commission) Fiscal Year 2025 Budget Request. Members of the Subcommittee had the opportunity to hear testimony from all five Commissioners, including FERC Chairman Willie Phillips and Commissioner Mark Christie, as well as the three recently confirmed commissioners, David Rosner, Lindsay See and Judy Chang. In addition to their prepared remarks, the five commissioners answered questions on FERC’s mandate to provide affordable and reliable electricity and natural gas services nationwide, while also ensuring it fulfills its primary mission of maintaining just and reasonable rates.

...

Read More

Speaking Energy

July 29, 2024

On July 9, 2024, the U.S. Court of the Appeals for the D.C. Circuit held that the Federal Energy Regulatory Commission (FERC or the Commission) erred in ordering refunds for certain bilateral spot market transactions in the Western Energy Coordinating Council (WECC) region that exceeded the $1,000/megawatt-hour (MWh) “soft” price cap for such sales.1 Finding FERC failed to conduct a “Mobile-Sierra public-interest analysis” before “altering” those contracts by ordering refunds, the court vacated FERC’s orders and remanded the case to FERC for further proceedings.2

...

Read More

Speaking Energy

July 8, 2024

On June 28, 2024, in Loper Bright Enterprises v. Raimondo, the U.S. Supreme Court overruled Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., which for 40 years required court deference to reasonable agency interpretations of federal statutes in certain circumstances, even when the reviewing court would read the statute differently. The Court ended “Chevron deference” and held that courts “must exercise their independent judgment in deciding whether an agency has acted within its statutory authority.” In doing so, the Court upended a longstanding principle of administrative law that is likely to make agency decisions more susceptible to challenge in the courts.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.