FERC reluctantly issued a Notice of Proposed Rulemaking on Thursday to consider a 200-basis-point incentive for utilities that make voluntary cybersecurity investments, an initiative directed by Congress in last year’s Infrastructure Investment and Jobs Act (RM22-19).
Expenses and capital investments in advanced cybersecurity technology that “materially improve” a utility’s cybersecurity posture and are not already mandated by NERC’s Critical Infrastructure Protection (CIP) reliability standards, or local, state or federal law, would be eligible for the incentives. Also included would be expenses for participating in cybersecurity threat information-sharing programs.
‘FERC Candy’
Chairman Richard Glick and Commissioner Mark Christie said they were reluctantly supporting the NOPR because of Congress’ directive.
Glick said NERC’s mandatory reliability standards have “proven to be a pretty effective approach,” although he acknowledged that it can take too long to respond to emerging threats by amending the CIP standards.
“I think that, if it is important that utilities make investments, or if it’s important that utilities participate in these information-sharing groups, we need to explore whether we need to utilize our mandatory reliability standards approach to get there,” Glick said. “And that was my preferred option.”
He cited the commission’s 2019 technical conference on cybersecurity incentives, where he said numerous utilities said they had not encountered problems recovering their costs from FERC or state regulators. (See Mixed Reaction for ‘Resilience Incentives’.)
“I’m not totally sure the incentives approach is the way to go, given the significance of these types of investments,” he said.
The NOPR proposes that utilities choose between a return on equity (ROE) adder of 200 basis points or deferred cost recovery, which would allow them to add the unamortized portion of the expenses to their rate base.
The commission acknowledged that a 200-basis-point adder exceeds the ROE incentives for transmission facilities. But it said that “given the relatively small cost of cybersecurity investments compared to conventional transmission projects, a higher ROE may be necessary to affect the expenditure decisions of utilities, without unduly burdening ratepayers.”
“Two hundred basis points — that is a lot,” said Christie. “As you know, the ROE already is supposed to represent the market cost of equity capital, and now you’re going to give them 200 basis points on top of that for doing what they ought to do anyway? I mean, there’s a reason why these adders over the years have come to be known as ‘FERC candy.’ They’re really sweet for those who get it, but not to consumers who have to pay for it. Pretty sour for consumers. …
“I acknowledge the statute says create an incentive,” he added. “One might make the case that the rate treatment itself is a pretty good incentive.”
Commissioner James Danly said that because of the time it takes to enact new mandatory reliability rules, “of all of the challenges that NERC faces, maybe cybersecurity is the one for which NERC is the least apposite.”
“So the question becomes, if that is an inapposite tool — and I would argue that it probably at least partially is — is the provision of FERC candy the proper way to incentivize the rapid immediate response that I think is the policy that is being driven at here? And the fact of the matter is, I do not know. We have to see what the comments are.”
Commissioner Willie Phillips, a former NERC assistant general counsel, said the CIP standards are “a great foundation. The problem is, as everyone has pointed out, they just take too long. …
“We absolutely need to make sure that our utilities don’t do the bare minimum, but that they’re reaching for the sky,” he continued. “What we don’t want to do … is look back years from now, in the wake of some catastrophic, successful cyberattack, and say, ‘If only we had done a little bit more.’”
Prequalified Expenditures
FERC proposed creating a prequalified list of cybersecurity expenditures eligible for incentives with a rebuttable presumption of eligibility. It said it would initially include on the list expenses related to participation in the Department of Energy’s Cybersecurity Risk Information Sharing Program and those for internal network security monitoring, which it said “may better position an entity to detect malicious activity that has circumvented perimeter controls.”
Incentives would generally last as long as the underlying assets are depreciated, with a maximum of five years. Technologies that “may be innovative and/or above and beyond industry standards at one time … may subsequently become conventional, mandatory or even antiquated and therefore may be less deserving of an incentive over time,” the commission said.
The commission also asked for comment on whether cyber incentives should be offered through performance-based rates. “In particular, we seek comment on whether any widely accepted metrics for cybersecurity performance could lend themselves to be benchmarks needed for performance-based rates, or whether new appropriate metrics could be developed,” it said.
As a result of the NOPR, the commission voted to terminate a previous cybersecurity incentives proposal it opened in December 2020 (RM21-3). (See Industry Warns of Hidden Dangers in Cyber Incentives.)
Comments on the new NOPR will be due 30 days after publication in the Federal Register, with reply comments due 15 days after that.