FERC took the final step on Thursday in fulfilling its obligation to encourage voluntary investments in cybersecurity by electric utilities, as directed by Congress two years ago (RM22-19).

Congress ordered FERC to develop its cyber incentive plan in the Infrastructure Investment and Jobs Act of 2021, which mandated that the commission establish financial incentives for public utilities to invest in “advanced cybersecurity technology” and participate in cybersecurity threat information-sharing programs.

FERC Chair Willie Phillips | FERC

“In today’s highly interconnected world, our nation’s security and economic wellbeing depend on reliable and cyber-resilient energy infrastructure,” FERC Chair Willie Phillips said in a statement. “We must continue to build upon the mandatory framework of our cybersecurity reliability standards with efforts such as this to encourage utilities to proactively make additional cybersecurity investments in their systems.”

The final rule approved Thursday is largely similar to the Notice of Proposed Rulemaking that FERC issued last September. (See FERC Reluctantly Proposes Cybersecurity Incentives.) It sets three ways utilities may qualify for the incentives:

• any investment included in a prequalified list of cybersecurity expenditures with a rebuttable presumption of eligibility;
• investments needed to establish compliance with NERC’s mandatory Critical Infrastructure Protection (CIP) standards that are not yet enforceable; and
• investments not included in either of these categories but “tailored to their specific situations” and approved by FERC on a case-by-case basis.

The first qualification was already given in last year’s NOPR; the latter two were added for the final rule. Eligible investments must be for technology that “materially improves” a utility’s cybersecurity posture and is not already mandated by law or the CIP standards. Expenses for participating in threat information-sharing programs would also qualify for reimbursement.

Also included from the NOPR is the proposal to allow deferred cost recovery for eligible investments, through which utilities may add the unamortized portion of the expenses to their rate base.

An alternative means of compensation that would have provided a return on equity adder of 200 basis points was not adopted in the final rule. Commissioner Mark Christie criticized the idea as “FERC candy” when it was brought up in September, saying it was “pretty sour for consumers” who would end up paying utilities significantly more for doing what they “ought to do anyway.”

Incentives will remain in effect for up to five years from the date the expenses are incurred, with some exceptions, as long as the investments remain voluntary.

The only dissenting vote on the measure came from Commissioner James Danly, who said at Thursday’s meeting that despite the “unambiguous declarations of Congress and [their] clear purpose [of] directing us to incentivize certain types of investments,” FERC had chosen an “insufficient” path for fulfilling its mandate.

“We can quibble all we like about whether or not [the law] was the right way to do it; it doesn’t matter,” Danly said. “We’ve been given our marching orders by Congress, and it has been a matter of continuous interest to any number of policymakers that we take more aggressive stances on cybersecurity. This rule fails to encompass a sufficient quantity of the entire electric system, and it demands certain levels of materiality that I think are simply not appropriate given the statutory language.”

Danly tempered his criticism with praise for Phillips’ “enthusiastic and unflagging … support for ensuring that the NERC reliability standards are up to scratch.”

The final rule will take effect 60 days following its publication in the Federal Register. FERC had not published its order approving the rule as of press time.