In April 2023, the Commission issued an order that provides for incentive-based rate treatment to encourage investments by utilities in Advanced Cybersecurity Technology, and participation by utilities in cybersecurity threat information sharing programs.
Public and non-public utilities that have or will have a cost-based rate on file with the Commission.
As found in 18 CFR § 35.48(b), an “Advanced Cybersecurity Technology” is any technology, operational capability, or service, including computer hardware, software, or a related asset that enhances the security posture of public utilities by protecting against, detecting, responding to, or recovering from a “cybersecurity threat,” as defined by 6 USC § 1501(5).
As described in 18 CFR § 35.48(d), an expense for either an investment in an Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program will be eligible if it both (1) materially improves cybersecurity through either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program, and (2) is not already mandated by (a) Commission-approved Reliability Standards, (b) Local, State, or Federal law, decision, or directive, or (c) any other legal mandate (e.g., merger condition, consent decree from Federal or State agency, or settlement agreement).
As found in 18 CFR § 35.48(e), an applicant has three methods to demonstrate that it has satisfied the eligibility criteria.
- If the applicant demonstrates that a cybersecurity investment qualifies as one or more of the cybersecurity investments on the Prequalified List (PQ List), the investment has a rebuttable presumption that it satisfies the material improvement criterion.
- If the cybersecurity investment is not on the PQ List, the applicant can apply for an incentive for a cybersecurity investment made on a case-by-case basis. The applicant would bear the burden of proof to demonstrate that the particular investment materially improves cybersecurity through either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program.
- If the cybersecurity investment is made to comply with a Reliability Standard that is approved by the Commission but has not yet taken effect, the applicant would also bear the burden of proof to demonstrate that the investment satisfies the eligibility criteria, that it is necessary to comply with the Reliability Standard, and that it will be made prior to the date that the Reliability Standard becomes mandatory and enforceable for that utility.
Under any of these pathways, the applicant needs to submit an attestation, as described in 18 CFR § 35.48(h)(1), that the cybersecurity investment is not mandatory.
As set forth in 18 CFR § 35.48(e)(1), the Commission has established a list of items that are presumed to have demonstrated that the particular investment materially improves cybersecurity through either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program. The PQ List can be found at [Add link]
Yes. For cybersecurity investments that are not found on the PQ List, the Commission will evaluate each application on a case-by-case basis to determine whether incentives are warranted. The Commission will consider the following sources in that evaluation: (1) security controls enumerated in the NIST SP 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog; (2) security controls satisfying an objective found in the NIST Cybersecurity Framework technical subcategory; (3) a specific cybersecurity recommendation from a relevant federal authority, such as DHS’s CISA, the FBI, NSA, or DOE; (4) participation in a relevant cybersecurity threat information sharing program; and/or (5) achieving and sustaining one or more of the C2M2 Domains at the highest Maturity Indicator Level.
As found in 18 CFR § 35.48(f), an incentive-based rate treatment for a cybersecurity investment is a deferral of expenses as a “Regulatory Asset.” This rate treatment will allow utilities to include eligible expenses in a rate base and earn a rate of return on those expenses. An incentive lasts for up to five years, with amortization of costs being up to five years.
No. However, utilities may request incentive treatment for future expenses associated with eligible information-sharing programs irrespective of how long the utility has been incurring such costs. For other cybersecurity investments, as found in 18 CFR § 35.48(g) and 18 CFR § 35.48(h)(5), only those investments that are materially different from cybersecurity investments already incurred by the utility more than three months prior to the incentive request are incentive eligible.
As found in 18 CFR § 35.48(g), the duration of the incentive depends on whether it is for an Advanced Cybersecurity Technology or for a cybersecurity threat information sharing program.
For Advanced Cybersecurity Technology, the incentive duration is:
- Amortized over a period of up to five years at the applicant’s choice; and
- Limited to the first five years following Commission approval; and
- Terminated when and if the cybersecurity investment becomes mandatory.
For a cybersecurity threat information sharing program, the incentive duration is:
- Not limited to any duration; and
- Each year's expenses are amortized over the next five years.
Any incentive terminates automatically if the cybersecurity investment for which it is granted becomes mandatory.
In order to receive incentive-based rate treatment for a cybersecurity investment, an applicant must make a rate filing pursuant to section 205 of the FPA to reflect that proposed incentive. An applicant may also petition the Commission for a declaratory order that would precede the section 205 filing. Requests can be part of a general rate request or a single-issue request.
As described in 18 CFR § 35.48(i), an entity that has an incentive-based rate treatment for the cybersecurity investments that had been approved at least 60 days prior to June 1 of that calendar year must submit to the Commission by June 1 a report detailing specific cybersecurity investments with the corresponding FERC account used and describing the deferred expenses to differentiate cybersecurity improvement from ongoing maintenance.
As found in 18 CFR § 35.48(j), an entity may seek treatment of any information it believes qualifies as Critical Energy/Electric Infrastructure Information (CEII), as described in 18 CFR § 388.113(d)(1)(i)–(ii). This approach applies to both incentive applications and annual reporting.