FERC Issues Final Rule on Incentive Rate Treatments for Advanced Cybersecurity Investment

The Federal Energy Regulatory Commission (FERC) issued a Final Rule on April 21, 2023, revising its regulations under section 219A of the Federal Power Act (FPA) to provide incentive-based rate treatments for both public and non-public utilities that voluntarily invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs. The Final Rule, required by the Infrastructure Investment and Jobs Act of 2021 (IIJA), will take effect sixty days following its publication in the Federal Register.

Under the Final Rule, FERC will evaluate cybersecurity investments for which utilities seek incentives using a list of pre-qualified expenditures that will be entitled to a rebuttable presumption of eligibility for incentive treatment. FERC also adopted an alternative case-by-case approach to granting incentives upon a demonstration by a utility that its cybersecurity investment satisfies the eligibility criteria. Eligible cybersecurity expenditures undertaken by utilities must: 

  1. materially improve cybersecurity, and
  2. not already be mandated by an existing Reliability Standard, or any applicable local, state, or federal law.

The Final Rule also allows a utility to seek incentives for early compliance with new cybersecurity reliability standards.

The incentive rate treatment would allow a utility to defer cost recovery for certain cybersecurity expenses and capitalized costs by deferring these expenditures and including the unamortized portion of the expenditures in its rate base as a regulatory asset. The Final Rule limits the duration of approved incentives, with certain exceptions, to up to five years from the date on which expenditures were made, provided that the investments remain voluntary. FERC will require utilities that receive incentive-based rate treatment to submit informational reports while the cybersecurity incentive is in effect. FERC declined to adopt its proposal to allow a utility that makes cybersecurity investments, including enterprise-wide investments, to request a cybersecurity return on equity (ROE) incentive adder of 200 basis points that would be applied to the incentive-eligible investments.

Commissioner Danly dissented from the Final Rule, calling it a “tepid response to a clear Congressional mandate” and contending that it is not in line with the IIJA because it applies only to certain industry participants (it excludes utilities that sell electricity at market-based rates) and includes a materiality requirement. Commissioner Danly also disagreed with the elimination of the 200 basis point ROE adder and the failure to establish performance-based rate treatments. Commissioner Danly asserted that a better way to comply with the IIJA would be a rule allowing entities to propose, on a case-by-case basis, performance-based rate treatments “that would measure and tie the rate treatment to the number and severity of cybersecurity incidents.”