Incentives for Advanced Cybersecurity Investment
On April 21, 2023, the Department of Energy (DOE), under the aegis of the Federal Energy Regulatory Commission (FERC), issued its “Incentives for Advanced Cybersecurity Investment” (Docket No. RM22-19-000; Order No. 893). The rule comprises revisions to prior regulations aimed at providing incentive-based rate treatment for the transmission of electric energy in interstate commerce and the sale of electric energy by utilities at wholesale in interstate commerce.
The new rule is intended to benefit consumers by encouraging utilities to invest in Advanced Cybersecurity Technology and to participate in cybersecurity threat information sharing programs, as directed by the Infrastructure Investment and Jobs Act of 2021.
Focus on Voluntary Cybersecurity Investments in Advanced Cybersecurity Technology
The final rule by FERC revised section 219A of the Federal Power Act (FPA) to establish rules for voluntary incentive-based rate treatment for certain voluntary cybersecurity investments by utilities.
The newly established rules make incentive-based rate treatment available to utilities that focus on voluntary investments in advanced cybersecurity technology. These investments will enhance an organization’s security posture and better protect consumers by improving its ability to protect against, detect, respond to, or recover from a cybersecurity threat. Importantly, the rule extends incentive-based rate treatment to utilities that participate in cybersecurity threat information sharing programs.
The new incentive-based rules are in line with directives under the Infrastructure Investment and Jobs Act of 2021 (IIJA), signed into law in November 2021, calling for FERC to revise its regulations in order to establish the above rate treatments as part of efforts to enhance the security posture of the Bulk-Power
As part of its mandate, the rule establishes two eligibility criteria, requiring that each cybersecurity
- materially improves cybersecurity through either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program; and
- is not already mandated by the Reliability Standards, or otherwise mandated by local, state, or federal law, decision, or directive; otherwise legally mandated; or an action taken in response to a federal or state agency merger condition, consent decree from federal or state agency, or settlement agreement that resolves a dispute between a utility and a public or private party.
In establishing a regulatory framework for utilities to request incentive-based rate treatment for certain voluntary cybersecurity investments, the Commission details specific criteria defining each of the operational elements of the rule. These range from defining cybersecurity investments and establishing requirements for utility eligibility for rate incentives based on cybersecurity investments to a detailed discussion of cybersecurity investment rate incentives.
The Commission also proposed to evaluate cybersecurity investments using a list of pre-qualified expenditures (PQ List) that are determined by the Commission to be eligible for incentives, which would be posted on the Commission’s public website. The Commission proposed that any cybersecurity investment on the PQ List would qualify under a “rebuttable presumption of eligibility” for an incentive.
With the Commission having evaluated cybersecurity investments to include on the PQ List in advance of the application for incentive-based rate treatment, along with the rebuttable presumption, the Commission believes that the PQ List approach would provide an efficient and transparent mechanism for determining appropriate cybersecurity investments that are eligible for incentives. The Commission also discussed and sought comment on a potential alternative approach, whereby a utility’s cybersecurity investment would be evaluated on a case-by-case basis to determine if it is eligible for an incentive.
Notably, the Commission also proposed two potential cybersecurity incentives under Rule 893:
- A return on equity (ROE) incentive of 200 basis points, or Cybersecurity ROE Incentive; and
- Deferred cost recovery for certain cybersecurity investments, enabling a utility to defer expenses and include the unamortized portion in its rate base (Cybersecurity Regulatory Asset
In its full sweep, the rule constitutes a new framework designed to accomplish the following:
- Identify the utilities permitted to request incentive-based rate treatment for cybersecurity
- Establish criteria by which the Commission can determine whether a cybersecurity investment is eligible to receive an incentive-based rate treatment;
- Discuss the approaches that a utility may use to demonstrate that a cybersecurity investment satisfies the eligibility criteria;
- Explain the types of incentive-based rate treatments available for qualifying cybersecurity
- Set limits on the duration of the incentive-based rate treatment;
- Describe what utilities must include in their applications for incentive-based rate treatment for cybersecurity investments; and
- Establish the annual reporting requirements for utilities that receive incentive-based rate treatment for their cybersecurity investments.