On April 21, 2023, the Department of Energy (DOE), under the aegis of the Federal Energy Regulatory
Commission (FERC), issued its “Incentives for Advanced Cybersecurity Investment” (Docket No. RM22-
19-000; Order No. 893). The rule comprises revisions to prior regulations aimed at providing incentive-based rate treatment for transmitting electric energy in interstate commerce, and the sale of electric energy by utilities at wholesale in interstate commerce.
The new rule’s objective is intended to benefit consumers by encouraging investments by utilities in
Advanced Cybersecurity Technology and their participation in cybersecurity threat information sharing
programs, as directed by the Infrastructure Investment and Jobs Act of 2021.
The final rule by FERC revised section 219A of the Federal Power Act (FPA) to establish rules for
voluntary incentive-based rate treatment for certain voluntary cybersecurity investments by utilities.
The newly established rules make incentive-based rate treatment available to utilities that focus on voluntary investments in advanced cybersecurity technology. These investments will enhance organization’s security posture and better protect consumers by improving their ability to protect against, detect, respond to, or recover from a cybersecurity threat. Importantly, it extends incentive-based rate
treatment to utilities that participate in cybersecurity threat information sharing programs.
The new incentive-based rules are in line with directives under the Infrastructure Investment and Jobs
Act of 2021 (IIJA), signed into law in November 2021, calling for FERC to revise its regulations in order to
establish the above rate treatments as part of efforts to enhance the security posture of the Bulk-Power
System.
In establishing a regulatory framework for utilities to request incentive-based rate treatment for certain
voluntary cybersecurity investments, the Commission details specific criteria defining each of the
operational elements of the rule. These range from defining cybersecurity investments, establishing
requirements for utility eligibility for rate incentives based on cybersecurity investments to a detailed
discussion of cybersecurity investment rate incentives.
The Commission also proposed to evaluate cybersecurity investments using a list of pre-qualified
expenditures (PQ List) that are determined by the Commission to be eligible for incentives, which would
be posted on the Commission’s public website. The Commission proposed that any cybersecurity
investment on the PQ List would qualify under a “rebuttable presumption of eligibility” for an incentive.
With the Commission having evaluated cybersecurity investments to include on the PQ List in advance
of the application for incentive-based rate treatment, along with the rebuttable presumption, the
Commission believes that the PQ List approach would provide an efficient and transparent mechanism
for determining appropriate cybersecurity investments that are eligible for incentives. The
Commission also discussed and sought comment on a potential alternative approach, whereby a
utility’s cybersecurity investment would be evaluated on a case-by-case basis to determine if it is
eligible for an incentive.
The complete, final rule, including comments, is available at https://www.ferc.gov/.