FERC Proposing incentives for cybersecurity investments

FERC issued a Notice of Proposed Rulemaking (NOPR) in Docket RM-21-3 that would allow public utilities to request incentives for certain cybersecurity investments that go above and beyond the requirements of the North American Electric Reliability Corporation, or NERC, Critical Infrastructure Protection Reliability Standards, the CIP Reliability Standards.  The proposed cybersecurity incentives framework encourages public utilities to undertake cybersecurity investments on a voluntary basis that are above and beyond the requirements of the mandatory CIP Reliability Standards and, thereby, better ensure secure service for customers.  This approach would incent a public utility to adopt cybersecurity practices that would not only better protect its own systems but also improve the cybersecurity of the Bulk-Power System.  The NOPR includes two incentive approaches:
The first approach, the NERC CIP Incentives Approach, would allow a public utility to receive incentive rate treatment for voluntarily applying identified CIP Reliability Standards to facilities that are not currently subject to those requirements.    

• Under the NERC CIP Incentives Approach, a public utility has two options for requesting an incentive.  A public utility would request incentive rate treatment for voluntarily applying the requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems, referred to as the Medium/High Incentive. 
• Alternatively, or in addition to the Medium/High Incentive, a public utility would request incentive rate treatment for voluntarily ensuring that all external routable connectivity to and from the low impact system connect to a high or medium impact bulk electric system Cyber System, referred to as the Hub-Spoke Incentive.

The second approach would allow a public utility to receive incentive rate treatment for implementing certain security controls included in the Cybersecurity Framework developed by the National Institute of Standards and Technology, the NIST Framework.  This is the NIST Framework Approach.  The NIST Framework includes many types of security controls; however, the NOPR proposes to initially only consider one type of security controls, automated and continuous monitoring, as eligible for an incentive under this approach.
The NOPR would allow a public utility to request incentives using any combination of the two proposed approaches.
Under the NOPR, a public utility that makes cybersecurity investments consistent with the two approaches that we have described would be eligible for one of the following two types of incentives:
The first incentive would apply a 200 basis-point adder to the return on equity for eligible cybersecurity capital investments and is referred to as the Cybersecurity ROE Incentive.
Alternatively, the second incentive would allow a public utility to seek deferred cost recovery for certain expenses related to cybersecurity investments and is referred to as the Regulatory Asset Incentive.
Finally, the NOPR describes the showings that a public utility would have to make to receive either incentive and would require an annual informational filing.
Initial comments are due 60 days (mid-February 2021), and reply comments 90 days (mid-March 2021), after the date of publication in the Federal Register.