18 C.F.R. § 35.48

Current through September 30, 2024
Section 35.48 - Cybersecurity investment
(a)Purpose. This section establishes rules for incentive-based rate treatments for utilities with rates on file with the Commission that voluntarily make cybersecurity investments as described in this section.
(b)Definitions. As used in this section:

Advanced Cybersecurity Technology means any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat (as defined in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501 ) ).

Advanced Cybersecurity Technology Information means information relating to Advanced Cybersecurity Technology or proposed Advanced Cybersecurity Technology that is generated by or provided to the Commission or another Federal agency. Pursuant to FPA section 219A(g), Advanced Cybersecurity Technology Information is considered to be Critical Electric Infrastructure Information.

Critical Energy/Electric Infrastructure Information (CEII) has the same meaning as defined in 18 CFR 388.113 .

Electric Reliability Organization has the same meaning as defined in § 39.1 of this subchapter.

Reliability Standard has the same meaning as defined in § 39.1 of this subchapter.

(c)Incentive-based rate treatment for cybersecurity investment. The Commission will authorize incentive-based rate treatment for a utility that voluntarily makes an investment in Advanced Cybersecurity Technology and for a utility that voluntarily participates in a cybersecurity threat information sharing program under this section, provided that the utility meets the requirements of this section and the utility demonstrates that the resulting rate is just and reasonable and not unduly discriminatory or preferential, as required by sections 205 and 206 of the Federal Power Act. Incentive-based rate treatment is available to both public and non-public utilities that have or will have a rate on file with the Commission. A utility may request a single incentive-based rate treatment as specified in paragraph (f) of this section for an eligible cybersecurity investment that meets the eligibility criteria set forth in paragraph (d) of this section.
(d)Eligibility criteria. Pursuant to paragraphs (e) through (j) of this section, a utility may receive incentive-based rate treatment for a cybersecurity investment that:
(1) Materially improves cybersecurity through either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program; and
(2) Is not already mandated by the Reliability Standards as maintained by the Electric Reliability Organization, or otherwise mandated by local, State, or Federal law, decision, or directive; otherwise legally mandated; or an action taken in response to a Federal or State agency merger condition, consent decree from Federal or State agency, or settlement agreement that resolves a dispute between a utility and a public or private party.
(e)Demonstrating satisfaction of the eligibility criteria. A utility shall demonstrate to the Commission that a proposed cybersecurity investment satisfies the eligibility criteria in paragraph (d) of this section. Such demonstration shall show that the cybersecurity investment fulfills at least one of the provisions in the following paragraphs (e)(1) through (3):
(1) A utility shall demonstrate that a cybersecurity investment qualifies as one or more of the pre-qualified cybersecurity investments. The Commission shall rebuttably presume that pre-qualified cybersecurity investments satisfy the eligibility criteria. The Commission shall maintain a list on its website of pre-qualified cybersecurity investments and shall update such list from time to time either subject to notice and comment procedures or in a rulemaking.
(2) A utility shall demonstrate that a cybersecurity investment satisfies each of the eligibility criteria in paragraph (d) of this section. The Commission shall not presume that such demonstration satisfies the eligibility criteria.
(3) A utility shall demonstrate that it will make cybersecurity investments to comply with a Reliability Standard that is approved by the Commission but has not yet taken effect as approved by the Commission. The Commission shall not presume that such demonstration satisfies the eligibility criteria. Any incentives authorized by the Commission pursuant to this section shall terminate when the Reliability Standard takes effect.
(f)Types of incentive-based rate treatment for cybersecurity investment. For purposes of this section, incentive-based rate treatment shall mean deferral of expenses as a regulatory asset.
(g)Incentive duration.
(1) A deferred Advanced Cybersecurity Technology regulatory asset whose costs are typically expensed shall be:
(i) Amortized over a period of up to five years;
(ii) Limited to expenses incurred in the first five years following Commission approval of the incentive;
(iii) Limited to ongoing expenses that the applicable utility was not already undertaking more than three months prior to filing an incentive request; and
(iv) Terminated when the cybersecurity investment or activity that serves as the basis of that incentive becomes mandatory.
(2) An incentive granted for participation in a qualified cybersecurity threat information sharing program will not be subject to the five-year duration limitation provisions of paragraph (g)(1)(ii) of this section for as long as the utility participates in the qualified cybersecurity threat information sharing program and such participation is not mandatory as to the utility. A utility participating in a qualified cybersecurity threat information sharing program is eligible to continue deferring expenses associated with such participation, which for each year would be amortized over the next five years.
(h)Incentive applications. For the purpose of this section, a utility's request for incentive based-rate treatments for one or more cybersecurity investments must be made in a filing pursuant to section 205 of the Federal Power Act, or in a petition for a declaratory order that precedes a filing pursuant to section 205 of the Federal Power Act. Utilities may file such a request either as a part of a general rate request or on a single-issue basis. Such a request shall include a detailed explanation to include the following information:
(1) A demonstration that the cybersecurity investment satisfies the eligibility criteria, which includes an attestation that cybersecurity investment is not mandatory, as required by paragraph (d)(2) of this section, and that the resulting rate is just and reasonable and not unduly discriminatory or preferential;
(2) A detailed description of relevant cybersecurity expenses, including whether such cybersecurity expenses are:
(i) Associated with third-party provision of hardware, software, computing networking services, and/or cybersecurity monitoring services;
(ii) For training to implement network analysis and monitoring programs, and/or other cybersecurity protocols; and/or
(iii) Other cybersecurity expenses;
(3) Estimates of the cost of such cybersecurity expenses;
(4) When the cybersecurity expenses are expected to be incurred; and
(5) An attestation that the utility either has not already been undertaking duplicative or materially the same expenses for more than three months or that the utility is participating in a cybersecurity threat information-sharing program for the expense at issue. In the case of cybersecurity investments made to comply with a Reliability Standard that is approved by the Commission but has not yet taken effect as approved by the Commission pursuant to paragraph (e)(3) of this section, the utility must attest that it has not already been undertaking duplicative or materially the same expenses for more than three months prior to the date that the Commission's approval of the Reliability Standard becomes effective.
(i)Reporting requirements. A utility that has received Commission approval for incentive-based rate treatment under this section shall make an annual informational filing on June 1, provided that the utility has received such Commission approval at least 60 days prior to June 1 of that year. A utility that receives Commission approval of an incentive-based rate treatment under this section later than 60 days prior to June 1 shall submit an annual informational filing beginning on June 1 of the following year. The annual filing shall detail the specific cybersecurity investments that were made pursuant to the Commission's approval and the corresponding FERC account used. The annual informational filing shall describe the deferred expenses in sufficient detail to demonstrate that such expenses are specifically related to the cybersecurity investment granted incentives and not for ongoing services including system maintenance, surveillance, and other labor costs. Utilities shall provide a detailed description of any material changes in the nature of such expenses from prior year informational filings.
(j)Transmittal of CEII in incentive applications and annual reports. As appropriate, any CEII submitted to the Commission in a utility's incentive application made pursuant to paragraph (h) of this section or contained in its reporting requirements made pursuant to paragraph (i) of this section shall be filed consistent with part 388 of this title.

18 C.F.R. §35.48

88 FR 28377, May 3, 2023; 88 FR 37145, June 7, 2023
88 FR 28377, 7/3/2023; 88 FR 37145, 7/3/2023