This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

Federal Energy Regulatory Commission Proposes Incentives for Utility Cybersecurity

The Federal Energy Regulatory Commission (“FERC”) published a notice of proposed rulemaking (“NOPR”) on October 6, 2022, to introduce rate-based incentives for cybersecurity improvements made by companies that deal in the transmission and sale of electric energy. Public comments about the NOPR are encouraged and should be submitted by the expiration of the comment period on November 7, 2022, using FERC’s electronic filing at

Under this initial proposal, FERC proposes incentives to utilities that invest in cybersecurity measures which enhance their security posture and measures which facilitate information sharing. To qualify, the utility’s expenditures must materially improve the utility’s cybersecurity defenses and not be already required by state law, federal law, or the North American Electric Reliability Corporation’s (“NERC’s”) CIP Reliability Standards. Utilities with qualifying investments may benefit from one of two potential incentives: the option to defer expenses and include any unamortized portion in their rates, or an additional incentive tacked on to a transmission company's return on equity, known as an "adder." The NOPR contemplates an adder of 200 basis points, or two percent.

The NOPR stems from the 2021 Infrastructure and Jobs Act, in which Congress directed FERC to encourage investments by public utilities in cybersecurity technology and information sharing programs. This is FERC’s first public iteration of the proposed program, though it tracks closely with a cybersecurity program FERC considered in December 2020, and is just the latest effort by the Commission to address growing cybersecurity concerns among utilities and municipalities. It comes after years of continued efforts to develop regulatory processes for cybersecurity investment and in a political environment where some FERC commissioners have expressed concern that cybersecurity investment should be mandatory.

Please reach out to a member of Michael Best’s Energy Practice or Technology, Privacy and Cybersecurity Practice if you have questions or are interested in our assistance with submitting comments about the NOPR.

The docket number for this rulemaking is RM22-19.

"It just takes one weak link in the whole system to potentially cause major, catastrophic damage from a reliability perspective."


energy, regulatory, privacy cybersecurity