FR 2021-01986

Overview

Title

Cybersecurity Incentives

Agencies

ELI5 AI

The government wants to give extra money to energy companies if they choose to make their computers and systems safer from bad guys who might try to mess with them. They're still figuring out the best way to do this so it’s fair and makes the system strong and safe for everyone.

Summary AI

The Federal Energy Regulatory Commission (FERC) has proposed new rules to encourage public utilities to invest in cybersecurity measures beyond what is currently required. These rules offer financial incentives like an increased rate of return and deferred cost recovery for utilities that enhance their cybersecurity infrastructure. The aim is to protect the Bulk-Power System against growing cyber threats by using established standards and frameworks like the Critical Infrastructure Protection Reliability Standards and the NIST Framework. Comments on this proposed rule are invited to ensure a wide range of insights, with a deadline for submissions set for April 6, 2021, and replies by May 6, 2021.

Abstract

The Commission is proposing to revise its regulations to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility for or in connection with the transmission or sale of electric energy subject to the jurisdiction of the Commission, and rates or practices affecting or pertaining to such rates for the purpose of ensuring the reliability of the Bulk-Power System.

Citation: 86 FR 8309
Document #: 2021-01986
Date:
Volume: 86
Pages: 8309-8325

Analysis AI

The Federal Energy Regulatory Commission (FERC) has proposed new regulations aimed at bolstering the cybersecurity defenses of public utility companies, particularly those involved in the transmission or sale of electric energy. This initiative is in response to the growing cyber threats that the energy sector faces, and it seeks to provide financial incentives for utilities that voluntarily enhance their cybersecurity measures beyond the basic requirements.

Document Overview

FERC's proposal introduces incentive-based rate treatments intended to encourage public utilities to make substantial voluntary cybersecurity investments. These include increasing the rate of return on equity (ROE) by 200 basis points and allowing for deferred cost recovery. Eligible investments are those that "materially enhance" the cybersecurity posture of the utility, going beyond the standards set by the Critical Infrastructure Protection (CIP) Reliability Standards or the National Institute of Standards and Technology (NIST) Framework.

Significant Issues

The proposal raises several concerns. One is the lack of detailed criteria for the ROE adders, which could result in uneven financial benefits across utilities. The terms for eligible spending categories, such as "other transition expenses," are quite broad and might lead to misuse. This vagueness could allow incentives to be allocated to unclear or non-essential expenses.

Additionally, the voluntary nature of the incentive might inadvertently benefit larger utilities over smaller entities. Larger companies may have more resources to invest and thus could receive disproportionate benefits, widening the gap between large and small utilities. Furthermore, the complex language of the document could hinder broader public engagement and understanding, potentially limiting effective feedback during the comment period.

Public and Stakeholder Impact

For the public, this rule could lead to increased reliability and security of the electric grid, mitigating public service disruptions due to cyber incidents. However, if financial incentives lead to increased utility costs, there could be an indirect impact on consumer electricity rates.

Specific stakeholders, such as smaller utility companies, could find these regulations challenging. While the incentives aim to encourage investment, smaller utilities might struggle to implement qualifying cybersecurity upgrades due to financial constraints. In contrast, larger utilities could more readily take advantage of the financial incentives, thereby ensuring more robust cybersecurity measures.

Finally, there are concerns surrounding the effectiveness of this incentive-based approach compared to traditional regulatory mandates. Some argue that regulatory mandates could ensure more consistent cybersecurity measures across the board, rather than relying on financial incentives to encourage voluntary participation.

The proposed rule has opened a critical dialogue on how best to enhance the cybersecurity infrastructure within the energy sector. As FERC invites comments on the proposed regulation, it aims to refine these provisions to address public concerns and develop a more secure and reliable Bulk-Power System.

Financial Assessment

The document regarding cybersecurity incentives by the Federal Energy Regulatory Commission (FERC) primarily revolves around the financial aspects of incentivizing public utilities to enhance their cybersecurity measures voluntarily. This commentary will focus on summarizing the financial allocations and discussing their potential implications, as highlighted in the issues noted with the proposal.

Summary of Financial References

The proposal outlines a system of financial incentives designed to encourage public utilities to invest in cybersecurity measures that exceed the current mandatory requirements. Among these incentives are proposed increases in the rate of return on equity (ROE) of 200 basis points for eligible cybersecurity investments. This particular incentive is positioned as a means to encourage proactive investment by public utilities, theoretically enhancing their cybersecurity posture significantly beyond baseline standards.

Additionally, public utilities are presented with the opportunity to recover certain costs typically treated as expenses through deferred cost recovery. These include costs associated with third-party services such as hardware, software, and networking solutions, as well as training expenses for the implementation of cybersecurity enhancements.

However, these incentives are not without costs. Each filer is estimated to incur additional annual costs of $6,640, culminating in a potential range from $0 to $132,800 per entity annually, depending on various factors. The hourly rate for these assessments is calculated at $83.00, equating to an annual rate of $172,329.

Relation to Identified Issues

The financial incentives and their allocation present several concerns. Firstly, the language suggesting rate increases via ROE adders potentially signifies substantial financial benefits to certain public utilities without explicit criteria. This can lead to disproportionate benefits favoring larger entities over smaller ones, exacerbating existing financial inequities within the industry. Smaller entities might lack the resources to implement qualifying cybersecurity measures compared to their larger counterparts, inadvertently prioritizing wealthier organizations.

Further, the proposal's reference to broad spending categories, such as "other transition expenses," lacks clarity, which can lead to misuse or misallocation of funds. Adequate management and oversight mechanisms are essential to ensure these allocations are used effectively and ethically, and the current ones may be inadequate given the broad definitions and coverage.

Moreover, in evaluating whether cybersecurity postures have been "materially enhanced," the lack of specific benchmarks could result in inconsistent interpretations, thus affecting the equitable distribution of financial incentives.

The proposal's emphasis on voluntary participation raises questions highlighted by concurring commissioners regarding its effectiveness compared to traditional regulatory mandates. This signifies a lack of consensus on whether financial incentives are the optimal approach to addressing these critical cybersecurity challenges.

Overall, while the proposal intends to bolster cybersecurity through financial incentives, it must address these concerns about equity, clarity, and effectiveness in implementing and managing these financial resources.

Issues

  • The language regarding the potential for ROE adders seems to suggest significant financial incentives without clear criteria, which might lead to disproportionate financial benefit to some public utilities.

  • Spending categories like 'other transition expenses' are vaguely defined, which could potentially lead to misuse or wasteful spending.

  • The opportunity for public utilities to receive incentives for voluntary cybersecurity upgrades could unintentionally prioritize benefits to larger, more financially capable organizations, potentially disadvantaging smaller entities.

  • The proposed regulation details various types of eligible costs for incentives but lacks detailed examples or scenarios, making it difficult to assess how these rules would apply in practice.

  • The confidentiality and competitive sensitivity considerations seem well-intended but might not be sufficient to prevent misuse of the incentive requests process.

  • The complex and technical language used throughout the document may not be easily understood by all stakeholders, potentially hindering effective engagement and feedback.

  • The criteria for 'materially enhancing the cybersecurity posture' lack specific measures or benchmarks, which could lead to inconsistent application or interpretation.

  • Concerns about whether the incentive approach may be more or less effective than traditional regulatory mandates were noted by the concurring commissioners, suggesting a lack of consensus.

Statistics

Size

Pages: 17
Words: 20,609
Sentences: 702
Entities: 1,472

Language

Nouns: 6,915
Verbs: 1,885
Adjectives: 1,313
Adverbs: 480
Numbers: 913

Complexity

Average Token Length: 5.61
Average Sentence Length: 29.36
Token Entropy: 6.11
Readability (ARI): 23.45

Reading Time

about 83 minutes