Understanding FERC's Incentives for Advanced Cybersecurity Investment

As cyberattacks on the electric grid continue to increase, electric utilities and regulators are more aware than ever of the importance of robust cybersecurity. One notable example is Federal Energy Regulatory Commission (FERC) Order No. 893, initiated under a directive in the Infrastructure Investment and Jobs Act (IIJA) of 2021. Under this order, FERC introduced new incentives to encourage utilities to take proactive measures to strengthen their cybersecurity infrastructure. These incentives are available now to electric utilities.


What Are FERC’s Cybersecurity Incentives?

FERC’s cybersecurity incentives offer financial support to utilities that invest in cybersecurity measures beyond current regulatory requirements. Designed to address evolving cyberthreats, these incentives are part of FERC’s efforts to bolster the security of the electric grid. The program enables utilities to categorize eligible cybersecurity expenditures as regulatory assets, allowing for deferred cost recovery, which can ultimately be factored into the rate base for a return on investment.

The aim is to incentivize investing in advanced cybersecurity technology, operational capabilities and practices, making it more feasible for utilities to address cyberrisks before new regulations mandate these improvements.

Types of Incentives Available

There are two types of incentives available:

  • Regulatory asset incentive. Utilities can defer certain cybersecurity expenses over a period of up to five years. This incentive allows for costs associated with cybersecurity improvements — such as monitoring systems, training and software licenses — to be added to the rate base, providing a mechanism for cost recovery. The asset incentive is focused on expenditures that are voluntary, meaning they go beyond mandatory standards such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) requirements.
  • Prequalified list (PQ List) investments. FERC has established a PQ List that includes cybersecurity measures preapproved for incentive treatment. Items like participation in the Cybersecurity Risk Information Sharing Program (CRISP) and specific network monitoring tools fall under this list. Investing in these areas offers utilities a faster path to approval, as expenditures on this list are presumed to meet FERC’s eligibility criteria. For cybersecurity improvements not covered by the PQ List, utilities can apply on a case-by-case basis, though they will need to demonstrate that these investments meet FERC’s standards for enhancing cybersecurity.

Who Can Apply?

Both public and nonpublic utilities with a cost-of-service rate on file at FERC are eligible to apply for these incentives. This broad eligibility opens options for a range of utilities that might face unique cybersecurity challenges and want to strengthen their systems with the support of regulatory incentives.

The program is designed to support voluntary investments, so any cybersecurity improvement already mandated by NERC standards, federal laws or other requirements would not qualify for these incentives. This structure encourages utilities to make additional cybersecurity investments that enhance overall security readiness without waiting for new regulations to compel them.

How to Qualify

  • Assess eligible investments. Evaluate cybersecurity improvements within your organization and determine if any align with FERC’s eligibility criteria. Investments that materially improve cybersecurity, such as new monitoring technologies or OT-specific protections, are strong candidates. Eligible investments include costs associated with labor, operation and maintenance expenses, network monitoring, implementation, and training, whether performed internally or by a third party.
  • Check the PQ List. Review FERC’s PQ List for prequalified expenditures. This list simplifies the approval process for certain cybersecurity investments, particularly in areas like network security and threat information sharing.
  • Consider case-by-case applications. If an investment isn’t on the PQ List, utilities still have options. By submitting a case-by-case application, a utility can seek incentive treatment for other cybersecurity improvements that may align with the unique needs of its organization.

Financial and Operational Benefits of Participation

The regulatory asset incentive represents a financial opportunity for utilities to recover the costs associated with increasingly needed cybersecurity upgrades. By categorizing these expenses under regulatory assets, utilities can defer them over several years, adding them to the rate base and potentially improving cash flow and ROI on cybersecurity investments.

For many utilities, cybersecurity can be a significant but necessary expense. FERC’s incentive program opens the door to cost-effective, proactive cybersecurity improvements, which help to protect not only the utilities themselves but also the larger infrastructure that depends on a secure and resilient power grid.

Utilities face significant challenges when it comes to operationalizing advanced cybersecurity technologies, particularly in operational technology (OT) environments. A persistent skills gap in OT cybersecurity has made it difficult to recruit and retain the specialized talent needed to implement, monitor and manage these tools effectively. As a result, many utilities are left with understaffed teams, struggling to extract value from their cybersecurity investments. This has also led to tool sprawl, where an overabundance of cybersecurity tools accumulates without proper integration or management, further straining resources.

Recognizing these challenges, FERC’s ruling under Order No. 893 offers a pivotal solution. By extending financial incentives to cover not only advanced technologies but also critical operations and maintenance expenses, including managed services, the ruling enables utilities to adopt a more sustainable and impactful approach to strengthening cybersecurity posture.

Now Is the Time to Act

FERC’s cybersecurity incentives present a new and timely opportunity for utilities to make meaningful cybersecurity investments while managing costs. By leveraging these incentives, utilities can achieve proactive improvements, preparing their infrastructure against cyberthreats with financial backing. Utilities interested in exploring these incentives further should consider consulting with skilled and experienced industry professionals to make the most of the program and align cybersecurity investments with FERC’s strategic vision.


Authors

Ben Frerichs

Senior Managing Director

Hannah Morrey Brown

Senior Consultant Energy Policy