Commissioner James Danly Statement
April 21, 2023
Docket No. RM22-19-000
I dissent from today’s Final Rule[1] because it is not in line with the Infrastructure Investment and Jobs Act (IIJA) directive to establish incentive-based rate treatments that “encourag[e]” “investments by public utilities in advanced cybersecurity technology” and “participation by public utilities in cybersecurity threat information sharing programs.”[2] Some have stated that Congress intended for the IIJA to “shore up cybersecurity” across the energy sector and other critical infrastructure.[3] The Final Rule provides cybersecurity incentives to select energy sector participants and only a few cybersecurity investments. This rule does not “shore up cybersecurity” of the bulk power system. At best, it is a tepid response to a clear Congressional mandate.
First, the Final Rule limits incentives and cost recovery to those public and non-public utilities “that have or will have a [cost-based] rate [tariff] on file with the Commission.”[4] Put differently, the Final Rule excludes public and non-public utilities that sell electricity at market-based rates. This exclusion is not narrow. In 2019, the Commission estimated that there were over 2,500 market-based rate sellers.[5]
Given the size of the population excluded, one would expect the IIJA to have directed such limitation. It does not. The statute directs the Commission to establish incentive-based rate treatments that “encourage” “public utilities” to make cybersecurity investments and participate in cybersecurity information sharing programs. It allows for single-issue rate filings and does not distinguish between those utilities with cost-of-service rates from those with market-based rates.
Nor does the broader context of the IIJA support such exclusion.[6] A reading of the IIJA’s cybersecurity provisions in their entirety make evident that Congress intended for agencies to immediately undertake a broad campaign to support cybersecurity investment in the energy sector. The IIJA directed the Commission to establish cybersecurity incentives within 1.5 years of its enactment.[7] Further, as noted by the Electric Power Supply Association (EPSA), “Congress specifically cites small or medium-sized public utilities with limited cybersecurity resources as being potentially eligible for additional incentives beyond those identified in the legislation, demonstrating the Congressional intent to fortify the entirety of the [Bulk Power System] to the greatest extent that is reasonably possible.”[8] The IIJA also directed the Secretary of Energy to “enhance[] grid security,”[9] “deploy advanced cybersecurity technologies for electric utility systems,”[10] and “increase the participation of eligible entities in cybersecurity threat information sharing programs.”[11] Simply put, excluding 2,500 market-based rate sellers from cybersecurity incentives and cost recovery is not in line with Congressional intent. It should also not go unnoticed that the majority fails to include the provisions from the IIJA in its revised regulations regarding additional incentives for certain utilities, including defense critical electric infrastructure and small and medium utilities,[12] without any explanation although there really can be none.
What Congress intended is of no consequence to the majority. On top of failing to respond meaningfully to EPSA’s argument regarding Congressional intent (an Administrative Procedure Act violation),[13] my colleagues declare (without citing to any provision in the IIJA) that “utilities that make sales of energy, capacity, or ancillary services at market-based rates should [not] be able to continue to make those sales and also separately recover the costs of, and receive incentive-based rate treatment on, eligible cybersecurity investments.”[14] Then the majority goes on to claim that the “final rule meets the requirements of [the IIJA]” because “[a]ll sellers of energy, capacity, and ancillary services are free to file cost-of-service rates under FPA section 205 . . . to recover their entire cost of service” and “proceed to make sales exclusively under that cost-based rate.”[15] In other words, the Commission has fulfilled the Congressional mandate because 2,500 market-based rate sellers can always abandon their market-based rate authority and make filings to transact only at cost-based rates.
That reasoning is untenable. The IIJA intended agencies to adopt policies and rules that would induce swift and efficient investments in cybersecurity by the entire energy sector—it was not designed to undermine competitive markets. Moreover, the majority’s interpretation effectively voids the IIJA’s directive that “[t]he Commission shall permit public utilities to apply for incentive-based rate treatment under a rule issued under this section on a single-issue basis by submitting to the Commission a tariff schedule under [FPA] section [205[16]] . . . that permits recovery of costs and incentives over the depreciable life of the applicable assets, without regard to changes in receipts or other costs of the public utility.”[17]
Public utilities submit revisions both to market-based rate tariffs and cost-based rate tariffs under FPA section 205. While the proposed rule stated that utilities must file to recover costs and incentives in accordance with FPA section 205 and identified certain filing requirements as to utilities with formula rates and stated rates,[18] at no time did the Commission suggest that entities currently making sales of energy, capacity and ancillary services under market-based rate tariffs must make a filing to recover their entire cost of service, including costs of and an incentive return on, cybersecurity investments and proceed to make sales exclusively under that cost-based rate, as set forth in the final rule. The final rule is not a “logical outgrowth”[19] of the proposed rule, and its sharp departure from the proposed rule violates that the Administrative Procedure Act (APA) requirement that agencies engaged in a rulemaking must provide interested parties adequate notice and opportunity to comment on a proposed rule.[20] It also is nonsensical. Even under the construct today, a generation utility may have both a market-based rate tariff under which it sells energy, capacity and ancillary services and a cost-based rate tariff under which it recovers a reactive power revenue requirement. There is no requirement that such generation utility abandon its market-based rate tariff to recover its cost-based rates. Because the proposed rule failed to provide adequate notice to the public of any change as to market-based rate sellers, this violation of the APA is an obvious legal error.
Second, the Final Rule unilaterally imposes the heightened requirement that each “cybersecurity investment[s] [must] . . . materially improve cybersecurity through either an investment in Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program.”[21] The IIJA includes no such materiality requirement. Congress directed the Commission to “encourage[]—(1) investments by public utilities in advanced cybersecurity technology; and (2) participation by public utilities in cybersecurity threat information sharing programs.”[22]
The IIJA already limits what qualifies as “advanced cybersecurity technology” to “any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat.”[23] The ordinary meaning of “enhance” is “to improve the quality, amount, or strength of something.”[24] It is not to “materially improve the quality, amount or strength of something.”
While the IIJA does not explicitly define “cybersecurity threat information sharing program,”[25] it can be inferred that the statute requires (1) that there is a “program,” (2) that “information [is] shar[ed],” and (3) that information relates to “cybersecurity.” The statute cannot be read as inferring a requirement that the utility’s participation must “materially improve” the security posture of that utility. The additional requirements in the Final Rule that the information be “relevant and actionable” and program be “sponsored by the federal or state government” are arbitrary and subjective and also is not in line with the IIJA.[26] Congress knows how to say “materially improve,” and in fact, did so elsewhere in the IIJA,[27] but did not do so to limit the cybersecurity investments eligible for an incentive.
To make matters worse, the majority provides no meaningful objective criteria for satisfying its materiality requirement. While the Final Rule lists specific sources that the Commission will “consider” in its determination,[28] even when parties demonstrate that an investment meets the requisite number of sources the Commission finds that it does not “have a high degree of confidence that such item[] will likely materially improve cybersecurity.”[29] What could be more arbitrary than a “standard” based upon how confident an agency feels?
Third, the majority eliminates the 200-basis point ROE Adder incentive because “[cybersecurity] expenses . . . constitute a large portion of overall expenditures for many cybersecurity investments” and “the Cybersecurity Regulatory Asset Incentive alone provides the encouragement that Congress intended without unduly increasing costs on consumers.”[30] I disagree. Like Chairman Phillips, then Commissioner, stated in his concurrence to the NOPR:
I believe the 5-year proposed duration and the 200-basis point adder are adequate to properly incent utilities. Unlike expenses in the traditional transmission incentives context, the dollar amounts in cybersecurity investments are typically small. Yet, the benefits of additional, advanced cybersecurity investments cannot be ignored. Offering anything less than what is proposed would likely be insufficient to incent any action by utilities, as required by Congress.[31]
Moreover, Congress required the Commission to establish a rule to provide incentives to investments in “any technology, operational capability, or service”[32] not just “many cybersecurity investments.”[33]
Finally, Congress did not require the Commission to simply “consider performance-based rates as an option among incentive ratemaking treatments”[34] as the majority contends. The statutory text states that “the Commission shall establish, by rule, incentive-based, including performance-based, rate treatments.”[35] There is no ambiguity here that could allow for, or support, the majority’s “interpretation.”
The word “consider[],” while used elsewhere in FPA section 219A,[36] is absent from that provision. And the majority should not place too much weight on Order No. 679, which interpreted a provision in FPA section 219 similarly.[37] The Commission’s interpretation in Order No. 679 was arguably not in accordance with law and was never upheld by a court on appeal. My colleagues cannot rewrite a Congressional mandate because they believe that the statute is “difficult” to implement.[38]
Nor is compliance with this provision as “difficult” as the majority claims. The Commission could comply simply by establishing a rule that entities can propose on a case-by-case basis a performance-based rate treatment that would measure and tie the rate treatment to the number and severity of cybersecurity incidents. No more is required on the Commission’s part.
Congress has made it clear that the Commission must provide incentives to shore up the security of the bulk power system. President Biden has “urge[d] our private sector partners to harden [their] cyber defenses immediately.”[39] Former President Trump issued an Executive Order declaring that “[i]t is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure.”[40] Former President Obama warned that cybersecurity threats are “the most serious economic and national security challenge[] we face as a nation” and “America’s economic prosperity . . . will depend on cybersecurity.”[41] Similarly, last fall in his concurrence to the Cybersecurity Incentives NOPR, Chairman Phillips, then Commissioner, stated, “the nation’s security and economic well-being depends on reliable and cyber-resilient energy infrastructure.”[42] Instead of following Congress’ instructions, and taking this reliability threat seriously, the majority passes up the opportunity to harden the cybersecurity defenses of the nation’s critical energy infrastructure.
For these reasons, I respectfully dissent.
[1] Incentives for Advanced Cybersecurity Investment, 183 FERC ¶ 61,033 (2023) (Final Rule).
[2] Pub. L. No. 117-58, § 40123(c), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(c)).
[3] See, e.g., Senate Committee on Energy & Natural Resources, Chairman Manchin Opening Remarks, at 6 (Mar. 23, 2023), https://www.energy.senate.gov/services/files/3D1ABB79-6CBF-4786-872A-E708A87CB6AB (“We took action last Congress by providing $1.9 billion in the Infrastructure Investment and Jobs Act to shore up cybersecurity across the transportation, energy, and water sectors by supporting utilities and state and local governments. I am immensely proud of this work.”).
[4] Final Rule, 183 FERC ¶ 61,033 at P 23 (citation omitted).
[5] Data Collection for Analytics & Surveillance & Market-Based Rate Purposes, Order No. 860, 168 FERC ¶ 61,039, at P 324 (2019).
[6] See McCarthy v. Bronson, 500 U.S. 136, 139 (1991) (“[S]tatutory language must always be read in its proper context.”); Crandon v. U.S., 494 U.S. 152, 158 (1990) (“In determining the meaning of the statute, we look not only to the particular statutory language, but to the design of the statute as a whole and to its object and policy.”) (citations omitted).
[7] Pub. L. No. 117-58, § 40123(b)-(c), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(b)-(c)) (requiring the Commission to conduct a study to identify incentive-based rate treatments within 180 days after the enactment of the section and establish a rule for incentive-based rate treatment within one year thereafter).
[8] EPSA, November 7, 2022 Comments, at 6 (Accession No. 20221107-5130) (emphasis in original) (EPSA Comments). The IIJA also authorized the Commission to provide “additional incentives” if that “investment in advanced cybersecurity technology or information sharing program costs will reduce cybersecurity risks to . . . defense critical electric infrastructure.” Pub. L. No. 117-58, § 40123(d), 135 Stat. 429, 952 (codified at 16 U.S.C. § 824s-1(d)).
[9] Id., § 40121, 135 Stat. 429, 949 (emphasis added).
[10] Id., § 40124(c), 135 Stat. 429, 954 (emphasis added).
[11] Id. (emphasis added).
[12] See id., § 40123(d), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(d))
[13] See TransCanada Power Mktg. Ltd. v. FERC, 811 F.3d 1, 12 (D.C. Cir. 2015) (“It is well established that the Commission must ‘respond meaningfully to the arguments raised before it.”’) (quoting Pub. Serv. Comm’n v. FERC, 397 F.3d 1004, 1008 (D.C. Cir. 2005)).
[14] Final Rule, 183 FERC ¶ 61,033 at P 26.
[15] Id. (citation omitted).
[16] 16 U.S.C. § 824d.
[17] Pub. L. No. 117-58, § 40123(f), 135 Stat. 429, 953 (codified 16 U.S.C. § 824s-1(f)) (emphasis added).
[18] See Incentives for Advanced Cybersecurity Investment, 180 FERC ¶ 61,189, at P 2 (2022) (citation omitted) (Cybersecurity Incentives NOPR); id. PP 24, 50-51; see also id. P 51 (“In order to effectuate an incentive in rates, utilities would need to propose in their FPA section 205 filing conforming revisions to their formula rates, as appropriate, to reflect incentive rate treatment granted pursuant to these proposed regulations.”) (emphasis added); id. P 51 n.47 (“Utilities with stated rates may file under FPA section 205 to seek incentives as part of a larger rate case or make a request for single issue ratemaking, which the Commission will evaluate on a case-by-case basis to ensure that the rate, inclusive of the incentive, is just and reasonable.”).
[19] See, e.g., Am. Fed. Of Labor & Congress of Indus. Org. v. Donovan, 757 F.2d 330, 339 (D.C. Cir. 1985) (“the modification cannot reasonably be seen as the ‘logical outgrowth’ of a proposal that gave no indication of any change at all in this respect.”); Shell Oil Co. v. EPA, 950 F.2d 741, 751 (D.C. Cir. 1991) (“Even if the mixture and derived-from rules had been widely anticipated, comments by members of the public would not in themselves constitute adequate notice. Under the standards of the APA, ‘notice necessarily must come—if at all—from the Agency.’”) (citations omitted); id. (“Moreover, while a comment may evidence a recognition of a problem, it can tell us nothing of how, or even whether, the agency will choose to address it.”).
[20] See 5 U.S.C. § 553.
[21] Final Rule, 183 FERC ¶ 61,033 at P 28.
[22] Pub. L. No. 117-58, § 40123(c)(2), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(c)(2)).
[23] Id., § 40123(a), 135 Stat. 429, 951-52 (codified 16 U.S.C. § 824s-1(a)).
[24] Cambridge Dictionary, https://dictionary.cambridge.org/us/dictionary/english/enhance (defining “enhance”).
[25] Pub. L. No. 117-58, § 40123(c), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(c)).
[26] Final Rule, 183 FERC ¶ 61,033 at P 42.
[27] See Pub. L. No. 117-58, § 22420(a), 135 Stat. 429, 749 (“The Administrator of the Federal Railroad Administration shall conduct a study of the potential installation and use in new passenger rail rolling stock of passenger rail vehicle occupant protection systems that could materially improve passenger safety.”). C.f. Cent. Bank of Denver v. First Interstate Bank, 511 U.S. 164, 176-77 (1994) (“Congress knew how to impose aiding and abetting liability when it chose to do so.”) (citation omitted).
[28] Final Rule, 183 FERC ¶ 61,033 at P 40 (“Considering these sources as part of a Commission determination of whether a particular cybersecurity investment would materially improve cybersecurity”); id. P 109 (“the Commission will consider evidence”).
[29] Id. P 90.
[30] Id. P 134 (“We decline to adopt an ROE incentive adder, as proposed in the NOPR.”).
[31] Cybersecurity Incentives NOPR, 180 FERC ¶ 61,189 (Phillips, Comm’r, concurring, at P 7) (citations omitted).
[32] Pub. L. No. 117-58, § 40123(a), 135 Stat. 429, 951 (codified 16 U.S.C. § 824s-1(a)) (emphasis added).
[33] Final Rule, 183 FERC ¶ 61,033 at P 134.
[34] Id. P 159.
[35] Pub. L. No. 117-58, § 40123(c), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(c)) (emphasis added).
[36] Id., § 40123(d), 135 Stat. 429, 952 (codified 16 U.S.C. § 824s-1(d)) (i.e., factors for consideration).
[37] See Final Rule, 183 FERC ¶ 61,033 at P 159 (citing Promoting Transmission Investment through Pricing Reform, Order No. 679, 116 FERC ¶ 61,057, at P 270 (2006)).
[38] Id. P 160.
[39] Statement by President Biden on Our Nation’s Cybersecurity, The White House (Mar. 21, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity; see also Cybersecurity Incentives NOPR, 180 FERC ¶ 61,189 (Phillips, Comm’r, concurring at P 8 n.17) (quoting Statement by President Biden on Our Nation’s Cybersecurity).
[40] Exec. Order No. 13800, 82 Fed. Reg. 22391, § 2 (May 11, 2017).
[41] Remarks by the President on Securing Our Nation’s Cyber Infrastructure, The White House (May 29, 2009), https://obamawhitehouse.archives.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure#:~:text=In%20short%2C%20America%27s%20economic%20prosperity%20in%20the%2021st,them%20for%20public%20transportation%20and%20air%20traffic%20control.
[42] Cybersecurity Incentives NOPR, 180 FERC ¶ 61,189 (Phillips, Comm’r, concurring at P 1).