Voglio sapere a riguardo di…

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
jbell on DSKJLSW7X2PROD with PROPOSALS

facilities, both the underlying investments and associated incentives must be allocated based on conventions of the rates e.g., the transmission share using a wages and salaries allocator for general plant in most transmission cost of service rates. With this limitation, we seek to ensure that the cybersecurity incentives policy adheres to the ratemaking principles of beneficiary pays and cost-causality by limiting a transmission customers share of incentive costs to the share of such investments that serve and is traditionally allocated to transmission.
We note that the Commissions rules and regulations in the Uniform System of Accounts 63 already require public utilities to maintain records supporting any entries to the regulatory asset account so that the utility can furnish full information as to the nature and amount of, and justification for, each regulatory asset recorded in the account.
Therefore, pursuant to our existing regulations, public utilities must maintain sufficient records to support the distinction of any expenses that are afforded incentivized treatment.64
2. Regulatory Asset Incentive 40. We propose to add 35.48c2 to the Commissions regulations to allow a public utility to seek deferred cost recovery pursuant to this NOPR. We believe that, in limited circumstances, it may be appropriate to allow a public utility to defer recovery of certain cybersecurity costs that are generally expensed as incurred, and treat them as regulatory assets, while also allowing such regulatory assets to be included in transmission rate base Regulatory Asset Incentive. Such expenses must be associated with the NERC CIP
Incentives Approach or the NIST
Framework Approach investments that receive Commission approval for ROE
incentives. Like the provision of ROE
incentives, discussed above, we propose that only expenses for activities that go above and beyond the CIP Reliability Standards, as discussed above, be eligible for incentives. Under this proposal, expenses that are mandatory, that a public utility incurs on a regular or ongoing basis, or that are incurred prior to the incentive request, would not be eligible for such regulatory asset treatment.
41. More specifically, to implement proposed 35.48c2 of the Commissions regulations, we propose to allow deferred cost recovery for three 63 See 18 CFR part 101, Account Definition Account 182.3, Other Regulatory Assets, paragraph D.
64 Id.

VerDate Sep<11>2014

16:29 Feb 04, 2021

Jkt 253001

categories of expenses: 1 Expenses associated with third-party provision of hardware, software, and computing networking services; 2 expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and 3 other implementation expenses, such as system assessments by third parties or internal system reviews and initial responses to findings of such assessments. In all such cases, eligible costs are limited to costs associated with implementing cybersecurity upgrades and do not include ongoing costs including system maintenance, surveillance, and other labor costs, either in the form of employee salaries or third-party service contracts.
42. Regarding the first category, certain cost categories, such as software, that companies traditionally purchased and could capitalize, are now often procured as services with periodic payments to vendors that is updated as needed. Therefore, to encourage investment in cybersecurity, we believe that it would be appropriate to allow public utilities to defer and amortize eligible costs that are typically recorded as expense that are associated with third party provision of hardware, software, and computing and networking services.
Pursuant to our existing regulations, public utilities must maintain sufficient records to support the distinction of any expenses that are afforded incentivized treatment.65
43. Regarding the second category, in response to the White Paper, many commenters stated that training is central to improving cybersecurity. We agree that such training is critical to successful implementation of cybersecurity enhancements. Therefore, we propose to allow public utilities to request the Regulatory Asset Incentive for training expenses associated with cybersecurity investments made pursuant to this rule. However, ongoing training expenses, which many organizations provide to employees regularly, would not be eligible because such training is an ongoing rather than implementation type of operating expense for the implementation we seek to incentivize. Pursuant to our existing regulations, public utilities must maintain sufficient records to support the distinction of any training expenses that are afforded incentivized treatment.66
44. Regarding the third category, we believe that there may be large one-time expenses associated with implementing cybersecurity upgrades. These may 65 Id.
66 Id.

PO 00000

Frm 00009

Fmt 4702

Sfmt 4702

8317

include unusually large internal system evaluations and assessments or analyses by third parties. These expenses may be large relative to the size of the capital investments associated with the cybersecurity upgrades and essential to their proper implementation. We propose that such expenses not include regularly scheduled activities that would occur irrespective of the cybersecurity upgrades. Pursuant to our existing regulations, public utilities must maintain sufficient records to support the distinction of any expenses that are afforded incentivized treatment.
45. Additionally, consistent with the proposal for the ROE incentive for eligible cybersecurity capital investments, only directly assigned transmission costs or the conventionally allocated i.e., using the wages and salaries allocator portion of enterprisewide expenses would be eligible the Regulatory Asset Incentive. Applicants would be required under proposed 35.48b to demonstrate that any enterprise-wide expenses for which they seek this treatment materially enhances the cybersecurity of the Bulk-Power System by enhancing the applicants cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers.
46. Finally, we propose in 35.48d2 that deferred regulatory assets whose costs are typically expensed should be amortized over a five-year period. We believe that this duration will allow incentive recipients a reasonable amount of time to earn a return on expenditures for which no return is normally allowed. Moreover, the proposed amortization period generally corresponds to the short lifespan and depreciation rates of cybersecurity investments.
3. Other Types of Incentives 47. In this NOPR, we are proposing to grant ROE and deferred cost recovery incentives. Nonetheless, we recognize that other incentives, such as construction work in progress, may be warranted to encourage investment in cybersecurity if adequately supported.
To maintain flexibility under this proposal for other types of incentives under these new regulations, we propose to add 35.48c3 to the Commissions regulations that provides the Commission additional flexibility to grant a public utility any other incentives, pursuant to the requirements of this section, that the Commission deems to be just and reasonable and not unduly discriminatory or preferential for investments undertaken pursuant to
E:FRFM05FEP1.SGM

05FEP1