At its December open meeting, FERC
proposed to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility. If approved, the regulations would provide incentives for utilities to invest in cybersecurity improvements above and beyond existing mandatory requirements, provided the investments are related to the jurisdictional transmission or sale of electric energy. Traditionally FERC has worked to enhance the cybersecurity of the bulk-power system by directing the development and expansion of mandatory NERC Critical Infrastructure Protection (CIP) reliability standards. The proposed rules here would be quietly revolutionary by offering the “carrot” of financial incentives for cybersecurity enhancements, rather than relying exclusively on the “stick” of monetary sanctions that result from violations of mandatory requirements.