• Policy and Regulations
  • Federal Government
  • FERC
  • SEC
  • Cybersecurity

Delays Ahead for Energy and Cybersecurity Regulations with End of Chevron Deference

Francesco Radicati
Jul 22, 2024

Columns of the US Supreme Court building

The US Supreme Court’s June 2024 decision in Loper Bright Enterprises vs Raimondo, Secretary of Commerce will affect all regulatory agencies under the federal executive branch, including those in charge of energy, environmental, and cybersecurity issues. While Federal Energy Regulatory Commission (FERC) authority over technical issues like tariffs, rates, or regional transmission organization rules will be less affected, the rules governing transmission planning may need to be revisited. The ruling will also affect cybersecurity rules, like the Securities Exchange Commission’s (SEC’s) 2023 requirement that companies report cybersecurity breaches within 4 days of determining materiality.

The Supreme Court decided that, contrary to the 1984 ruling in Chevron vs. Natural Resources Defense Council, courts hold the authority to interpret ambiguous language in regulations. The decision means that courts are now responsible for interpreting matters of law where regulatory agencies had previously been given deference in deciding on topics such as net neutrality or product safety.

FERC Expects Little Change to Its Rules for Now

FERC’s authority to issue rates and tariffs is generally based on deference not related to Chevron, and FERC is therefore expected to continue to receive deference from the courts. One notable exception is FERC’s Order No. 1000, which governs transmission planning, where the Chevron deference was applied to uphold the agency’s interpretation of the Federal Power Act. Subsequent orders based on Order 1000, notably Order 1920, on transmission planning and cost allocation, may therefore be subject to further litigation.

While these rules are unlikely to be struck down, the Supreme Court’s new standard is expected to let regulated bodies challenge agency rulemaking more easily, potentially leading to longer delays in implementation. The new standard should also push Congress to draft legislation that more clearly defines the competencies of agencies, which will slow down the regulatory process but should lead to more robust delineation of what agencies can and can’t regulate.

Industry May Find Itself Facing a Patchwork of Cybersecurity Regulations

Cybersecurity regulations will be particularly susceptible to judicial review following the Loper Bright decision. This is because cybersecurity is a highly technical field in which Congress typically doesn’t have the most cutting-edge knowledge, and also because it’s difficult for any single regulation to keep up with the pace of change in threats and the technology to counter those threats. Because legislation hasn’t kept up with the evolving cyber threat landscape, agencies have had to adapt older mandates to respond to newer forms of attacks.

As mentioned above, the SEC’s rules on disclosures for cybersecurity risk management, governance, and incident reporting may be subject to judicial review, given that the original Securities Act (1933) and Securities Exchange Act (1934) don’t mention cybersecurity. Similarly, the Cybersecurity Infrastructure and Security Agency’s rule requiring reporting from many entities in critical infrastructure sectors may need to be narrowed, given that the rule makes broad interpretations of the regulatory language in the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

Judicial review of these regulations in a variety of jurisdictions could lead to different interpretations in different circuits, forcing industry to deal with a patchwork of rules across the US. Any efforts to harmonize regulations will need explicit congressional authority, or regulators may have to encourage stronger industry self-regulation. Some companies may also allow their security practices to lapse in the absence of more explicit requirements.

Whatever the next steps, companies and industries seeking greater clarity on cybersecurity requirements may have to formulate those requirements themselves. Otherwise, they risk losing the confidence of their users in protecting their sensitive data, as the number of attacks is only expected to increase.