PUBLIC SERVICE ENTERPRISE GROUP INC - (PEG)
10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
In an effort to reduce the likelihood and severity of cybersecurity incidents, we have established a comprehensive cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of our technology systems and our business operations more broadly. For a discussion of the risks associated with cybersecurity threats, see Item 1A. Risk Factors.
Risk Management and Strategy
Our processes for assessing, identifying, and managing material risks from cybersecurity threats include the following:
•Ongoing Assessment—The Cybersecurity Risk and Compliance department, led by the Managing Director, Chief Information Security Officer (CISO), and reporting to the SVP, Chief Information and Digital Officer (CIDO), is staffed with cyber professionals tasked with the day-to-day responsibility of assessing material risks from cybersecurity threats. In addition, the Cybersecurity Council, comprised of senior management, is kept apprised of the state of PSEG’s cybersecurity program, including any emerging risks, and provides guidance on the strategic direction of the program.
•Engagement of Third Parties—We engage third parties, such as security service providers, risk management firms and external legal counsels to assess material risks from cybersecurity threats and report on our internal incident response preparedness and cyber posture, support incident response, conduct tabletop exercises, and comply with applicable laws and regulations. We also carry cybersecurity insurance that provides certain protection against losses from a cybersecurity incident. Regulatory agencies, including but not limited to the NRC and Transportation Security Administration, as well as NERC, inspect applicable components of our cybersecurity program.
•Third-Party Service Provider Management—We maintain processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. This includes a risk-based vendor management program, which incorporates robust security contractual provisions, vendor security assessments and, if appropriate, periodic audits.
•Technical Safeguards—We manage controls to protect our network perimeter, internal IT and Operational Technology (OT) environments, such as internal and external firewalls, network intrusion detection and prevention, penetration testing, vulnerability assessments, threat intelligence, anti-malware and access controls.
•Training and Awareness—We provide mandatory annual cybersecurity training for all personnel with network access, as well as additional education for personnel with access to industrial control systems or customer information systems; and conduct phishing exercises with progressive consequences for failures. Employees also receive periodic cybersecurity awareness messages and each October, in recognition of Cybersecurity Awareness Month, are invited to presentations throughout the month from internal and external cyber experts covering diverse cyber topics. These efforts better enable all employees to identify potential cybersecurity risks and escalate them appropriately.
•Incident Response Plans—We maintain and periodically update a cyber incident response plan that addresses the life cycle of a cybersecurity incident from a technical perspective (i.e., detection, response, and recovery), as well as a data breach response plan (with a focus on external communication/disclosure and legal compliance); and conduct regular tabletop exercises to test plan effectiveness (both internally and through external exercises).
•Mobile Security—We maintain controls to prevent loss of data through mobile device channels.
•Physical Security—We also maintain physical security measures to protect our OT systems, consistent with a defense-in-depth and risk-tiered approach. Such physical security measures may include access control systems, video surveillance, around-the-clock command center monitoring, and physical barriers (such as fencing, walls, and bollards). Additional features of PSEG’s physical security program include threat intelligence, insider threat mitigation, background checks, a threat level advisory system, a business interruption management model, and active coordination with federal, state, and local law enforcement officials. See Item 1. Business. Regulatory Issues—Federal Regulation for a discussion of the Critical Infrastructure Protection standards that NERC has promulgated to mitigate risk associated with both the cybersecurity and the physical security of PSEG’s critical facilities.
These processes are integral to our overall risk management system and processes and inform the identification and assessment of risks and mitigations through our Enterprise Risk Management (ERM) program. The ERM team, led by the SVP – Audit, Enterprise, Risk and Compliance (AERC), considers cybersecurity risks alongside other PSEG risks, and facilitates discussion with PSEG subject matter experts to identify cybersecurity risks, evaluate their potential severity and likelihood, identify mitigations, including those identified above, and assess the impact of those mitigations on residual risk. In addition, PSEG maintains a Risk Management Committee (RMC), responsible for assessing exposure to risk and determining PSEG's overall risk management strategy, including with respect to cybersecurity. The RMC, supported by the ERM function, is chaired by the SVP – AERC and consists of members of senior management, including the CIDO and six other direct reports of the CEO. In discharging its responsibilities related to cybersecurity threats, the RMC has received presentations from the CISO. To date, there has been no material impact or reasonably likely material impact on our business strategy, results of operations or financial condition from these attacks or other cybersecurity incidents, including as a result of prior cybersecurity incidents.
Governance
–PSEG Board of Directors (Board) Oversight of Risks from Cybersecurity Threats:
•PSEG Board—The PSEG Board has ultimate responsibility for the oversight of risk management at PSEG, overseeing PSEG’s risk management program and reviewing the most significant risks facing PSEG, including cybersecurity risks. The Governance, Nominating and Sustainability Committee of the PSEG Board reviews key enterprise risks, including cybersecurity risks, and recommends to the Board the mapping of each risk to an appropriate committee or the full Board, in accordance with the allocation of risk categories reflected in the charter of each committee. Through this process, cybersecurity risk is mapped primarily to the Board’s Industrial Operations Committee (IOC), and also to the Audit Committee. In providing oversight of risks from cybersecurity threats, the Board is informed of cybersecurity incidents as appropriate, by way of updates from Senior Management, pursuant to PSEG’s Cybersecurity Event Escalation and Incident Response Practice, as administered by the CISO.
•IOC—At the PSEG Board level, the IOC holds the primary responsibility, as enumerated in its charter, of overseeing PSEG’s cybersecurity program and assessing overall compliance through active, independent and critical oversight. The IOC is informed about cybersecurity risks by the CIDO and/or the CISO, during the IOC’s four regularly scheduled meetings a year, which each include cybersecurity as a standing agenda item. Cybersecurity updates to the IOC include discussions on OT and IT cyber risk, a cybersecurity update from the CISO and/or CIDO, and review of a corporate cybersecurity scorecard and other performance indicators. The CIDO and CISO are regular attendees at IOC meetings. In addition, the IOC meets with the CISO in executive session at each meeting with no other members of management present, and has also met with the CIDO, to whom the CISO directly reports, in executive session with no other members of management present. To ensure the full Board is kept informed about the cybersecurity risks discussed at the IOC meetings, the cybersecurity materials provided to the IOC are available for full viewing by all members of the Board, members of the Board who are not IOC members have a courtesy invitation to each IOC meeting, and the Chair of the IOC provides a summary of IOC meetings to the full Board, typically the day after the meeting takes place.
•Audit Committee—The Audit Committee has the charter responsibility of overseeing cybersecurity risks related to financial reporting and internal controls. The Audit Committee receives a cybersecurity update twice a year from the CIDO, either with the full Board or the IOC in attendance. Audit Committee members have a courtesy invitation to all IOC meetings, have full access to IOC meeting materials, and receive the summary of IOC meetings from the IOC Chair noted above.
•Governance, Nominating and Sustainability Committee and Audit Committee—These committees are briefed at least annually on enterprise-level risks and emerging risks, including those related to cybersecurity, and receive regular updates on PSEG RMC activities, including those related to cybersecurity.
•Board of Directors, IOC, and Audit Committee—In providing oversight of risks from cybersecurity threats, the Board, IOC and Audit Committee are informed of cybersecurity risks by way of frequent reports on such topics as personnel and resources to monitor and address cybersecurity threats, technological advances in cybersecurity protection, rapidly evolving cybersecurity threats that may affect us and our industry, cybersecurity incident response and applicable cybersecurity laws, regulations and standards, as well as collaboration mechanisms with intelligence and enforcement agencies and industry groups to assure timely threat awareness and response coordination. In addition, risks associated with cybersecurity incidents, or potential incidents, are escalated by senior management promptly to the Board outside of regularly scheduled meetings, if appropriate.
–Management’s Role in Assessing and Managing Material Cybersecurity Risks:
The assessment and management of material risks from cyber threats is managed by the CIDO, CISO and Cybersecurity Council, as further described below.
•CIDO—The CIDO has had overall responsibility for PSEG’s cybersecurity since September 2022, including the assessment and management of material risks to PSEG from cybersecurity threats. The CIDO has served in that position since August 2020 and is a direct report of the CEO. The CIDO has over 25 years of energy experience, including leading technology compliance with cybersecurity regulations for nuclear, transmission, gas and corporate assets. Our CIDO’s experience includes leading the secure technology design, development, and deployment strategy for grid modernization efforts, including digital customer engagement platforms, advanced metering, enterprise asset management and distribution automation functionality.
As noted above, the CIDO provides cybersecurity updates to the Board or its Committees twice per year, regularly attends and provides updates with the CISO to the IOC, and has met with the IOC, without other members of management present, during the IOC executive sessions.
The CIDO remains informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through the CISO and other members of the cybersecurity, risk and compliance team, as appropriate, who are tasked with these responsibilities on a day-to-day basis.
•CISO—The CISO has day-to-day responsibility for PSEG’s cybersecurity, including the assessment and management of material risks to PSEG from cybersecurity threats, and leads the cybersecurity, risk and compliance team. The CISO has served in this role since September 2018. Our CISO has over 20 years of experience in IT security management and served as the director of information security and chief security architect in the insurance sector prior to joining PSEG. Our CISO has a bachelor’s degree in electrical engineering and holds multiple security certifications, including Certificate of Cloud Security Knowledge, Certified Information Systems Security Professional, Certified Information Systems Auditor, Information Systems Security Architecture Professional, and National Institute of Standards and Technology Cyber Security Professional Practitioner.
As noted above, the CISO provides cybersecurity updates during the four regularly scheduled IOC meetings and meets with the IOC, without other members of management present, during each meeting’s executive session. The CISO remains informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through the members of the CISO’s cybersecurity, risk and compliance team, who are tasked with these responsibilities on a day-to-day basis.
•Cybersecurity Council—The Cybersecurity Council, chaired by the CISO, ensures that senior management, and ultimately the Board, are given the information required to exercise proper oversight over cybersecurity risks and that escalation procedures are followed. The Cybersecurity Council meets at least six times annually to receive reports on the state of PSEG’s cybersecurity program, provide guidance on the strategic direction of the program, discuss emerging cybersecurity issues, and review the cybersecurity scorecard to measure performance against key risk indicators. The Cybersecurity Council receives presentations from the CISO, members of the Cybersecurity Risk and Compliance Team, cybersecurity managing counsel, and external cybersecurity experts, and participates in tabletop exercises led by external consultants. In addition to the CISO, the Cybersecurity Council members include the: (i) CIDO; (ii) EVP and General Counsel; (iii) EVP and CFO; (iv) President and COO of PSE&G; (v) President of PSEG Nuclear and Chief Nuclear Officer; (vi) SVP – Corporate Citizenship; (vii) SVP – Chief Human Resources and Diversity Officer; (viii) VP of Corporate Security and Properties; (ix) SVP – AERC; (x) Project Executive Advisor; and (xi) Vice President and Controller. PSEG’s Managing Counsel – Cybersecurity serves as counsel to the Cybersecurity Council.
In providing oversight of risks from cybersecurity threats, Senior Management is informed of cybersecurity risks by way of updates shared during Cybersecurity Council meetings, as well as through notifications or updates by the CISO, pursuant to PSEG’s Cybersecurity Event Escalation and Incident Response Practice.
For a discussion of regulatory requirements relating to cybersecurity matters, see Item 1. Business—Regulatory Issues.