DTE ENERGY CO - (DTE)
10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
DTE Energy maintains cybersecurity measures designed to protect its physical and digital infrastructure in order to provide safe and reliable delivery of energy to customers. These measures serve to maintain compliance with regulations and protect the confidentiality, integrity and availability of confidential and proprietary information, DTE Energy’s computing resources, and the electrical and gas systems.
To protect against cybersecurity threats, DTE Energy employs a dedicated cybersecurity team led by the Chief Information Officer. The cybersecurity team is responsible for implementing proper safeguards to mitigate the risk of cyber threats, including but not limited to firewalls, continuous monitoring, and training. DTE Energy also engages with third parties to conduct cybersecurity maturity assessments to provide an independent and objective view of our cybersecurity and assess opportunities for improvement. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the basis for these assessments to manage cyber risks, mature and monitor existing security controls, and communicate security posture coherently. The NIST CSF provides a common language to understand, manage, and express cyber risks internally and externally.
Another component of DTE Energy’s cybersecurity team is the Cybersecurity Defense Center (CSDC), which has the primary responsibility for monitoring and responding to cybersecurity incidents. The CSDC maintains an incident response plan designed to protect against, detect, evaluate, respond to, and recover from a cyber incident. The CSDC may receive incident reports from DTE Energy employees, corporate security, or external sources. The incident response plan is intended to be flexible so it may be adapted to an array of potential scenarios. Depending on the incident, the CSDC may decide to engage external resources for assistance with responding to the incident. DTE Energy regularly conducts exercises to help ensure the plan’s effectiveness and overall preparedness.
DTE Energy engages third-party service providers to assist with managing various aspects of its business. These service providers are subject to due diligence reviews of their information security programs prior to onboarding. DTE Energy also contractually requires service providers with access to its information technology (IT) systems, sensitive business data, or personal information to implement and maintain appropriate security controls and restricts their ability to use such data for purposes other than to provide services to DTE Energy, except as required by law. Third-party service providers are also contractually required to notify DTE Energy promptly of cyber incidents that may affect any systems or data. DTE Energy collaborates with its service providers to help determine whether their information security protocols are sufficient and monitors their compliance with DTE Energy security requirements; however, DTE Energy may not have the ability in all cases to effectively oversee the implementation of these control measures.
The CSDC monitors and responds to actual and potential compromises from third-party service providers. Access from a potentially compromised third-party is restricted until DTE Energy receives confirmation the compromise has been mitigated.
As of December 31, 2023, cybersecurity risks have not materially affected the Registrants’ business strategy, results of operations, or financial condition.
Governance
DTE Energy has an enterprise risk management program to reduce overall risk, including risks related to cybersecurity, through comprehensive risk assessments and execution of corresponding mitigation plans. Risks are reported and managed through various internal committees, which meet regularly and report at least annually to the Board of Directors. These committees include:
• The Risk Management Committee (RMC) is chaired by the Chief Executive Officer and comprised of the Chief Financial Officer, Chief Legal Officer, General Auditor, and other senior officers. The RMC directs the development and maintenance of comprehensive risk management policies and procedures. The RMC also sets, reviews, and monitors risk limits for enterprise-level risk and other exposures.
• The Operational Risk and Resilience (ORR) Committee is chaired by the President and Chief Operating Officer and comprised of operational leaders in DTE Energy’s business units. The ORR is responsible for managing operational risks including safety, reliability, and cybersecurity at DTE Energy’s generation plants, substations, and other operating sites.
• The Technology Cybersecurity Committee (TCC) is a sub-committee of the ORR that focuses on information and operational technology risks related to cybersecurity. It is chaired by operational leaders in DTE Energy’s business units and includes the Chief Information Officer.
Members of the Board of Directors serve roles on various committees responsible for their respective oversight and risk management. The Audit Committee of the Board of Directors, comprised solely of independent directors, is responsible for reviewing DTE Energy’s cybersecurity risks, the results of any cybersecurity risk assessments and audits, and reports of investigations into significant events presented by DTE Energy’s IT department. The Audit Committee reports to the Board of Directors and may include any significant matters involving cybersecurity within its reporting. All members of the Board of Directors, including the Audit Committee, have either managerial knowledge or working knowledge of technology and cybersecurity matters.
DTE Energy’s Chief Information Officer leads the cybersecurity team and has responsibility for assessing and managing cybersecurity risks. The Chief Information Officer has held this position for over 10 years and has decades of experience in IT, including oversight of information protection security (IPS). The IPS cybersecurity team is also led by two full-time directors with over 40 combined years of industry experience, including (1) the director of cybersecurity operations responsible for the CSDC, identity and access assurance, and cloud security and (2) the IPS director of cybersecurity governance, risk, and compliance who is also responsible for engagement and outreach to internal and external stakeholders.
The Chief Information Officer provides regular updates to the Audit Committee and senior leaders regarding DTE Energy’s management of cyber risks, including but not limited to the status of various training metrics to safeguard against phishing, malware, and other cyber threats. The Chief Information Officer also provides an annual cybersecurity update directly to the Board of Directors. If cybersecurity risks arise, the CSDC executes the incident response plan and communicates the appropriate details to executive management, the Board of Directors, or any related committees.
A cybersecurity incident may also require various levels of external reporting. The CSDC coordinates with the legal department and controller’s organization in reporting incidents externally. Depending on the nature of the incident, reporting may be required to various federal and state government agencies. DTE Energy has forged trusted partnerships with such agencies and with other companies and organizations to share best practices, tools, and threat information. This includes partnering with others in the utilities industry to form the Electricity Subsector Coordination Council (ESCC). The ESCC is the principal liaison between the energy sector and the federal government in coordinating efforts to prepare for and respond to any threats to critical infrastructure.