CMS ENERGY CORP - (CMS)
10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity
Enterprise Risk Management: CMS Energy and Consumers manage security risks, including cybersecurity risks, through a robust enterprise risk management program that includes people, processes, technology, and governance structures. The enterprise risk management program identifies risks that may significantly impact the business and informs the companies’ risk-mitigation strategies. The enterprise risk management program is reviewed with the Board at least annually.
Cybersecurity Program: CMS Energy’s and Consumers’ security function, led by the Executive Director of Security, is an integrated organization accountable for cyber and physical security and is subject to various state, federal, and industry cybersecurity, physical security, and privacy regulations. Their cybersecurity program is responsible for assessing, identifying, and managing risks from cybersecurity threats using industry frameworks, as well as best practices developed by government and industry partners. All employees and contractors are required to complete annual trainings on a variety of security-related topics. Additionally, the companies continuously upgrade technological investments designed to prevent, detect, and respond to attacks. The companies’ electric, natural gas, and corporate systems each follow standards, controls, and requirements designed to maintain compliance with applicable regulations and standards, such as MPSC, NERC critical infrastructure protection, and payment card industry regulations. Technology projects and third-party service providers are reviewed for adherence to cybersecurity requirements.
CMS Energy’s and Consumers’ cybersecurity program focuses on finding and remediating vulnerabilities in their systems. The companies use third-party firms for penetration testing, audits, and assessments, and conduct exercises to practice their response to simulated events. The companies also have a dedicated, proactive function focused fully on monitoring CMS Energy’s and Consumers’ systems and responding when issues occur. This includes regular information sharing with industry partners, peer utilities, and state and federal partners. The companies’ incident response plan outlines the individuals responsible, the methods employed, and the timeline for notifying state and federal governmental agencies. The companies retain a third-party cybersecurity firm to assist with potentially significant incidents and have invested in cybersecurity insurance to offset costs incurred from any such incidents. To manage cybersecurity risks associated with the companies’ use of third-party service providers, the companies incorporate security requirements into contracts, when deemed applicable, and pursue third-party security certifications for vendors with a higher risk profile.
CMS Energy and Consumers have experienced no material cybersecurity incidents; however, future cybersecurity incidents could materially affect their business strategy, results of operations, or financial condition. For additional details regarding these and other uncertainties, see Item 1A. Risk Factors.
Management’s Role: The Executive Director of Security has 25 years of information technology and security experience. To enhance governance, the Executive Director of Security reports to the Senior Vice President and Chief Customer Officer, who has extensive experience overseeing cybersecurity and has had executive oversight of the security function for nine years at CMS Energy and Consumers. Prior to joining CMS Energy, this officer served as Vice President of Business Technology at Pacific Gas & Electric Company, a non-affiliated company. The Executive Director of Security is responsible for informing the CEO and other members of senior management, as necessary, about cybersecurity incidents, covering prevention, detection, mitigation, and remediation efforts as they are detected by the Executive Director’s team. Cyber incidents are managed using the companies’ standard process for critical events. In the event of such incidents, the Executive Director of Security communicates and collaborates with the officers of the companies and subject matter experts to address business continuity, contingency, and recovery plans. Senior management will notify the Board, including the Audit Committee, of any significant cybersecurity incidents.
Board Oversight: As part of the Board’s risk oversight process, senior management meets with the Board or Audit Committee at least twice annually to provide updates on and discuss cybersecurity. Such updates include a review of the companies’ cybersecurity strategy, a scan of the threat landscape, and recent performance. Additionally, cybersecurity risks are included in the Audit Committee’s risk oversight functions, which focus on operating and financial activities that could impact the companies’ financial and other disclosure reporting. The Audit Committee’s oversight involves reviewing and approving policies on risk assessment, controls, and accounting risk exposure. The Audit Committee also reviews internal audit reports regarding cybersecurity processes, and receives updates that focus on CMS Energy’s and Consumers’ cybersecurity program, mitigation of cybersecurity risks, and assessments by third-party experts. Of note, two members of the Board have extensive industry experience in cybersecurity and are on CMS Energy’s and Consumers’ Audit Committee.