Board Oversight of Cybersecurity
To reduce the likelihood and severity of cybersecurity incidents, we maintain a comprehensive cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of our technology systems and business operations.
The Board, IOC, Audit Committee and senior management receive reports on: personnel and resources to monitor and address cybersecurity threats; technological advances in cybersecurity protection; evolving cybersecurity threats that may affect us and our industry; cybersecurity incident response and applicable cybersecurity laws, regulations and standards; and collaboration with intelligence and enforcement agencies and industry groups to assure timely threat awareness and response coordination. Risks associated with potential or actual cybersecurity incidents are promptly escalated by senior management to the Board outside of regularly scheduled meetings, if and as appropriate. Our cybersecurity program focuses on:
Governance:
Board Oversight: The IOC holds primary responsibility for overseeing our cybersecurity program and assessing compliance through active, independent and critical oversight. Cybersecurity is a standing agenda item at each IOC meeting, which includes discussion about operational technology (OT) and information technology (IT) cyber risks, cybersecurity updates from the CISO and/or CIDO and reviews of the corporate cybersecurity scorecard and performance indicators. The IOC meets with the CISO in Executive Session.
Cybersecurity Council: Comprises members of senior management and meets at least six times annually to receive reports on the state of PSEG’s cybersecurity program, provide guidance on the strategic direction of the program, discuss emerging cybersecurity issues and review the cybersecurity scorecard to measure performance of key risk indicators. Ensures that senior management, and ultimately the Board, is given the information required to exercise proper oversight over cybersecurity risks and that escalation procedures are followed.
Management Responsibility: The CIDO has overall management responsibility for cybersecurity, including the assessment and management of material risks to the Company from cybersecurity threats.
Documentation: Documented corporate practices provide that potential or actual cybersecurity incidents, as delineated in those practices, must be escalated promptly to senior management.
Risk Management and Strategy:
Training and Awareness: Provides mandatory annual cybersecurity training to all personnel with network access and additional education to personnel with access to industrial control systems and/or customer information systems. Conducts phishing exercises with progressive consequences for failures. Shares periodic cybersecurity awareness messages and, in recognition of Cybersecurity Awareness Month, hosts presentations from cyber experts covering diverse cyber topics.
Technical Safeguards: Manages controls to protect our network perimeter, internal IT and OT environments, including internal and external firewalls, network intrusion detection and prevention controls, penetration testing, vulnerability assessments, threat intelligence, endpoint security and access controls.
Incident Response Plan: Maintains and periodically updates a cyber incident response plan that covers technical (i.e., detection, response and recovery) and collaborative (i.e., external communication/disclosure and legal compliance) aspects of cyber incident and breach response; and conducts tabletop exercises to test plan effectiveness (both internally and through external exercises).
Mobile Security: Maintains controls to prevent loss of data through mobile devices.
Artificial Intelligence (AI) Security: Maintains AI governance, including policies and a council; incorporates AI into Nth Party Risk Assessment process; implements technical controls enabling efficient AI use; and combats sophisticated threats that make use of AI.
Ongoing Assessment: Acts on daily assessments by cyber professionals of material risks from cybersecurity threats.
Engagement of Nth Parties: Engages Nth parties (third parties and other business relationships, including fourth parties, etc.), such as cybersecurity service providers, risk management firms and external legal counsel, to assess material risks from cybersecurity threats, assess our internal incident response preparedness and cyber posture, support incident response, conduct tabletop exercises and comply with applicable laws and regulations.
Nth Party Service Provider Management: Maintains a risk-based vendor management program, including cybersecurity contractual provisions, vendor security assessments and, if appropriate, periodic audits.
Physical Security of Assets: Maintains physical security measures to protect our OT systems, consistent with a defense-in-depth and risk-tiered approach. Physical security measures may include access control systems, video surveillance, around-the-clock command center monitoring and physical barriers (e.g., fencing, walls and bollards). Additional features of PSEG’s physical security program include threat intelligence, insider threat mitigation, background checks, a threat level advisory system, a business interruption management model and active coordination with federal, state and local law enforcement officials.