Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] CMS Energy’s and Consumers’ security function, led by the Vice President of Information Technology and Security and CIO, is accountable for cyber and physical security and is subject to various state, federal, and industry cybersecurity, physical security, and privacy regulations. Their cybersecurity program is responsible for assessing, identifying, and managing risks from cybersecurity threats using industry frameworks, as well as best practices developed by government and industry partners. All employees and contractors are required to complete annual trainings on a variety of security-related topics. Additionally, the companies continuously upgrade technological investments designed to prevent, detect, and respond to attacks. The companies’ electric, natural gas, and corporate systems each follow standards, controls, and requirements designed to maintain compliance with applicable regulations and standards, such as MPSC, NERC critical infrastructure protection, and payment card industry regulations. Technology projects and third-party service providers are reviewed for adherence to cybersecurity requirements.
CMS Energy’s and Consumers’ cybersecurity program focuses on finding and remediating vulnerabilities in their systems. The companies use third-party firms for penetration testing, audits, and assessments, and conduct technical exercises to practice their response to simulated events as well as tabletop exercises to test that response using their incident command system, including leadership decisions. The companies also have a dedicated, proactive function focused fully on monitoring CMS Energy’s and Consumers’ systems and responding when cybersecurity attacks occur. This includes regular information sharing with industry partners, peer utilities, and state and federal partners. The companies’ incident response plan outlines the individuals responsible, the methods employed, and the timeline for notifying state and federal governmental agencies. The companies retain a third-party cybersecurity firm to assist with potentially significant cybersecurity incidents and have invested in cybersecurity insurance to offset costs incurred from any such cybersecurity incidents. To manage cybersecurity risks associated with the companies’ use of third-party service providers, the companies incorporate security requirements into contracts, when deemed applicable, and pursue third-party security certifications for vendors with a higher risk profile.
CMS Energy and Consumers have experienced no material cybersecurity incidents; however, future cybersecurity incidents could materially affect their business strategy, results of operations, or financial condition. For additional details regarding these and other uncertainties, see Item 1A. Risk Factors.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] CMS Energy’s and Consumers’ security function, led by the Vice President of Information Technology and Security and CIO, is accountable for cyber and physical security and is subject to various state, federal, and industry cybersecurity, physical security, and privacy regulations. Their cybersecurity program is responsible for assessing, identifying, and managing risks from cybersecurity threats using industry frameworks, as well as best practices developed by government and industry partners.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] As part of the Board’s risk oversight process, senior management meets with the Board or Audit Committee at least twice annually to provide updates on and discuss cybersecurity. Such updates include a review of the companies’ cybersecurity strategy, a scan of the threat landscape, and recent performance. Additionally, cybersecurity risks are included in the Audit Committee’s risk oversight functions, which focus on operating and financial activities that could impact the companies’ financial and other disclosure reporting. The Audit Committee’s oversight involves reviewing and approving policies on risk assessment, controls, and accounting risk exposure. The Audit Committee also reviews internal audit reports regarding cybersecurity processes, and receives updates that focus on CMS Energy’s and Consumers’ cybersecurity program, mitigation of cybersecurity risks, and assessments by third-party experts. Of note, two members of the Board have extensive industry experience in cybersecurity and are on CMS Energy’s and Consumers’ Audit Committee.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Vice President of Information Technology and Security and CIO has over 25 years of information technology and security experience and, to enhance governance, reports to the Senior Vice President and General Counsel.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Vice President of Information Technology and Security and CIO has over 25 years of information technology and security experience and, to enhance governance, reports to the Senior Vice President and General Counsel. The Vice President of Information Technology and Security and CIO is responsible for informing the CEO and other members of senior management, as necessary, about cybersecurity incidents, covering prevention, detection, mitigation, and remediation efforts as they are detected by the cybersecurity team. Cybersecurity incidents are managed using the companies’ standard process for critical events. In the event of such cybersecurity incidents, the Vice President of Information Technology and Security and CIO communicates and collaborates with the officers of the companies and subject matter experts to address business continuity, contingency, and recovery plans. Senior management will notify the Board, including the Audit Committee, of any significant cybersecurity incidents.
Cybersecurity Risk Role of Management [Text Block] Management’s Role: The Vice President of Information Technology and Security and CIO has over 25 years of information technology and security experience and, to enhance governance, reports to the Senior Vice President and General Counsel. The Vice President of Information Technology and Security and CIO is responsible for informing the CEO and other members of senior management, as necessary, about cybersecurity incidents, covering prevention, detection, mitigation, and remediation efforts as they are detected by the cybersecurity team. Cybersecurity incidents are managed using the companies’ standard process for critical events. In the event of such cybersecurity incidents, the Vice President of Information Technology and Security and CIO communicates and collaborates with the officers of the companies and subject matter experts to address business continuity, contingency, and recovery plans. Senior management will notify the Board, including the Audit Committee, of any significant cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Vice President of Information Technology and Security and CIO has over 25 years of information technology and security experience and, to enhance governance, reports to the Senior Vice President and General Counsel.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Vice President of Information Technology and Security and CIO has over 25 years of information technology and security experience and, to enhance governance, reports to the Senior Vice President and General Counsel.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Vice President of Information Technology and Security and CIO has over 25 years of information technology and security experience and, to enhance governance, reports to the Senior Vice President and General Counsel. The Vice President of Information Technology and Security and CIO is responsible for informing the CEO and other members of senior management, as necessary, about cybersecurity incidents, covering prevention, detection, mitigation, and remediation efforts as they are detected by the cybersecurity team. Cybersecurity incidents are managed using the companies’ standard process for critical events. In the event of such cybersecurity incidents, the Vice President of Information Technology and Security and CIO communicates and collaborates with the officers of the companies and subject matter experts to address business continuity, contingency, and recovery plans. Senior management will notify the Board, including the Audit Committee, of any significant cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true