|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
To reduce the likelihood and severity of cybersecurity incidents, we established a comprehensive cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of our technology systems and business operations more broadly. For a discussion of the risks associated with cybersecurity threats, see Item 1A. Risk Factors.
Risk Management and Strategy
Our processes for assessing, identifying, and managing material risks from cybersecurity threats include:
• Ongoing Assessment—The Cybersecurity department, led by the VP, Chief Information Security Officer (CISO), and reporting to the SVP, Chief Information and Digital Officer (CIDO), is staffed with cyber professionals tasked with the day-to-day responsibility of assessing material risks from cybersecurity threats. In addition, the Cybersecurity Council, comprised of senior management, is kept apprised of the state of PSEG’s cybersecurity program, including any emerging risks, and provides guidance on the strategic directions of the program.
• Engagement of Nth Parties—We engage Nth parties (third parties and other business relationships, including fourth parties, etc.), such as cybersecurity service providers, risk management firms, and external legal counsel, to assess material risks from cybersecurity threats and assess our internal incident response preparedness and cyber posture, support incident response, conduct tabletop exercises, and comply with applicable laws and regulations. We also carry cybersecurity insurance that provides certain protection against losses from a cybersecurity incident. Regulatory agencies, including but not limited to the NRC and Transportation Security Administration (TSA), as well as NERC, inspect applicable components of our cybersecurity program.
• Nth-Party Service Provider Management—We maintain processes to oversee and identify risks from cybersecurity threats associated with our use of Nth-party service providers. This includes a risk-based vendor management program, which incorporates robust cybersecurity contractual provisions, vendor security assessments and, if appropriate, periodic audits.
• Technical Safeguards—We manage controls to protect our network perimeter, internal IT and Operational Technology (OT) environments, such as internal and external firewalls, network intrusion detection and prevention, penetration testing, vulnerability assessments, threat intelligence, endpoint security and access controls.
• Training and Awareness—We provide mandatory annual cybersecurity training for all personnel with network access, and additional education for personnel with access to industrial control systems and/or customer information systems; and conduct phishing exercises with progressive consequences for failures. Employees also receive periodic cybersecurity awareness messages and each year, in recognition of Cybersecurity Awareness Month, are invited to presentations throughout October from internal and external cyber experts covering diverse cyber topics. These efforts better enable all employees to identify potential cybersecurity risks and escalate them appropriately.
• Incident Response Plans—We maintain and periodically update a cyber incident response plan that addresses the life cycle of a cybersecurity incident from a technical perspective (i.e., detection, response, and recovery), and a data breach response plan (with a focus on external communication/disclosure and legal compliance); and conduct regular tabletop exercises to test plan effectiveness (both internally and through external exercises).
• Mobile Security—We maintain controls to prevent loss of data through mobile device channels.
• Physical Security—We also maintain physical security measures to protect our OT systems, consistent with a defense in-depth and risk-tiered approach. Physical security measures may include access control systems, video surveillance, around-the-clock command center monitoring, and physical barriers (such as fencing, walls, and bollards). Additional features of PSEG’s physical security program include threat intelligence, insider threat mitigation, background checks, a threat level advisory system, a business interruption management model, and active coordination with federal, state, and local law enforcement officials. See Item 1. Business. Regulatory Issues—Federal Regulation for a discussion of Critical Infrastructure Protection standards that the NERC promulgated that mitigate risk associated with both cybersecurity and physical security of PSEG’s critical facilities.
These processes are integral to our overall risk management system/processes and inform the identification and assessment of risks and mitigations through our Enterprise Risk Management (ERM) program. The ERM team, led by the SVP, Audit, Enterprise, Risk and Compliance (AERC) considers cybersecurity risks alongside other PSEG risks, and facilitates discussion with PSEG subject matter experts to identify cybersecurity risks, evaluate their potential severity and likelihood, identify mitigations, including those identified above, and assess the impact of those mitigations on residual risk. In addition, PSEG maintains a Risk Management Committee (RMC), responsible for assessing exposure to and determining PSEG’s overall risk management strategy, including with respect to cybersecurity. The RMC, supported by the ERM function, is chaired by the SVP, AERC and consists of members of senior management including the CIDO and six of the CEO’s other direct reports. In discharging its responsibilities related to cybersecurity threats, the RMC has received presentations from the CISO. To date, there has been no material impact or reasonably likely material impact on our business strategy, results of operations or financial condition from cybersecurity attacks or incidents, including as a result of prior cybersecurity incidents.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
These processes are integral to our overall risk management system/processes and inform the identification and assessment of risks and mitigations through our Enterprise Risk Management (ERM) program. The ERM team, led by the SVP, Audit, Enterprise, Risk and Compliance (AERC) considers cybersecurity risks alongside other PSEG risks, and facilitates discussion with PSEG subject matter experts to identify cybersecurity risks, evaluate their potential severity and likelihood, identify mitigations, including those identified above, and assess the impact of those mitigations on residual risk.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|there has been no material impact or reasonably likely material impact on our business strategy, results of operations or financial condition from cybersecurity attacks or incidents, including as a result of prior cybersecurity incidents
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
– PSEG Board of Directors (Board) Oversight of Risks from Cybersecurity Threats:
• PSEG Board—The PSEG Board has ultimate responsibility for the oversight of risk management at PSEG, overseeing PSEG’s risk management program and reviewing the most significant risks facing PSEG, including cybersecurity risks. The Governance, Nominating and Sustainability Committee of the PSEG Board reviews key enterprise risks, including cybersecurity risks, and recommends to the Board the mapping of each risk to an appropriate committee or the full Board, in accordance with the allocation of risk categories reflected in the charter of each committee. Through this process, cybersecurity risk is mapped primarily to the Board’s Industrial Operations Committee (IOC), and also the Audit Committee. In providing oversight of risks from cybersecurity threats, the Board is informed of cybersecurity incidents as appropriate, by way of updates from Senior Management, pursuant to PSEG’s Cybersecurity Event Escalation and Incident Response Practice, as administered by the CISO.
• IOC—At the PSEG Board level, the IOC holds the primary responsibility, as enumerated in its charter, of overseeing PSEG’s cybersecurity program and assessing overall compliance through active, independent and critical oversight. The IOC is informed about cybersecurity risks by the CIDO and/or the CISO, during the IOC’s four regularly scheduled meetings per year, which each include cybersecurity as a standing agenda item. Cybersecurity updates to the IOC include discussions on OT and IT cyber risks, cybersecurity updates from the CISO and/or CIDO, and reviews of a corporate cybersecurity scorecard and other performance indicators. The CIDO and CISO regularly attend IOC meetings. In addition, the IOC meets with the CISO in executive session with no other members of management present. To ensure the full Board is kept informed about the cybersecurity risks discussed at the IOC meetings, the cybersecurity materials provided to the IOC are available for full viewing by all members of the Board, members of the Board who are not IOC members have a courtesy invitation to each IOC meeting, and the Chair of the IOC provides a summary of IOC meetings to the full Board, typically the day after the meeting takes place.
• Audit Committee—The Audit Committee has the charter responsibility of overseeing cybersecurity risks related to financial reporting and internal controls. The Audit Committee receives a cybersecurity update twice a year from the CISO, either with the full Board or the IOC in attendance. Audit Committee members have a courtesy invitation to all IOC meetings, have full access to IOC meeting materials, and receive the summary of IOC meetings from the IOC Chair as noted above.
• Governance, Nominating and Sustainability Committee and Audit Committee—These committees are briefed at least annually on enterprise-level risks and emerging risks, including those related to cybersecurity, and receive regular updates on PSEG RMC activities, including those related to cybersecurity.
• Board of Directors, IOC, and Audit Committee—In providing oversight of risks from cybersecurity threats, the Board, IOC, and Audit Committee are informed of cybersecurity risks through frequent reports on such topics as personnel and resources to monitor and address cybersecurity threats, technological advances in cybersecurity protection, rapidly evolving cybersecurity threats that may affect us and our industry, cybersecurity incident response and applicable cybersecurity laws, regulations and standards, as well as collaboration mechanisms with intelligence and enforcement agencies and industry groups to assure timely threat awareness and response coordination. In addition, risks associated with cybersecurity incidents, or potential incidents, are escalated by senior management promptly to the Board outside of regularly scheduled meetings, if appropriate.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|PSEG Board—The PSEG Board has ultimate responsibility for the oversight of risk management at PSEG, overseeing PSEG’s risk management program and reviewing the most significant risks facing PSEG, including cybersecurity risks. IOC—At the PSEG Board level, the IOC holds the primary responsibility, as enumerated in its charter, of overseeing PSEG’s cybersecurity program and assessing overall compliance through active, independent and critical oversight. Audit Committee—The Audit Committee has the charter responsibility of overseeing cybersecurity risks related to financial reporting and internal controls.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Board of Directors, IOC, and Audit Committee—In providing oversight of risks from cybersecurity threats, the Board, IOC, and Audit Committee are informed of cybersecurity risks through frequent reports on such topics as personnel and resources to monitor and address cybersecurity threats, technological advances in cybersecurity protection, rapidly evolving cybersecurity threats that may affect us and our industry, cybersecurity incident response and applicable cybersecurity laws, regulations and standards, as well as collaboration mechanisms with intelligence and enforcement agencies and industry groups to assure timely threat awareness and response coordination
|Cybersecurity Risk Role of Management [Text Block]
|
– Management’s Role in Assessing and Managing Material Cybersecurity Risks:
The assessment and management of material risks from cyber threats is managed by the CIDO, CISO and Cybersecurity Council, as further described below.
• CIDO—The CIDO has had the overall responsibility for PSEG’s cybersecurity since September 2022, including the assessment and management of material risks to PSEG from cybersecurity threats. The CIDO has served in that position since August 2020 and is a direct report to the CEO. The CIDO has over 25 years of energy experience inclusive of leading technology compliance with cybersecurity regulations for nuclear, transmission, gas and corporate assets. Our CIDO’s experience includes leading the secure technology design, development, and deployment strategy for grid modernization efforts, including digital customer engagement platforms, advanced metering, enterprise asset management and distribution automation functionality.
As noted above, the CIDO provides cybersecurity updates to the Board or its Committees, regularly attends and provides updates with the CISO to the IOC, and has met with the IOC, without other members of management present, during the IOC executive sessions.
The CIDO remains informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through the CISO and other members of the cybersecurity team, as appropriate, who are tasked with these responsibilities on a day-to-day basis.
• CISO—The CISO has day-to-day responsibility for PSEG’s cybersecurity, including the assessment and management of material risks to PSEG from cybersecurity threats, and leads the cybersecurity team. The CISO has served in this role since July 2024. Our CISO has over 20 years of experience in cybersecurity and served as a VP, CISO in the manufacturing/chemicals sector prior to joining PSEG. Our CISO also started her career at the Department of Defense and led cyber teams in the financial and retail sectors. Our CISO holds an MBA in strategy, an MSE in Computer Science, a BS in Computer Science, and multiple cybersecurity certifications, including Certified Information Systems Security Professional.
As noted above, the CISO provides cybersecurity updates during the four regularly scheduled IOC meetings and regularly meets with the IOC, without other members of management present, during executive sessions. The CISO remains informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through the members of the CISO’s cybersecurity team, who are tasked with these responsibilities on a day-to-day basis.
• Cybersecurity Council—The Cybersecurity Council, chaired by the CISO, ensures that senior management, and ultimately, the Board, are given the information required to exercise proper oversight over cybersecurity risks and that escalation procedures are followed. The Cybersecurity Council meets at least six times annually to receive reports on the state of PSEG’s cybersecurity program, provide guidance on the strategic direction of the program, discuss emerging cybersecurity issues, and review the cybersecurity scorecard to measure performance of key risk indicators. The Cybersecurity Council receives presentations from the CISO, members of the Cybersecurity team, other IT domain experts, cybersecurity managing counsel and external cybersecurity experts, and participates in tabletop exercises led by external consultants. In addition to the CISO, the Cybersecurity Council members include the: (i) CIDO; (ii) EVP and General Counsel; (iii) EVP and CFO; (iv) President and COO of PSE&G; (v) President of PSEG Nuclear and Chief Nuclear Officer; (vi) SVP – Corporate Citizenship; (vii) SVP – Chief Human Resources and Diversity Officer; (viii) VP of Corporate Security and Properties; (ix) SVP – AERC; (x) Project Executive Advisor; and (xi) Vice President and Controller. PSEG’s Corporate Secretary and Managing Counsel – Cybersecurity serves as counsel to the Cybersecurity Council. In providing oversight of risks from cybersecurity threats, Senior Management is informed of cybersecurity risks through updates shared during Cybersecurity Council meetings and through notifications or updates by the CISO, pursuant to PSEG’s Cybersecurity Event Escalation and Incident Response Practice.
For a discussion of regulatory requirements relating to cybersecurity matters, see Item 1. Business—Regulatory Issues.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|CIDO—The CIDO has had the overall responsibility for PSEG’s cybersecurity since September 2022, including the assessment and management of material risks to PSEG from cybersecurity threats. CISO—The CISO has day-to-day responsibility for PSEG’s cybersecurity, including the assessment and management of material risks to PSEG from cybersecurity threats, and leads the cybersecurity team.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CIDO has over 25 years of energy experience inclusive of leading technology compliance with cybersecurity regulations for nuclear, transmission, gas and corporate assets. Our CIDO’s experience includes leading the secure technology design, development, and deployment strategy for grid modernization efforts, including digital customer engagement platforms, advanced metering, enterprise asset management and distribution automation functionality. Our CISO has over 20 years of experience in cybersecurity and served as a VP, CISO in the manufacturing/chemicals sector prior to joining PSEG. Our CISO also started her career at the Department of Defense and led cyber teams in the financial and retail sectors. Our CISO holds an MBA in strategy, an MSE in Computer Science, a BS in Computer Science, and multiple cybersecurity certifications, including Certified Information Systems Security Professional.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The CIDO remains informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through the CISO and other members of the cybersecurity team, as appropriate, who are tasked with these responsibilities on a day-to-day basis. The CISO remains informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through the members of the CISO’s cybersecurity team, who are tasked with these responsibilities on a day-to-day basis. In providing oversight of risks from cybersecurity threats, Senior Management is informed of cybersecurity risks through updates shared during Cybersecurity Council meetings and through notifications or updates by the CISO, pursuant to PSEG’s Cybersecurity Event Escalation and Incident Response Practice.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true