Security
Security is an integrated organization within CMS Energy, including its subsidiaries, and is accountable for both cyber and physical security. Security is subject to state, federal and industry regulations that focus on cyber security, physical security and privacy. Risks are managed through a program that combines people, processes, technology and governance structures. We maintain a strong security culture because we recognize that evolving security threats pose ongoing risks. That culture is built on shared responsibility: every employee has a role in maintaining a secure environment.
The executive director of security reports to a senior vice president. The Board of Directors (Board) oversees our security risks, including cyber security, physical security, compliance and privacy. Two Board members have extensive industry experience in cyber security. The Board receives an update at the start of each year covering the current threat environment, regulatory changes, a review of the prior year's incidents and a strategic look forward, and a second update around mid-year. Board oversight also includes regular program updates and third-party audits.
Our See Something, Say Something program encourages employees to report suspicious activity. Employees also receive annual security training on a variety of physical and cyber security topics including phishing, data security, data privacy, device security and access management.
Cyber Security
We manage our cyber security program using industry frameworks and best practices developed by both government and industry partners. We make significant technological investments to prevent, detect and respond to attacks. Our electric, natural gas and corporate systems each follow the standards, controls and requirements that apply to them in order to maintain compliance. Our payment card industry compliance is audited annually.
Our cyber security incident response team is a dedicated, proactive function focused entirely on monitoring our systems and responding when issues occur. Its work includes regular information sharing with industry partners, peer utilities and state and federal government agencies. We keep third-party cyber security firms on retainer to assist with potentially significant incidents, and we carry cyber security insurance to help offset costs incurred from incidents.
All technology projects are reviewed against our cyber security requirements. Any requirement that a project leaves unmet must be approved by leadership as an exception before the project is implemented. A dedicated team focuses on identifying and remediating system vulnerabilities, and we regularly engage third-party firms for penetration testing, audits and assessments.
We also conduct monthly phishing tests through our Don't Take the Bait program, which sends employees simulated phishing emails that use common real-world phishing tactics and asks them to report the messages as suspicious. Employees who click a test email are shown information on cyber security best practices. We review Don't Take the Bait statistics every month and report click rates to senior management and to all employees to reinforce each person's role in cyber security.
Physical Security
We take employee and customer security seriously and strive to provide a safe and secure environment free from violence or threats of violence. Our buildings are equipped with security enhancements, including physical barriers, secured access areas, cameras, alarms and other monitoring equipment. Employees must use electronic badges to access sites and must display their identification badges throughout their shifts.
As part of our physical security efforts, we also:
- Partner with the Michigan Intelligence Operations Center and law enforcement to share information related to any act of violence or threat to employees or customers.
- Mitigate potential threatening or dangerous situations through employee education including annual mandatory training on workplace violence and volatile situations and guidance for customer-facing employees to report dangerous situations to co-workers or customers.
- Provide all employees the ability to sign up for notifications about security threats and threats of violence.
- Conduct daily Safety Tailboards whenever groups of employees gather at work, in the field or remotely, to identify hazards, define responsibilities and review exit strategies in case of a real threat. If violence or imminent danger occurs, employees are instructed to call 911 first and then our security command center.
Privacy
Under our privacy policy, we apply industry-standard administrative, technical and physical security measures to maintain the integrity of our systems and to protect customer information from unauthorized access, destruction or alteration. These measures include an enterprise security program based on industry-standard frameworks, security awareness training for employees, a dedicated team to detect and respond to threats, and collaboration with peers and with state and federal partners.