EXXON MOBIL CORP - (XOM)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
The Corporation recognizes the importance of cybersecurity in achieving its business objectives, safeguarding its assets, and managing its daily operations. Accordingly, the Corporation integrates cybersecurity risks into its overall enterprise risk management system. The Audit Committee oversees the Corporation’s risk management approach and structure, which includes an annual review of the Corporation’s cybersecurity program.
The Corporation’s cybersecurity program is managed by the Corporation’s Vice President of IT, with support from cross-functional teams led by ExxonMobil information technology (IT) and operational technology (OT) cybersecurity operations managers (collectively, Cybersecurity Operations Managers). The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents. The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations.
IT management provides regular reports to the Corporation’s senior management throughout the year, and to the Audit Committee or the Board of Directors, as appropriate, in its annual cybersecurity review. Such reports typically address, among other things, the Corporation’s cybersecurity strategy, initiatives, key security metrics, penetration testing and benchmarking learnings, and business response plans as well as the evolving cybersecurity threat landscape.
The Corporation’s cybersecurity program includes multi-layered technological capabilities designed to prevent and detect cybersecurity disruptions and leverages industry standard frameworks, including the National Institute of Standards and Technology Cybersecurity Framework. The cybersecurity program incorporates an incident response plan to engage cross-functionally across the Corporation and report cybersecurity incidents to appropriate levels of management, including senior management, and the Audit Committee or Board of Directors, based on potential impact. The Corporation conducts annual cybersecurity awareness training and routinely tests cybersecurity awareness and business preparedness for response and recovery, which are developed based on real-world threats. In addition, the Corporation exchanges threat information with governmental and industry groups and proactively engages independent, third-party cybersecurity experts to test, evaluate and recommend improvements on the effectiveness and resiliency of its cybersecurity program through penetration testing, breach assessments, regular cybersecurity incident drill testing, threat information sharing, and industry benchmarking. The Corporation takes a risk-based approach with respect to its third-party service providers, tailoring processes according to the nature and sensitivity of the data or systems accessed by such third-party service providers and performing additional risk screenings and procedures, as appropriate.
As of the date of this report, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect the Corporation, including our business strategy, results of operations, or financial condition.
While the Corporation believes its cybersecurity program to be appropriate for managing constantly evolving cybersecurity risks, no program can fully protect against all possible adverse events. For additional information on these risks and potential consequences if the measures we are taking prove to be insufficient or if our proprietary data is otherwise not protected, see “Item 1A. Risk Factors: Operational and Other Factors -- Cybersecurity” in this report.