IMPERIAL OIL LTD - (IMO)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Imperial recognizes the importance of cybersecurity in achieving its business objectives, safeguarding its assets, and managing its daily operations. Accordingly, the company integrates cybersecurity risks into its overall enterprise risk management system. The board of directors oversees the company’s risk management approach and structure, which includes an annual review of the company’s cybersecurity program.
The company’s cybersecurity program is managed by the Canada IT Manager, with support from cross-functional teams led by information technology (IT) and operational technology cybersecurity operations managers in the company and in Exxon Mobil Corporation and its affiliates (collectively, Cybersecurity Operations Managers). The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents. The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations.
IT management provides updates to the company’s senior management throughout the year, covering, as appropriate, the company’s cybersecurity strategy, initiatives, key security metrics, penetration testing and benchmarking learnings, and business response plans, as well as the evolving cybersecurity threat landscape.
The company’s cybersecurity program includes multi-layered technological capabilities designed to prevent and detect cybersecurity disruptions and leverages industry standard frameworks, including the National Institute of Standards and Technology Cybersecurity Framework. The cybersecurity program incorporates an incident response plan to engage cross-functionally and report cybersecurity incidents to appropriate levels of management based on potential impact. The company conducts annual cybersecurity awareness training and routinely tests cybersecurity awareness and business preparedness for response and recovery, which are developed based on real-world threats. In addition, IT management exchanges threat information with governmental and industry groups and proactively engages independent, third-party cybersecurity experts to test, evaluate and recommend improvements on the effectiveness and resiliency of its cybersecurity program through penetration testing, breach assessments, regular cybersecurity incident drill testing, threat information sharing, and industry benchmarking. The company takes a risk-based approach with respect to its third-party service providers, tailoring processes according to the nature and sensitivity of the data or systems accessed by such third-party service providers and performing additional risk screenings and procedures, as appropriate.
As of the date of this report, the company has not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the company including its business strategy, results of operations, or financial condition.
While the company believes its cybersecurity program to be appropriate for managing constantly evolving cybersecurity risks, no program can fully protect against all possible adverse events. For additional information on these risks and potential consequences if the measures the company is taking prove to be insufficient or if the company's proprietary data is otherwise not protected, see “Item 1A. Risk factors: Operational and other factors - Cybersecurity” in this report.
31