Marathon Petroleum Corp - (MPC)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have processes in place designed to protect our information systems, data, assets, infrastructure and computing environments from cybersecurity threats and risks while maintaining confidentiality, integrity and availability. These enterprise-wide processes are based upon policies, practices and standards that guide us on identifying, assessing and managing material cybersecurity risks and include, but are not limited to:
placing security limits on physical and network access to our information technology (“IT”) and operating technology (“OT”) systems;
employing internal IT and OT controls designed to detect cybersecurity threats by collecting and analyzing data in our centralized cybersecurity operations center;
utilizing layers of defensive methodologies designed to facilitate cyber resilience, minimize attack surfaces and provide flexibility and scalability in our ability to address cybersecurity risks and threats;
providing cybersecurity threat and awareness training to employees and contractors;
limiting remote network access to our IT and OT network environments; and
assessing our cybersecurity resiliency through various methods, including penetration testing, tabletop exercises with varying scenarios and participants ranging from individuals on our operations teams to executive leadership, and analyzing our corporate cybersecurity incident response plan.

We apply an enterprise risk management (“ERM”) methodology as established and led by our executive leadership team to identify, assess and manage enterprise-level risks. Our cybersecurity risk program directly integrates and is intended to align with our governing ERM program.
We engage with external resources to contribute to and provide independent evaluation of our cybersecurity practices, including a periodic assessment of our cybersecurity program performed by a third party. Our cybersecurity leadership and operational teams monitor cybersecurity threat intelligence and applicable cybersecurity regulatory requirements in a variety of ways, including by communicating with federal agencies, trade associations, service providers, and other third-party resources. Our management team, in consultation with our Senior Vice President and Chief Digital Officer (“CDO”), Vice President and Chief Information Security Officer (“CISO”) and the Audit Committee of our Board, uses the information gathered from these sources to inform long-term cybersecurity investments and strategies that seek to identify, protect against, detect, respond to and recover from cybersecurity incidents.

We manage third-party service provider cybersecurity risks through contract management, evaluation of applicable security control assessments, and third-party risk assessment processes.
As of February 28, 2024, we do not believe that any past cybersecurity incidents have had, or are reasonably likely to have, a material adverse effect on the company, including our business, operations or financial condition. However, there can be no assurance that our cybersecurity processes will prevent or mitigate cybersecurity incidents or threats, or that our efforts will always be successful. It is possible that these events may occur and could have a material adverse effect on our business, operations or financial condition. See “Business and Operational Risks--We are increasingly dependent on the performance of our information technology systems and those of our third-party business partners and service providers” in Item 1A. Risk Factors of this Annual Report on Form 10-K.
Governance
Our full Board of Directors oversees enterprise-level risks and has delegated to the Audit Committee of our Board oversight of risks from cybersecurity threats as informed through the ERM program. Our CDO and CISO are standing members of the ERM committee, which is composed of members of senior management, and as part of the committee, report on and evaluate cybersecurity threats and risk management efforts, as communicated to them by way of their direct reports and the larger cybersecurity team. The CDO and CISO provide regular cybersecurity briefings to the Board of Directors and the Audit Committee as needed, with a minimum of two briefings per year. The Audit Committee further reviews and provides input on our cybersecurity and information security strategy.
Our CISO is responsible for the cybersecurity program, which comprises Cybersecurity GRC (Governance, Risk & Compliance), Cybersecurity Architecture, Operations & Engineering, and a Cyber Fusion Center that includes Threat Intelligence, Vulnerability Management & Incident Response. Our CISO has 30 years of experience in the oil and gas industry and has held various leadership and strategic roles across IT, software R&D and marketing.
Our CISO works at the direction of the CDO, who has more than 20 years of executive IT leadership experience and leads the company’s Digital and Information Technology functions that seek to provide innovative, secure, and reliable technology products and services to MPC and its customers.