We maintain a corporate information security policy and program (the “Program”) designed to identify, assess and appropriately manage risk from cybersecurity threats to help maintain operational continuity and protect Devon’s networks, systems and other assets, as well as the significant amount of information we use to run our business. We employ a variety of tools designed to identify, assess and manage cybersecurity threats, including monitoring and detection programs, network security measures, firewall monitoring devices and encryption of critical data. As part of the Program, we perform cybersecurity risk assessments of certain third-party vendors of the Company, including technology vendor and key operational suppliers and service providers. These assessments are intended to identify potential risks to Devon associated with our use of third-party vendors and, where appropriate, to recommend and implement mitigating controls or solutions. In addition, Devon maintains disaster recovery plans related to cybersecurity incidents as part of our broader corporate emergency preparedness program, and our employees receive cybersecurity awareness training as part of both new-hire onboarding and through periodic refresher courses.

We have made efforts to align the Program with the National Institute of Standards and Technology Cybersecurity Framework for risk management, and we conduct an annual assessment to identify areas for potential improvement and benchmark maturity relative to peers and other companies, as well as industry and other relevant standards. Moreover, we perform regular internal testing of our systems and programs, including disaster recovery exercises and tabletop exercises. We supplement these internal efforts by periodically engaging third-party organizations to separately review and stress-test the Program.

The Program is administered by our Digital Security team, which is led by our Manager of Digital Security. The Digital Security team meets at least weekly to discuss any cybersecurity incidents and related response actions, emerging cybersecurity threats facing the Company and preventative measures. It is important to Devon that members of our Digital Security team have the necessary expertise to oversee the Program and its related technologies, platforms and applications, whether through educational background, experience, technical certifications or other training. The Manager of Digital Security has over 12 years of cybersecurity experience, a degree in management information systems and multiple certifications relating to security, risk and information systems, including a security leadership certification.

Cybersecurity risk is an area of focus for our Board of Directors, and we include cybersecurity and related risks in our enterprise-wide risk-management framework that annually assesses risks to the Company. This year-round assessment of risk is guided by our Internal Audit team and involves our Board of Directors, management and certain internal subject matter experts. The Audit Committee of our Board of Directors has oversight of Devon’s risks from cybersecurity threats and reviews the steps management has taken to monitor and address such risks. Our management team provides quarterly updates to the Audit Committee on activities and other developments impacting Devon’s cybersecurity. These updates cover a variety of topics, including, among other things, (i) regular reviews of certain cybersecurity metrics for the Company, (ii) status reviews of our cybersecurity initiatives and the results of benchmarking or other assessments of the Program and (iii) briefings on current events or trends relating to cybersecurity. Our full Board of Directors also receives regular updates from our management team regarding the Program, as well as reports from the Audit Committee.

As of the date of this report, Devon is not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect Devon. For information on the risks associated with cybersecurity threats, see “Item 1A. Risks Factors.”