CHEVRON CORP - (CVX)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Chevron’s business and proprietary information, information technology (IT) and operational technology (OT) networks are essential to its success. The company’s cybersecurity program is designed to protect its information assets and operations from external and internal cyber threats by identifying and appropriately managing and mitigating risks while ensuring business resiliency. This program is integrated within the company’s Enterprise Risk Management (ERM) process, which is the company’s systematic approach to identifying, managing and assessing major risks and safeguards,
including cybersecurity risks. Chevron uses a risk-based information security process aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to identify, prioritize and mitigate cyber risks.
The company’s worldwide team of cybersecurity professionals undertakes a range of preemptive activities to protect its people, assets and reputation globally. The company also leverages internal and external resources to monitor cybersecurity threats to its systems and networks and to understand the broader threat environment. The company seeks to remove exploitable weaknesses in its systems or devices before they become a threat. Chevron security experts use automated threat intelligence feeds to increase vulnerability awareness, taking action to mitigate the highest risks. The company’s cybersecurity guardrails, which are high-level design requirements expected to be built into any new digital solutions being deployed, are also updated on an ongoing basis to align with changes in industry standards and the evolving threat environment.
Chevron’s cyber risk management process includes testing and risk assessments of technologies, third-party suppliers, and its IT and OT networks. These assessments ensure that our focus is on the highest priorities to maintain the security of our company’s assets. To further protect the company’s systems and data, Chevron’s cybersecurity organization has threat intelligence capabilities to monitor security breaches impacting third-party suppliers. As third-party risks increase, the company’s approach to third-party supplier risk management and qualification continues to evolve, including the ongoing expansion of its current supplier risk management program beyond IT vendors to other high-risk, third-party vendors.
Chevron’s Chief Information Security Officer (CISO) leads a global cybersecurity team that operationalizes and manages the company’s cybersecurity program and strategy. Chevron’s CISO has more than 20 years of cybersecurity experience and is responsible for providing a single and consolidated view of the company’s enterprise cybersecurity risk. Before joining Chevron, he held a leadership role in cyber threat analysis with the U.S. Department of State’s Bureau of Diplomatic Security. Chevron’s CISO reports to the Chief Information Officer (CIO) who is responsible for Chevron’s broader IT program, including resiliency and ability to remediate and recover from a cybersecurity incident to minimize impacts to the business and operations. He has more than 30 years of experience in IT and the oil and gas industry.
Chevron operates four Cyber Intelligence Centers around the world, some co-located with critical assets, with cyber professionals who monitor and respond to cyber threats 24 hours a day, 365 days a year, to limit the scope and impact of cyber incidents in its networks. Chevron’s CISO regularly receives cybersecurity operations reports detailing prevention, detection, mitigation and remediation efforts associated with cyber incidents, both on Chevron’s networks and third-party supplier networks. The CISO has authority to mobilize a cross-functional cyber incident response team, including outside cybersecurity experts, to drive mitigation and remediation actions. Status updates on incidents are provided to senior management and to the Board, as appropriate.
The company’s dedicated cyber risk organization meets regularly with business units to raise cyber risk awareness and keep diverse cybersecurity skill sets connected across the enterprise. Chevron has invested in broad cybersecurity awareness and required training to educate those with access to Chevron’s networks on company policy and best practices. The company conducts regular phishing tests to train and assess its workforce’s ability to identify malicious emails.
Chevron’s Corporate Audit Department has a dedicated team responsible for IT and information security (including cybersecurity) audits. Chevron also leverages external resources to reinforce its cybersecurity capabilities. On a regular basis, external consultants provide a maturity assessment of the company’s cybersecurity program.
The company’s approach to managing risks, including cybersecurity risks, is embedded within the enterprise Operational Excellence (OE) Management System (OEMS). The OEMS provides a systematic process that enables the company to manage risk and implement safeguards and foster a culture of learning across different focus areas for Chevron’s business, including cybersecurity. The company’s Business Continuity Planning OE Process, a component of the OEMS, is designed to prepare Chevron to continue operations during an unplanned event or disruption, which aligns with its OE objective to prevent high-consequence security and cybersecurity incidents. Chevron works to identify critical business processes and dependent IT applications and document the processes for continuing operations without IT systems. Cross-functional teams also conduct regular multidisciplinary exercises, including an expansive cybersecurity exercise in 2023, to test and improve response plans.
The Board provides oversight of Chevron’s cybersecurity program, receives reports from management on cybersecurity risks in connection with Chevron’s operations and projects, and also reviews cybersecurity risks as part of the company’s broader annual ERM process. In support of the Board’s oversight of the company’s policies and processes with respect to risk management and the company’s major financial risk exposures, including cybersecurity, the Audit Committee meets with Chevron’s CISO and CIO at least twice a year to review cybersecurity risks and implications, including the results of
independent third-party assessments. The CISO and CIO present cybersecurity matters to the Board of Directors at least annually. The CISO and CIO also provide new Board members with a cybersecurity briefing as part of the onboarding process. In 2023, the Audit Committee hosted an external expert to discuss cybersecurity and digital risk management topics.
To date, the company has not experienced a cybersecurity threat or incident that has materially affected or is reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition; however, the company has experienced and will continue to experience cyber incidents of varying degrees. Despite the cybersecurity measures that the company is taking to mitigate such risks, there can be no guarantee that such measures will be sufficient to protect the company’s systems, information, intellectual property and other assets from significant harm and that future cybersecurity incidents will not have a material adverse effect on the company or its results of operations or financial condition or cause reputational or other harm to the company. Refer to Item 1A. Risk Factors on pages 21 through 22 for further discussion of cyberattacks and the associated risks to Chevron’s business.