HESS CORP - (HES)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Cybersecurity is an integral part of our enterprise risk management. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our Digital Systems. Our cybersecurity risk management program includes a cybersecurity incident response plan as well as property and casualty insurance that may cover damages caused as a result of a cybersecurity event.
We design and assess our program based on the NIST CSF. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program overseen by our Chief Risk Officer, and shares certain methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other areas affecting our business risks, including financial, compliance, EHS, compensation and governance matters, among other topics.
Our cybersecurity risk management program includes:
• risk assessments designed to help identify material cybersecurity risks to critical systems integral to our exploration, development and production activities as well as the activities of our business partners and our broader enterprise information technology environment;
• a security team principally responsible for managing our cybersecurity risk assessment processes, our security controls and our response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• ongoing cybersecurity awareness and compliance training that occurs quarterly and is mandatory for all our employees, incident response personnel and senior management;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
• a third-party risk management process for service providers, suppliers and vendors.
We have not identified risks from known cybersecurity threats during the year ended December 31, 2023, including as a result of any prior cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Additional information about cybersecurity risks we face is discussed in Item 1A. Risk Factors, under the heading “Disruption, failure or cybersecurity attacks affecting or targeting information technology and infrastructure used by the Corporation or our business partners may materially impact our business and operations” which should be read in conjunction with the information above.
Governance
Our Board of Directors (Board) appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection and mitigation of the effects of any such incidents on the Corporation. The Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (Committee) primary responsibility for oversight of our risk management practices, including oversight of cybersecurity and other information technology risks.
The Committee oversees management’s implementation of our cybersecurity risk management program. The Committee receives presentations on cybersecurity topics from management at least twice a year, including the nature of threats, defense and detection capabilities; incident response plans; and employee training activities. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents as well as other incidents with lesser impact potential. The Committee reports to the full Board regarding its activities, including those related to cybersecurity.
Our management team – including our Chief Risk Officer, our Head of Information Technology and our Chief Information Security Officer (CISO) – is responsible for assessing and managing our material risks from cybersecurity threats. The team is primarily responsible for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Risk Officer has nearly 20 years of experience in this role at the Corporation and previously served as a consultant with Ernst & Young LLP’s Risk Management and Regulatory Practice, where he assisted financial services and energy trading clients in establishing their risk management infrastructure. Our Head of Information Technology and our CISO each have over 20 years of experience in information technology leadership in oil and gas. Furthermore, our CISO holds a Bachelor of Science in Cyber and Data Security from the University of Arizona and is a Certified Information Systems Security Professional.
Our management team is informed about and monitors the efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.