MURPHY OIL CORP - (MUR)

10-K Filing Date: February 23, 2024
Item 1C. CYBERSECURITY
Murphy’s cybersecurity environment is led by the Company’s Information Technology (IT) group, which, in addition to cybersecurity matters, oversees the Company’s IT infrastructure. Within the IT group, the Murphy Cybersecurity Team (MCT) is responsible for monitoring and managing security of the corporate network and enterprise systems, including developing and deploying policies, technical controls, and safety protocols and responding to security threats. All members of the MCT hold globally recognized security certifications and have wide-ranging experience in cybersecurity matters. The Incident Management Team (IMT) is responsible for responding to active threats and incidents as they occur. The Chief Information Officer is a member of the IMT, and regularly provides briefings to the Chief Executive Officer, the executive leadership team, and the Audit Committee of the Board. The Audit Committee is ultimately responsible for ensuring that management has processes in place to identify and evaluate cybersecurity risks to which Murphy is exposed and to implement processes and programs to manage cybersecurity risks and mitigate any incidents. The Audit Committee also reports material cybersecurity risks to the Board. We believe this visibility and oversight structure allows the Board and executive leadership team to make timely, data-driven decisions ensuring that Murphy, its employees, investors, and partners are adequately protected.
Murphy considers its protection from cybersecurity threats to be a core component of its overall enterprise risk management system. Murphy’s cybersecurity risk management framework consists of cyber readiness, cybersecurity governance, and risk management strategy. The cybersecurity risk management framework is incorporated into the overall enterprise risk management process through policies, procedures, periodic simulations, and constant monitoring of the cybersecurity environment for new and emerging threats. The Company also requires employees to receive regular cybersecurity training and education to mitigate cybersecurity risks. To remain informed of the cybersecurity landscape, the Company collaborates with peers, third party advisors, industry groups and policymakers.
Murphy engages cybersecurity assessors, consultants, our internal auditors, and other third parties both periodically and as appropriate when cyber threats are identified. Murphy utilizes these consultants to perform forensic analysis of data published by threat actors, to monitor and scan Murphy’s systems for threat vectors, and to consult on emerging cybersecurity environment topics.
Murphy utilizes industry leading technologies that focus on continuous monitoring and analytics built on machine learning and artificial intelligence to safeguard against sophisticated cyberattacks. Deployed technologies include next generation firewalls, advanced endpoint and email protection, multi-factor authentication and Managed Detection and Response.
In addition to the monitoring and detection processes for its own IT systems, Murphy also has processes in place to identify cybersecurity threats associated with third party service providers and partners; these processes include industry information sharing groups, cybersecurity notification services, vendor risk assessments, and ongoing collaboration with federal agencies.
Murphy has not experienced any material impacts to our business, operations, or reputation due to cyberattacks or other security-related incidents. However, we recognize cyber threats are constantly evolving and are committed to cultivating a culture of security, remaining vigilant and continually improving our cybersecurity environment and controls.
27

PART I