MARATHON OIL CORP - (MRO)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have implemented cybersecurity controls and processes to identify, detect, protect against, respond to and recover from threats and cybersecurity risks. These threats and risks include, among other things: operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. Our approach is informed by external cybersecurity experts and aligns to the U.S. National Institute of Standards and Technology (NIST) framework and standards. Our senior vice president, Technology and Innovation and CIO (“CIO”), who has a Bachelor of Arts in computer science and over 35 years of business experience managing large-scale system environments and the associated risks from cybersecurity threats, and developing and implementing cybersecurity policies and procedures, oversees our cybersecurity program. In addition, our cybersecurity team has a diverse range of certifications from reputable organizations in the field, such as Cybersecurity and Infrastructure Security Agency (CISA), EC-Council (ECC), and Global Information Assurance Certification (GIAC), in addition to many vendor-specific certifications. Our enterprise risk management program considers cybersecurity risks alongside other Company risks. As part of our enterprise risk management process, our enterprise risk professionals consult with Company subject matter experts to gather information necessary to identify cybersecurity risks, and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk.
Our cybersecurity risk management processes include a suite of IT and security policies and procedures, tabletop simulation exercises, technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We also leverage government partnerships, industry and government associations, third-party benchmarking, internal and third-party audit results, threat intelligence feeds and other similar resources to inform our cybersecurity processes. Our technical controls are regularly evaluated and assessed, including through internal audits, by an annual third-party assessment of our cybersecurity posture and a biannual assessment of our cybersecurity standards, processes and team. Our Information Technology Steering Committee approves the implementation of new technologies and upgrades of our current systems using a formal process that includes a rigorous third-party risk assessment. This assessment evaluates and mitigates cyber risk associated with any new technology or suppliers before they are deployed. We employ continuous monitoring technology that provides real-time updates on our suppliers’ cyber security posture, alerting us to any significant changes due to cyber events or technological shifts. In our contractual process with third party providers, we require initial and ongoing certification of their cyber security and data protection standards.
To further cybersecurity awareness among our employees and contractors, we leverage formal mandatory training and incorporate other training and educational opportunities. We also maintain a cybersecurity incident response plan to guide our detection, response to, and recovery from cybersecurity incidents, which includes processes for assessing the severity of, escalating, containing, investigating and remediating incidents, as well as complying with legal and regulatory obligations and mitigating reputational impacts. We test our cybersecurity incident response and disaster recovery plans through an annual, scenario-based tabletop exercise. We also have processes and technologies to provide redundant computing and backup operations should a cyber incident occur that requires a full or partial data center recovery.
Furthermore, in 2023, we engaged a third party to conduct a Cyber Risk Quantification assessment. This assessment focused on estimating the likelihood and potential financial impact of a widespread ransomware attack within our network. It involved a thorough evaluation of both our current and planned cybersecurity capabilities.
Governance
Our Audit and Finance Committee, comprised fully of independent directors, is responsible for oversight of cybersecurity risk in connection with its oversight of the Company’s enterprise risk management process.
Marathon Oil’s senior leadership and the Audit and Finance Committee of our Board receive regular cybersecurity updates, with formal reporting to the Audit and Finance Committee at least annually. Our CIO regularly provides reports to senior leadership and the Audit and Finance Committee regarding our ongoing assessment of cybersecurity threats and risks, data security programs designed to prevent and detect threats, attacks, incursions and breaches, as well as management, mitigation and remediation of potential, and any actual, cybersecurity and information technology risks and breaches. In addition, the Audit and Finance Committee and management review reports from internal audit regarding evaluation of our information technology department on a regular basis.
To date, the Company has not experienced any material cybersecurity incidents and we are not aware of any cybersecurity risks that are reasonably likely to materially affect the Company. For additional information about the Company’s cybersecurity risks, please see Item 1A. Risk Factors.