Phillips 66 - (PSX)

10-K Filing Date: February 21, 2024
Item 1C. CYBERSECURITY

Management has implemented a comprehensive cybersecurity program that is designed to protect our information, and that of our customers and suppliers, against cybersecurity threats that may materially and adversely affect the confidentiality, integrity, and availability of our information systems. Our cybersecurity program includes processes and standards that leverage recognized cybersecurity frameworks, industry best practices and guidance from U.S. Government security directives that focus on cybersecurity and critical infrastructure.

Cybersecurity Governance

Board of Directors

The Audit and Finance Committee of the Board of Directors (the Audit and Finance Committee) is responsible for overseeing the company’s Enterprise Risk Management (ERM) program, including oversight of the processes management has implemented to assess, identify and manage risks associated with cybersecurity and information technology. In carrying out this responsibility, the Audit and Finance Committee regularly receives written reports from the company’s Chief Information Security Officer (CISO) and periodic briefings from the CISO. These presentations may address a wide range of topics, such as the results of recent vulnerability assessments and third-party independent reviews, changes to the threat environment, technological trends and other recent developments, and peer and other third-party benchmarking. The Audit and Finance Committee makes regular reports to the Board of Directors on data protection and cybersecurity matters. The company maintains an Enterprise Cybersecurity Incident Response Plan (ECIRP) which provides the framework for management’s response to cyber-related incidents and escalation protocols, including, when appropriate, prompt reporting to the Board of Directors.

Management

At the management level, our CISO has extensive cybersecurity knowledge and skills gained from work experience at the company and with a law enforcement agency, as well as from obtaining advanced professional certifications. The CISO is responsible for the assessment and management of risks from cybersecurity threats and leads a team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across the company. The individuals who report directly to our CISO possess relevant educational and industry experience in the areas of cyber threat hunting and intelligence, digital standards, data privacy, cyber training, and cybersecurity operations center management. In addition to our internal cybersecurity capabilities, we also regularly engage consultants or other third parties to assist with assessing, identifying, and managing cybersecurity risks. The CISO receives reports on cybersecurity threats on an ongoing basis and, in conjunction with management, regularly reviews the risk management measures implemented by the company to identify, assess and mitigate data protection and cybersecurity risks. Our CISO works closely with the company’s Senior Counsel, Intellectual Property and Data Protection, to oversee compliance with legal, regulatory and contractual security requirements.

Risk Management and Strategy

On an annual basis, we conduct an evaluation of our cybersecurity risks as part of the ERM program. Through the ERM program, the CISO and other internal subject matter experts review potential cybersecurity threat scenarios, such as data theft, cash theft, widespread outages and business disruptions, and the potential consequences of such scenarios. The results of the risk assessment are shared with management and the Audit and Finance Committee.

We have a continuous monitoring program to detect and respond to potential cybersecurity threats in real time. Log data from our technical controls are collected, aggregated, and correlated in a Security Information and Event Management (SIEM) system that identifies, categorizes and analyzes events. If the SIEM system identifies a potential security event, it can direct other controls to stop the activity and also generate alerts for detection and response. These alerts are monitored by a managed security service provider that augments a dedicated internal Security Operations Center team.

In addition, we utilize a third-party risk management (TPRM) program to identify, assess, monitor, and mitigate risks associated with third-party relationships, including cybersecurity risks. The TPRM program is designed to help ensure proper controls and measures are in place to manage the potential risks and vulnerabilities associated with third parties. Our policies and procedures govern these relationships from initial due diligence, selection, and contracting through termination.

With respect to cybersecurity incident response, our ECIRP provides a standardized framework for responding to cybersecurity incidents. The ECIRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate.

Internal audit performs audits of our cybersecurity program. Each year, we conduct audits across the company’s information technology and operational technology infrastructure, networks, systems, applications, and operational processes and procedures to evaluate compliance with our information security policies and standards. Process control network assurance audits are conducted on a rotating, risk-based schedule under which each operational business area is covered at intervals of no more than five years. In addition to the internal audits, we also engage external cybersecurity experts and auditors to conduct assessments, penetration testing, and cybersecurity maturity assessments. Although we have experienced actual and attempted cybersecurity events and incidents on our networks and systems in the past, we do not believe that the risks from any of these events or incidents, individually or in the aggregate, have materially affected our business, operations, or financial condition, or are reasonably likely to have such an effect. For more information concerning the cybersecurity risks we face, see the discussion in “Item 1A. Risk Factors” in this report.