CONOCOPHILLIPS - (COP)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Cybersecurity Risk Assessment and Management
We take a multilayered approach to cybersecurity risk management and strategy. Our IT/OT Security Program integrates administrative, technical, and physical controls against evolving cybersecurity threats, and includes enterprise IT and OT security architecture, cybersecurity operations, data privacy and governance, supply chain security, and governance, risk, and compliance. Additionally, it is designed to identify, assess, and manage cybersecurity risks and protect the confidentiality, integrity, and availability of our data, IT, and OT.

Cybersecurity is a component of our IT/OT Security Program, which we periodically review and adapt to respond to new and evolving circumstances, cybersecurity threats and regulations. We evaluate security, privacy, and resiliency risks, including those related to cybersecurity, in our overall Enterprise Risk Management (ERM) program's annual risk assessment process. This annual risk assessment process takes into account broader risks based on likelihood, potential consequences, and mitigations, such as operational and economic impact; health, safety and environmental impact; and reputational and financial implications. This risk assessment is discussed with members of the ELT, Audit and Finance Committee (AFC) of the Board of Directors, and Board of Directors on at least an annual basis.

We consult recognized security frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework, to organize, improve, and assess our IT/OT Security Program to manage and reduce cybersecurity risk. We deploy, configure, and maintain various technologies designed to enforce security policies, detect and protect against cybersecurity threats, and help safeguard IT and OT assets. We operate a Cybersecurity Operation Center (CSOC) to ingest threat intelligence, monitor cybersecurity threats, coordinate incident response resources and manage response times.

Our Global Computer Security Incident Response Plan (CSIRP) establishes the framework for our response to cybersecurity incidents. Under the CSIRP, cybersecurity incidents are escalated based on a defined incident categorization to the Chief Information Security Officer (CISO) and senior leaders, including the Chief Digital & Information Officer (CD&IO), General Counsel, Chief Financial Officer, and other cybersecurity program stakeholders, such as the AFC and/or the full Board of Directors. We also conduct incident response exercises at least annually, which are facilitated by internal team members and, in some instances, with assistance from third-party experts.

Physical controls are designed to work in conjunction with digital and cybersecurity controls to help protect the Company’s IT and OT assets from physical threats. Our Chief Security Officer is responsible for a physical security program including site plans, cameras, security systems monitoring, and access control and badging systems to manage physical security risks.

Our governing policies, standards and procedures create a structured approach to managing cybersecurity risk. Information security requirements for employees, contractors and partners are detailed in the ConocoPhillips Information Security & Protection Policy. Our workforce is required to complete information security training annually, and we periodically communicate ways to recognize and avoid cybersecurity threats to our workforce.

ConocoPhillips 2023 10-K

Engagement of Third Parties
We engage third-party cybersecurity consultants and experts to supplement staffing of our CSOC, as well as to help us assess, validate, and enhance our security practices, including conducting cybersecurity maturity assessments, vulnerability assessments and penetration tests.

As part of the cybersecurity incident response process described above, we engage third-party experts as needed to support incident response, such as external legal advisors, cybersecurity forensic firms and other specialists.

Third Party Service Provider Risk Management
Our third-party risk management process is designed to identify, assess, and mitigate risks associated with third-party service providers, including cybersecurity risks. An initial assessment is conducted to assess the cybersecurity risks associated with a third-party provider based on various criteria, such as whether the third-party provider has access to our network, data, and information systems. Third-party providers that are identified through the initial assessment as warranting further review are subject to additional risk assessment. In parallel, we have designed a contracting process to mitigate cybersecurity risks by specifying the rights and responsibilities of the parties.

Risks from Material Cybersecurity Threats
While we are subject to ongoing cybersecurity threats, we do not believe that the risks from previous threats have materially affected or are reasonably likely to materially affect the company, including our business strategy, results of operations or financial condition. Nevertheless, we recognize cybersecurity threats are ongoing and evolving, and our program is designed to identify and manage those threats. See Item 1A. Risk Factors, "Our technologies, systems and networks are subject to cybersecurity threats," for more information on our risks relating to our technologies, systems, and networks.

Cybersecurity Governance

Management's Role
A dedicated CISO leads the IT/OT Security Team and is responsible for our cybersecurity risk management and strategy. The CISO has over 20 years of experience in security, of which 15 years is specific to cybersecurity, and has served as a CISO since 2013, having joined ConocoPhillips as CISO in 2022. The CISO holds a master’s degree and is a Certified Information Security Professional. The CISO reports to the CD&IO, who holds a master’s degree in information technology and has served as Chief Information Officer/Chief Technology Officer and in various roles in information technology for over 27 years. The CD&IO reports to the Executive Vice President, Strategy, Sustainability and Technology. This management team assesses and manages risks associated with cybersecurity.

Board of Directors' Oversight
While our cybersecurity management team is responsible for the day-to-day assessment and management of material risks from cybersecurity threats, the ConocoPhillips Board of Directors has oversight responsibility for our ERM program and the individual risk management programs comprising our ERM program, including cybersecurity risk management. To help maintain effective Board of Directors' oversight across the entire enterprise, the Board of Directors delegates certain elements of its oversight function to individual committees. The AFC assists the Board of Directors in fulfilling its oversight of our ERM program and cybersecurity.

The Board of Directors receives a report on cybersecurity annually, and the AFC receives reports on cybersecurity twice a year. For meetings where cybersecurity is not on the formal agenda, the AFC will receive a pre-read that includes cybersecurity updates or discussion topics. During these reviews, management discusses various topics, including information relating to IT/OT Security strategy, program management, cybersecurity risks and threats, and provides briefings on notable cybersecurity attacks, including those relating to third-party service providers, if known. In addition to this regular reporting, significant cybersecurity risks or threats may also be escalated on an as needed basis to the AFC and Board of Directors.