OCCIDENTAL PETROLEUM CORP /DE/ - (OXY)
10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT AND STRATEGY
Occidental has implemented and maintains processes for assessing, identifying and managing material risks from potential unauthorized occurrences on or through its IT and ICS networks that may result in material adverse effects on the confidentiality, integrity and availability of Occidental’s systems and the information residing in those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, written policies, physical safeguards and other processes designed to prevent or mitigate data loss, theft, misuse or other security incidents or vulnerabilities affecting Occidental’s systems and the data it collects, processes, stores and transmits as part of its businesses.
Occidental has developed a robust cybersecurity program which is reviewed by senior leadership including its Chief Information Officer (CIO) and other stakeholders as part of its standard general IT controls. Business network and ICS cybersecurity risks are handled by separate and dedicated Occidental teams and are incorporated into Occidental’s enterprise risk management program.
Occidental’s cybersecurity strategy is intended to mitigate cybersecurity threats identified in the risk management process and provide a framework for Occidental to have appropriate administrative, technical and physical safeguards to protect its systems and data and respond effectively to cybersecurity threats. The Company’s cybersecurity program aligns with the NIST framework and leverages people, processes and technology to identify and respond to cybersecurity threats in a timely manner. Occidental relies on continuous security monitoring, penetration testing, vulnerability scanning, personnel training and other tools to identify and mitigate potential cybersecurity threats. Occidental also has established cybersecurity policies that address its cybersecurity practices and controls. The Company conducts internal security audits, including audits conducted by third parties, and other assessments. In addition to its administrative and technical safeguards, Occidental has implemented physical safeguards intended to mitigate risks to its systems. Using a standardized written evaluation and other investigative processes, Occidental identifies and assesses cybersecurity risks flowing from its vendors and suppliers, and manages these using a risk-based approach.
24 | OXY 2023 FORM 10-K |
Occidental has implemented and maintains a cybersecurity incident response plan that provides the organizational and operational protocol for the Company to effectively and timely respond to cybersecurity incidents. In the event of a material cybersecurity incident, Occidental’s CIO will receive regular updates and monitor detection, mitigation and remediation through reports from a team of experienced cybersecurity leaders responsible for actioning the Company’s cybersecurity incident response plan. As a material cybersecurity incident is handled by the team, the CIO will maintain communication and information flow to senior leadership as well as the Audit Committee and/or the Board, as appropriate.
Cybersecurity risks and associated mitigation strategies and efforts are analyzed by senior leadership as part of the enterprise risk assessments that are reported to and discussed by the Board. Additional information on cybersecurity risks Occidental faces is discussed in Item 1A of Part I, “Risk Factors,” under the heading “Occidental is exposed to cyber-related risks,” which should be read in conjunction with the foregoing information.
Occidental’s business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but Occidental cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on Occidental’s cybersecurity related risks, see Item 1A “Risk Factors” of this Annual Report on Form 10-K.
GOVERNANCE
BOARD
The Audit Committee of the Board oversees the Company’s IT security programs, including cybersecurity, which includes review of possible external threats and potential mitigations. The Board also reviews the Company’s cybersecurity program at least annually. In this review, the CIO briefs the full Board on cybersecurity and data protection matters, including analysis and review of the measures implemented by the Company to identify and mitigate cybersecurity risks. Occidental also has protocols by which material cybersecurity incidents are to be reported to the Audit Committee and/or the Board, as appropriate.
SENIOR MANAGEMENT
Occidental’s CIO, who has over 20 years of IT and cybersecurity experience at the Company and elsewhere, heads the team responsible for implementing and maintaining cybersecurity and data protection practices across Occidental’s businesses and reports directly to the President and CEO. Occidental has a centrally coordinated team, led by its CIO, responsible for implementing and maintaining cybersecurity and data protection practices across the Company. Occidental’s CIO regularly reviews risk management measures and the overall cyber risk strategy implemented and maintained by the Company. The CIO receives regular updates on Occidental’s cybersecurity program and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through reports from the Company’s cybersecurity leaders, each of whom is supported by a team of trained cybersecurity professionals. In addition to Occidental’s extensive in-house cybersecurity capabilities, Occidental also engages assessors, consultants, auditors or other third parties when necessary to assist with assessing, identifying and managing cybersecurity risks.