EXXON MOBIL CORP 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

EXXON MOBIL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:37:18 EST.

Filings

10-K filed on 2024-02-28

EXXON MOBIL CORP filed an 10-K at 2024-02-28 16:37:18 EST
Accession Number: 0000034088-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C in this Report for information on ExxonMobil s program for managing cybersecurity risks. If the measures we are taking to protect against cybersecurity disruptions prove to be insufficient or if our proprietary data is otherwise not protected, ExxonMobil, as well as our customers, employees, or third parties, could be adversely affected. We have limited ability to influence third parties, including our partners, suppliers and service providers (including providers of cloud-hosting services for our data or applications), to implement strong cybersecurity controls and are exposed to potential harm from cybersecurity events that may affect their operations. Cybersecurity disruptions could cause physical harm to people or the environment; damage or destroy assets; compromise business systems; result in proprietary information being altered, lost, or stolen; result in employee, customer, or third-party information being compromised; or otherwise disrupt our business operations. We could incur significant costs to remedy the effects of a major cybersecurity disruption in addition to costs in connection with resulting regulatory actions, litigation, or reputational harm. 6 Preparedness. Our operations may be disrupted by severe weather events, natural disasters, human error, and similar events. For example, hurricanes may damage our offshore production facilities or coastal refining and petrochemical plants in vulnerable areas. Our facilities are designed, engineered, constructed, and operated to withstand a variety of extreme climatic and other conditions, with safety factors built in to cover a number of uncertainties, including those associated with wave, wind, and current intensity, marine ice flow patterns, permafrost stability, storm surge magnitude, temperature extremes, extreme rainfall events, and earthquakes. Our consideration of changing weather conditions and inclusion of safety factors in design covers the engineering uncertainties that climate change and other events may potentially introduce. Our ability to mitigate the adverse impacts of these events depends in part upon the effectiveness of our robust facility engineering, our rigorous disaster preparedness and response, and business continuity planning. Insurance limitations. The ability of the Corporation to insure against many of the risks it faces as described in this Item 1A is limited by the availability and cost of coverage, which may not be economic, as well as the capacity of the applicable insurance markets, which may not be sufficient. Competition. As noted in Item 1 above, the energy and petrochemical industries are highly competitive. We face competition not only from other private firms, but also from state-owned companies that are increasingly competing for opportunities outside of their home countries and as partners with other private firms. In some cases, these state-owned companies may pursue opportunities in furtherance of strategic objectives of their government owners, with less focus on financial returns than companies owned by private shareholders, such as ExxonMobil. Technology and expertise provided by industry service companies may also enhance the competitiveness of firms that may not have the internal resources and capabilities of ExxonMobil or reduce the need for resource-owning countries to partner with private-sector oil and gas companies in order to monetize national resources. As described in more detail above, our hydrocarbon-based energy products are also subject to growing and, in many cases, government-supported competition from alternative energy sources. Reputation. Our reputation is an important corporate asset. Factors that could have a negative impact on our reputation include an operating incident or significant cybersecurity disruption; changes in consumer views concerning our products; a perception by investors or others that the Corporation is making insufficient progress with respect to our ambition to play a leading role in the energy transition, or that pursuit of this ambition may result in allocation of capital to investments with reduced returns; and other adverse events such as those described in this Item 1A. Negative impacts on our reputation could in turn make it more difficult for us to compete successfully for new opportunities, obtain necessary regulatory approvals, obtain financing, and attract talent, or they could reduce consumer demand for our branded products. ExxonMobil s reputation may also be harmed by events which negatively affect the image of our industry as a whole. Projections, estimates, and descriptions of ExxonMobil s plans and objectives included or incorporated in Items 1, 1A, 1C, 2, 5, 7, and 7A of this report are forward-looking statements. Actual future results, including project completion dates, production rates, capital expenditures, costs, and business plans could differ materially due to, among other things, the factors discussed above and elsewhere in this report. ITEM 1B. UNRESOLVED STAFF COMMENTS None. 7 ITEM 1C. CYBERSECURITY The Corporation recognizes the importance of cybersecurity in achieving its business objectives, safeguarding its assets, and managing its daily operations. Accordingly, the Corporation integrates cybersecurity risks into its overall enterprise risk management system. The Audit Committee oversees the Corporation s risk management approach and structure, which includes an annual review of the Corporation s cybersecurity program. The Corporation s cybersecurity program is managed by the Corporation s Vice President of IT, with support from cross-functional teams led by ExxonMobil information technology (IT) and operational technology (OT) cybersecurity operations managers (collectively, Cybersecurity Operations Managers). The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents. The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations. IT management provides regular reports to the Corporation s senior management throughout the year, and to the Audit Committee or the Board of Directors, as appropriate, in its annual cybersecurity review. Such reports typically address, among other things, the Corporation s cybersecurity strategy, initiatives, key security metrics, penetration testing and benchmarking learnings, and business response plans as well as the evolving cybersecurity threat landscape. The Corporation s cybersecurity program includes multi-layered technological capabilities designed to prevent and detect cybersecurity disruptions and leverages industry standard frameworks, including the National Institute of Standards and Technology Cybersecurity Framework. The cybersecurity program incorporates an incident response plan to engage cross-functionally across the Corporation and report cybersecurity incidents to appropriate levels of management, including senior management, and the Audit Committee or Board of Directors, based on potential impact. The Corporation conducts annual cybersecurity awareness training and routinely tests cybersecurity awareness and business preparedness for response and recovery, which are developed based on real-world threats. In addition, the Corporation exchanges threat information with governmental and industry groups and proactively engages independent, third-party cybersecurity experts to test, evaluate and recommend improvements on the effectiveness and resiliency of its cybersecurity program through penetration testing, breach assessments, regular cybersecurity incident drill testing, threat information sharing, and industry benchmarking. The Corporation takes a risk-based approach with respect to its third-party service providers, tailoring processes according to the nature and sensitivity of the data or systems accessed by such third-party service providers and performing additional risk screenings and procedures, as appropriate. As of the date of this report, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect the Corporation, including our business strategy, results of operations, or financial condition. While the Corporation believes its cybersecurity program to be appropriate for managing constantly evolving cybersecurity risks, no program can fully protect against all possible adverse events. For additional information on these risks and potential consequences if the measures we are taking prove to be insufficient or if our proprietary data is otherwise not protected, see Item 1A. Risk Factors: Operational and Other Factors – Cybersecurity in this report. 8
ITEM 1C. CYBERSECURITY The Corporation recognizes the importance of cybersecurity in achieving its business objectives, safeguarding its assets, and managing its daily operations. Accordingly, the Corporation integrates cybersecurity risks into its overall enterprise risk management system. The Audit Committee oversees the Corporation s risk management approach and structure, which includes an annual review of the Corporation s cybersecurity program. The Corporation s cybersecurity program is managed by the Corporation s Vice President of IT, with support from cross-functional teams led by ExxonMobil information technology (IT) and operational technology (OT) cybersecurity operations managers (collectively, Cybersecurity Operations Managers). The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents. The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations. IT management provides regular reports to the Corporation s senior management throughout the year, and to the Audit Committee or the Board of Directors, as appropriate, in its annual cybersecurity review. Such reports typically address, among other things, the Corporation s cybersecurity strategy, initiatives, key security metrics, penetration testing and benchmarking learnings, and business response plans as well as the evolving cybersecurity threat landscape. The Corporation s cybersecurity program includes multi-layered technological capabilities designed to prevent and detect cybersecurity disruptions and leverages industry standard frameworks, including the National Institute of Standards and Technology Cybersecurity Framework. The cybersecurity program incorporates an incident response plan to engage cross-functionally across the Corporation and report cybersecurity incidents to appropriate levels of management, including senior management, and the Audit Committee or Board of Directors, based on potential impact. The Corporation conducts annual cybersecurity awareness training and routinely tests cybersecurity awareness and business preparedness for response and recovery, which are developed based on real-world threats. In addition, the Corporation exchanges threat information with governmental and industry groups and proactively engages independent, third-party cybersecurity experts to test, evaluate and recommend improvements on the effectiveness and resiliency of its cybersecurity program through penetration testing, breach assessments, regular cybersecurity incident drill testing, threat information sharing, and industry benchmarking. The Corporation takes a risk-based approach with respect to its third-party service providers, tailoring processes according to the nature and sensitivity of the data or systems accessed by such third-party service providers and performing additional risk screenings and procedures, as appropriate. As of the date of this report, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect the Corporation, including our business strategy, results of operations, or financial condition. While the Corporation believes its cybersecurity program to be appropriate for managing constantly evolving cybersecurity risks, no program can fully protect against all possible adverse events. For additional information on these risks and potential consequences if the measures we are taking prove to be insufficient or if our proprietary data is otherwise not protected, see Item 1A. Risk Factors: Operational and Other Factors – Cybersecurity in this report. 8

Company Information