IMPERIAL OIL LTD 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

IMPERIAL OIL LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:35:09 EST.

Filings

10-K filed on 2024-02-28

IMPERIAL OIL LTD filed a 10-K at 2024-02-28 16:35:09 EST
Accession Number: 0000049938-24-000010


Item 1C. Cybersecurity.

Item 1C. Cybersecurity" for information on the company’s program for managing cybersecurity risks. The company has limited ability to influence third parties, including the company’s partners, suppliers, service providers (including providers of cloud-based services for the company’s data or applications) and customers, to implement strong cybersecurity controls, and the company is exposed to potential harm from cybersecurity events that may affect their operations. During 2023, the company responded to several cyber-attacks on suppliers and joint venture partners, none of which caused a material impact to Imperial. The company’s response included giving technical assistance, loaning equipment, and taking additional defensive measures. If the measures the company is taking to protect against cybersecurity disruptions prove to be insufficient or if the company’s proprietary data is otherwise not protected, the company, as well as its customers, employees or third parties, could be adversely affected. Cybersecurity disruptions could cause physical harm to people or the environment; damage or destroy assets; compromise business systems; result in proprietary information being altered, lost or stolen; result in employee, customer or third-party information being compromised; or otherwise disrupt the company’s business operations. The company could incur significant costs to remedy the effects of a major cybersecurity disruption, in addition to costs in connection with resulting regulatory actions, litigation or reputational harm.

Preparedness

The company’s operations have been and in the future may be disrupted by severe weather events, natural disasters, human error, and similar events.
The company’s facilities are designed, engineered, constructed, and operated to withstand a variety of extreme climatic and other conditions, with safety factors built in to cover a number of uncertainties, including those associated with permafrost stability, temperature extremes, extreme rainfall events, earthquakes and other events. The company’s consideration of changing weather conditions and inclusion of safety factors in design covers the engineering uncertainties that climate change and other events may potentially introduce. Imperial’s ability to mitigate the adverse impacts of these events depends in part upon the effectiveness of its robust facility engineering, rigorous disaster preparedness and response, and business continuity planning.

Reputation

Imperial’s reputation is an important corporate asset. Factors that could have an impact on the company’s reputation include an operating incident or significant cybersecurity disruption; changes in consumer views concerning the company’s products; a perception by the public that the company is not being fully transparent in the sharing of information regarding its operations that is or may be relevant to community decision-making; actions taken by the company’s business partners; a perception by investors or others that insufficient progress is being made with respect to the company’s ambition in the energy transition, or that pursuit of this ambition may result in allocation of capital to investments with reduced returns; and other adverse events such as those described in this Item 1A. Negative impacts on Imperial’s reputation could, in turn, make it more difficult for the company to compete successfully for new opportunities, obtain necessary regulatory approvals, obtain financing, and attract talent, or they could reduce consumer demand for the company’s branded products.
Imperial’s reputation may also be harmed by events which negatively affect the image of the industry as a whole, including public and investor perception of Alberta oil sands in relation to greenhouse gas emissions, Indigenous rights and environmental impact.

Reserves

The company’s future production and cash flows from bitumen, synthetic crude oil, liquids and natural gas reserves are highly dependent upon the company’s success in exploiting its current reserves. To maintain production and cash flows over the long term, the company must replace produced reserves, which can be accomplished through exploration discovery of new resources, appraisal and investments in developing discovered resources, or acquisition of reserves. To the extent cash flows from operations are insufficient to fund capital expenditures and external sources of capital become limited or unavailable, the company’s ability to make the necessary capital investments to maintain and grow oil and natural gas reserves will be adversely impacted. In addition, the company may be unable to find and develop or acquire additional reserves to replace oil and natural gas production at acceptable costs. Estimates of economically recoverable oil and natural gas reserves and future net cash flows involve many uncertainties, including factors beyond the company’s control.
Key factors with uncertainty include: geological and engineering estimates, including that additional information obtained through seismic and drilling programs, reservoir analysis and production and operational history may result in revisions to reserves; the assumed effects of regulation or changes to regulation by government agencies, including royalty frameworks and environmental regulations (such as the regulation of greenhouse gas emissions, including accelerated timelines and emission reduction stringency to meet government goals, which could impose significant compliance costs on the company, require new technology, or impact the economic viability of certain projects); future commodity prices, where low commodity prices may affect reserves development; abandonment and reclamation costs, including reclamation and tailings requirements for mining operations; and operating costs. Actual production, revenues, taxes and royalties, development costs, abandonment and reclamation costs, and operating expenditures, with respect to reserves, will likely vary from such estimates, and such variances could be material.

Item 1B. Unresolved staff comments

None.

Item 1C. Cybersecurity

Imperial recognizes the importance of cybersecurity in achieving its business objectives, safeguarding its assets, and managing its daily operations. Accordingly, the company integrates cybersecurity risks into its overall enterprise risk management system. The board of directors oversees the company’s risk management approach and structure, which includes an annual review of the company’s cybersecurity program. The company’s cybersecurity program is managed by the Canada IT Manager, with support from cross-functional teams led by information technology (IT) and operational technology cybersecurity operations managers in the company and in Exxon Mobil Corporation and its affiliates (collectively, Cybersecurity Operations Managers).
The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents. The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations. IT management provides updates to the company’s senior management throughout the year, covering, as appropriate, the company’s cybersecurity strategy, initiatives, key security metrics, penetration testing and benchmarking learnings, and business response plans, as well as the evolving cybersecurity threat landscape.

The company’s cybersecurity program includes multi-layered technological capabilities designed to prevent and detect cybersecurity disruptions and leverages industry standard frameworks, including the National Institute of Standards and Technology Cybersecurity Framework. The cybersecurity program incorporates an incident response plan to engage cross-functionally and report cybersecurity incidents to appropriate levels of management based on potential impact. The company conducts annual cybersecurity awareness training and routinely tests cybersecurity awareness and business preparedness for response and recovery, which are developed based on real-world threats. In addition, IT management exchanges threat information with governmental and industry groups and proactively engages independent, third-party cybersecurity experts to test, evaluate and recommend improvements on the effectiveness and resiliency of its cybersecurity program through penetration testing, breach assessments, regular cybersecurity incident drill testing, threat information sharing, and industry benchmarking.
The company takes a risk-based approach with respect to its third-party service providers, tailoring processes according to the nature and sensitivity of the data or systems accessed by such third-party service providers and performing additional risk screenings and procedures, as appropriate.

As of the date of this report, the company has not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the company including its business strategy, results of operations, or financial condition. While the company believes its cybersecurity program to be appropriate for managing constantly evolving cybersecurity risks, no program can fully protect against all possible adverse events. For additional information on these risks and potential consequences if the measures the company is taking prove to be insufficient or if the company’s proprietary data is otherwise not protected, see Item 1A. Risk factors: Operational and other factors - Cybersecurity in this report.


Company Information

Name: IMPERIAL OIL LTD
CIK: 0000049938
SIC Description: Petroleum Refining
Ticker: IMO - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: December 30