Protecting our information systems and technology advantage

With global cybersecurity threats and Devon’s digital technology use both increasing, we focus on protecting our networks, systems and the significant amount of data we use to run our business. Devon invests in state-of-the-art tools and processes to safeguard our technology advantage, operate our business safely and reliably, manage risk and deliver results.

Our highly skilled and trained digital security professionals apply artificial intelligence, process automation, data analytics and other techniques in the field and office. We require and pay for each member of our security operations team to earn technical certifications for different technologies, platforms and applications. These include certifications for security essentials and incident handling, global information assurance, information security, forensics and Lean Six Sigma.

Each week, the cybersecurity team meets to discuss cyberthreats, incidents and effective prevention measures. The team proactively develops, uses and shares information on cyberthreats to enhance our knowledge with appropriate levels and layers of automation. Our digital security professionals collaborate with Devon operations, information technology, corporate security, emergency management and other teams to strengthen our cybersecurity controls and capabilities.

We provide regular quarterly updates to our board and its Audit Committee regarding our information security program. Devon’s management team routinely updates the committee on our major cybersecurity plans and initiatives, benchmarking assessments and current events that could impact cybersecurity for our company and industry. Three of our directors have technology or cybersecurity experience that enhances the board’s risk oversight role.

Mitigating cybersecurity risk

Our corporate information security policy and program are aligned with the federal NIST Cybersecurity Framework for risk management. To further mitigate cybersecurity risk, our policy and program are assessed by third-party experts, and we maintain specialized insurance for possible liability resulting from a cyberattack on our assets.

Devon internally exercises and tests our incident response and disaster recovery plans as part of our corporate emergency preparedness program. In 2022, we continued building our disaster recovery capabilities with field and business unit exercises and training. Operational technology security remained a focus area as we continued to add robust preventive and detective controls in the field.

Devon’s digital security and emergency management teams collaborated on tabletop exercises and stress tests of our response plans in 2022. They were part of our ongoing focus on further improving our capabilities to address a technology disruption that could impact our field operations.

A culture of prevention and compliance strengthens our digital security. All employees take cybersecurity awareness training during onboarding and through annual refresher training. Teams that have access to sensitive data take specific training and employees receive recognition if they help us avoid cybersecurity events. Our Code of Business Conduct and Ethics, the Information System General Usage Policy and related policies provide guidance on our information systems.

Devon develops our own patented technologies, deploys mobile apps in the field, and commercializes and scales technology solutions in partnership with innovators. As part of its role to protect data and technology appropriately, our digital security team evaluates technologies that we build, buy and deploy, and recommends safeguards to the business owners. In 2022, we formalized a digital security role to proactively engage with technology projects and initiatives before they’re executed to identify potential security risks and recommend mitigations. We’ll keep improving alignment among our IT, operational technology and digital security groups to secure Devon’s technology initiatives and address risks.

Devon continues to proactively secure our information and infrastructure in light of the evolving global threat environment. We actively share information with peer companies, industry and IT security groups, and local, state and federal agencies to monitor and respond to the global landscape. Devon assesses our internal controls, follows federal government recommendations and takes other precautions, while enabling employees to work efficiently and effectively from any location. Through ongoing efforts to educate employees to recognize increasingly sophisticated threats like malware, ransomware and phishing attempts, we are heightening digital security awareness in our workforce.