Cybersecurity
Protecting our information systems and technology
With global cybersecurity threats and Devon’s digital technology use both increasing, we focus on protecting our networks, systems and the significant amount of data we use to run our business. Devon invests in advanced tools and processes to safeguard our technology, operate our business safely and reliably, manage risk and deliver results.
Our highly skilled and trained digital security professionals apply artificial intelligence, process automation, data analytics and other techniques in the field and office. We require and pay for each member of our security operations team to earn technical certifications for different technologies, platforms and applications. These include certifications for security essentials and incident handling, global information assurance, information security, forensics and Lean Six Sigma.
Each week, the cybersecurity team meets to discuss cyberthreats, incidents and effective prevention measures. The team proactively develops, uses and shares information on cyberthreats to enhance our knowledge with appropriate levels and layers of automation. Our digital security professionals collaborate with Devon operations, information technology, corporate security, emergency management and other teams to strengthen our cybersecurity controls and capabilities.
We provide regular quarterly updates to the board’s Audit Committee regarding our information security program. These updates cover a variety of topics, including our major cybersecurity plans and initiatives, benchmarking assessments and current events that could impact cybersecurity for our company and industry. Our full board of directors also receives regular updates from our management team regarding the program, as well as reports from the Audit Committee. Three of our directors have technology or cybersecurity experience that enhances the board’s risk oversight role.
Mitigating cybersecurity risk
We have made efforts to align our security policy and program with the federal NIST Cybersecurity Framework for risk management. To further mitigate cybersecurity risk, our policy and program are periodically assessed by third-party experts, and we maintain specialized insurance for possible liability resulting from a cyberattack on our assets.
Devon internally exercises and tests our incident response and disaster recovery plans as part of our corporate emergency preparedness program.
A culture of prevention and compliance strengthens our digital security. All employees take cybersecurity awareness training during onboarding and through annual refresher training. Teams that have access to sensitive data take specific training and employees receive recognition if they help us avoid cybersecurity events. Our Code of Business Conduct and Ethics, the Information System General Usage Policy and related policies provide guidance on our information systems.
Devon develops our own patented technologies, deploys mobile apps in the field, and commercializes and scales technology solutions in partnership with innovators. As part of its role to protect data and technology appropriately, our digital security team evaluates technologies that we build, buy and deploy, and recommends safeguards to the business owners. The digital security team performed technical assessments on over 80 different platforms throughout 2023.
We continually improve alignment among our IT, operational technology and digital security groups to secure Devon’s technology initiatives and address risks. Devon proactively secures its information and infrastructure in light of the evolving global threat environment. In 2023, Devon’s digital security and technology teams worked to separate portions of our network to better manage operational risk. Additionally, in 2023 we began performing cybersecurity assessments on key vendors and suppliers for physical goods and services. This new activity provides our core business with a better understanding of the cyber risk level for these providers so that we can better manage the operational risk.
Devon assesses our internal controls, considers federal government recommendations and takes other precautions, while enabling employees to work efficiently and effectively from any location. Through ongoing efforts to educate employees to recognize increasingly sophisticated threats like malware, ransomware and phishing attempts, we are heightening digital security awareness in our workforce.
We actively share information with peer companies, industry and IT security groups, and local, state and federal agencies to monitor and respond to the global landscape. In October 2023, Devon hosted an FBI Cyber Executive Summit at our headquarters in Oklahoma City for individuals involved in cybersecurity, law enforcement, legal and other risk management functions for private and public entities. The summit included presentations from local FBI field office agents on recent cases involving different aspects of cybercrime, an overview of ransomware operations, as well as an overview of cybercrime incidents and trends presented by the FBI Executive Assistant Director. Devon continues to forge strong partnerships with federal agencies in the interest of better protecting Devon’s assets and national security interests of critical infrastructure.