Protecting our information systems and technology

With global cybersecurity threats and Devon’s digital technology use both increasing, we focus on protecting our networks, systems and the significant amount of data we use to run our business. Devon invests in advanced tools and processes to safeguard our technology, operate our business safely and reliably, manage risk and deliver results.

Our highly skilled and trained digital security professionals apply their numerous years of experience through an advanced security toolset that uses automation, advanced analytics and artificial intelligence to protect the company’s people, data and technologies in corporate and field offices. We require and pay for each member of our security operations team to earn technical certifications for different technologies, platforms and applications. These include certifications for incident response, digital forensics, data privacy, open-source intelligence gathering, threat intelligence and data analysis.

Each week, the digital security team meets to discuss cyberthreats, incidents and effective prevention measures. The team proactively develops, uses and shares information on cyberthreats to enhance our knowledge with appropriate levels and layers of automation. Our digital security professionals collaborate with Devon operations, information technology, corporate security, emergency management and other teams to strengthen our cybersecurity controls and capabilities.

We provide regular quarterly updates to the board’s Audit Committee regarding our digital security program. These updates cover a variety of topics, including our major cybersecurity plans and initiatives, benchmarking assessments and current events that could impact cybersecurity for our company and industry. Our full board of directors also receives regular updates from our management team regarding the program, as well as reports from the Audit Committee. Three of our directors have technology or cybersecurity experience that enhances the board’s risk oversight role.

Mitigating cybersecurity risk

We have made efforts to align our security policy and program with the federal NIST Cybersecurity Framework for risk management. To further mitigate cybersecurity risk, our policy and program are periodically assessed by third-party experts, and we maintain specialized insurance for possible liability resulting from a cyberattack on our assets.

Devon internally exercises and tests our incident response and disaster recovery plans as part of our corporate emergency preparedness program.

A culture of prevention and compliance strengthens our digital security. All employees take cybersecurity awareness training during onboarding and through annual refresher training. Teams that have access to sensitive data take specific training and employees receive recognition if they help us avoid cybersecurity events. We also require all of our contractors to complete cybersecurity training as a part of the onboarding process. Our Code of Business Conduct and Ethics, the Information System General Usage Policy and related policies provide guidance on our information systems.

Devon develops our own patented technologies, deploys mobile apps in the field, and commercializes and scales technology solutions in partnership with innovators. As part of its role to protect data and technology appropriately, our digital security team evaluates technologies that we build, buy and deploy, and recommends safeguards to the business owners. Beyond risk assessments of technology vendors and applications, the digital security team has performed assessments on scores of key vendors of physical goods and services to understand potential cyber risks they could introduce.

We continually improve alignment among our IT, operational technology and digital security groups to secure Devon’s technology initiatives and address risks. Devon proactively secures our information and infrastructure due to the evolving global threat environment.

Devon assesses our internal controls, considers federal government recommendations and takes other precautions, while enabling employees to work efficiently and effectively from any location. Through ongoing efforts to educate employees to recognize increasingly sophisticated threats like malware, ransomware and phishing attempts, we are heightening digital security awareness in our workforce.

We actively share information with peer companies, industry and IT security groups, and local, state and federal agencies to monitor and respond to the global landscape. Devon actively participates in intelligence sharing through an industry intelligence sharing and analysis center (ISAC), including membership on the ISAC’s board of directors. Additionally, our digital security department manager was selected to participate in the FBI’s September 2024 CISO Academy. This program fosters partnership among security leaders of various industries along with the FBI and other federal agencies.