Protecting our information systems and technology advantage

With global cybersecurity threats and Devon’s digital technology use both increasing, we focus on protecting our networks, systems and the significant amount of data we use to run our business. Devon invests in state-of-the-art tools and processes to safeguard our technology advantage, operate our business safely and reliably, manage risk and deliver results.

Our highly skilled and trained digital security professionals apply artificial intelligence, process automation, data analytics and other techniques in the field and office. We require and pay for each member of our security operations team to earn SANS Institute certifications for security essentials and incident handling.

Each week, the cybersecurity team meets to discuss cyberthreats, incidents and effective prevention measures. The team proactively develops, uses and shares information on cyberthreats to enhance our knowledge with appropriate levels and layers of automation. Our digital security professionals collaborate with Devon operations, information technology, corporate security and other teams to strengthen our cybersecurity controls and capabilities.

We provide regular quarterly updates to our board and its Audit Committee regarding our information security program. Devon’s management team routinely updates the committee on our major cybersecurity plans and initiatives, benchmarking assessments and current events that could impact cybersecurity for our company and industry. Three of our directors have technology or cybersecurity experience that enhances the board’s risk oversight role.

Mitigating cybersecurity risk

Our corporate information security policy and program are aligned with the federal NIST Cybersecurity Framework for risk management. To further mitigate cybersecurity risk, our policy and program are assessed by third-party experts, and we maintain specialized insurance for possible liability resulting from a cyberattack on our assets. We also internally exercise and test our incident response and disaster recovery plans as part of Devon’s corporate emergency preparedness program. In 2021 and 2022, we have been building on our disaster recovery capabilities with field and business unit exercises and security training.

A culture of prevention and compliance strengthens our digital security. All employees take cybersecurity awareness training during onboarding and through annual refresher training. Teams that have access to sensitive data take specific training and employees receive recognition if they help us avoid cybersecurity events. Our Code of Business Conduct and Ethics, the Information System General Usage Policy and related policies provide guidance on our information systems.

Devon continues to develop our own patented technologies, deploy mobile apps in the field and commercialize and scale technology solutions in partnership with innovators. As part of its role to protect data and technology appropriately, our digital security team evaluates technologies that we build, buy and deploy and makes recommendations to the business owners.

The COVID-19 pandemic, 2021 Colonial Pipeline ransomware attack and the war in Ukraine have highlighted the need to secure our information and infrastructure. We continue to reassess internal controls, follow federal government recommendations and take other precautions, while enabling employees to work efficiently and effectively from any location. Through ongoing efforts to educate employees to recognize increasingly sophisticated threats like malware, ransomware and phishing attempts, we are heightening digital security awareness in our workforce.