Cyber Security

As society’s reliance on energy and information technology grows, so do the number and sophistication of cyber security threats. While Marathon Oil has avoided any material impacts to our business, operations or reputation due to cyberattacks or other cyber security-related incidents, we remain vigilant.

Our senior vice president, Technology and Innovation and CIO oversees Marathon Oil’s cyber security efforts. Our information technology steering committee approves the implementation of new technologies and upgrades of our current systems using a formal process that includes assessments of technology and vendor cyber risk.

We’ve designed our enterprise cyber security programs to fortify people, processes and technologies across our assets, facilities and operations. Marathon Oil supports our in-house cyber security professionals in obtaining industry-related certifications and participating in continuing education. We also seek to do business with partners and service providers who share our vision of implementing and enforcing effective cyber security controls across the following key areas.

• In terms of people, cyber security awareness remains one of our best cyber defenses. We leverage formal training and incorporate other training and educational opportunities through videos, hands-on training, and periodic cyber security-related bulletins and helpful tips. We also conduct phishing campaigns to keep our employees abreast of new tactics and increase their ability to identify phishing attempts.
• Our processes include a suite of IT and security policies and procedures, including a cyber security incident response plan, an Information Use and Governance Policy and tabletop simulation exercises that involve different stakeholder groups that leverage our relationships with external legal, forensics and crisis communications partners.
• Our technical controls are regularly evaluated and assessed. This includes internal audits and an annual third-party assessment of our cyber security posture and a biannual assessment of our cyber security standards, processes and team. Additionally, we test our incident response and disaster recovery plans by conducting an annual scenario-based exercise. We also have processes and technologies to provide redundant computing and backup operations should a cyber-event occur that requires a full or partial data center recovery. In 2022, we focused on improvement in the following areas: ransomware defense, user training and awareness, vendor vulnerabilities, event correlation and threat detection, both in the cloud and on-premises. We also increased our use of artificial intelligence and machine learning as part of our incident response lifecycle. These systems block, deny and contain many low-level threats, which allows our cyber security professionals to focus on higher-level alerts, events and incidents that are escalated based on the impact of the threat. Also in 2022, we performed a Cyber Security Incident Response Exercise, which included key IT, HR, Corporate Communications and HES personnel, that validated our cyber incident playbook, all supported by our Centralized Emergency Response Team (CERT), discussed in more detail here.

Our approach is informed by external cyber security experts and aligned with the U.S. National Institute of Standards and Technology (NIST) standards.

Marathon Oil’s senior leadership and the Audit and Finance Committee of our board, all of whom are independent, receive regular cyber security updates, with formal reporting to the full board two times per year. As of May 24, 2023, one board member has experience with cyber security issues facing the oil and gas industry.

Marathon Oil’s Data Privacy Policy sets out the privacy principles we have implemented for the processing of personal data about our personnel.

We endeavor to maintain physical, technical and procedural safeguards appropriate to the sensitivity of the personal data in question, and these safeguards are designed to help protect this personal data from loss, unauthorized access, copying, use, modification or disclosure.

While all Marathon Oil personnel have a responsibility to appropriately use and protect personal data, our Corporate Compliance organization has the primary responsibility and authority for implementing and monitoring compliance with our Data Privacy Policy. Our Human Resources organization is responsible for adherence to the Data Privacy Policy as it relates to Human Resources processes and procedures.