Security and Cybersecurity
The security and protection of our people, assets, information and reputation are cornerstones of our business. While risk can never be eliminated, we continuously strive to mitigate it by prudently anticipating, preventing and responding to internal and external security incidents.
As an operator of critical infrastructure and facilities in challenging locations worldwide, we work closely with governmental agencies, nongovernmental organizations, our peers and local communities on initiatives to identify, deter, prevent and mitigate a range of potential threats to company personnel, facilities and operations. Our facilities are compliant with national and international security regulations including:
- U.S. Customs-Trade Partnership Against Terrorism standards
- Department of Transportation
- Transportation Worker Identification Credential (TWIC)
- Hazmat Transportation Security requirements
- Chemical Facility Anti-Terrorism Standards
- International Ship and Port Facility Security Code
- Maritime Transportation Security Act
- Maritime Transport and Facilities Security Regulations (Australia)
- Bureau of Land Management
- All other applicable governmental security requirements
We maintain a “Tier III” status in the Customs-Trade Partnership Against Terrorism program by demonstrating effective security that exceeds the minimum program criteria. Our program ensures categories of company procedures intended to maintain the integrity and security of the international supply chain. This effort is conducted through our partnership with U.S. Customs and Border Protection who assess the overall effectiveness of our security processes.
We remain an active, participating member of the U.S. State Department Overseas Security Advisory Council (OSAC), the Domestic Security Alliance Council (DSAC), Voluntary Principles on Security and Human Rights (VPSHR) and other national and international security organizations.
Our business has become increasingly dependent on digital technologies, some of which are managed by third-party service providers on whom we rely to help us collect, host or process information. Among other activities, we rely on digital technology to estimate oil and gas reserves, process and record financial and operating data, analyze seismic and drilling information and communicate with employees and third parties. As a result, we face various cybersecurity threats including:
- Attempts to gain unauthorized access to, or control of, sensitive information about our operations and our employees.
- Attempts to render our data or systems (or those of third parties with whom we do business) corrupted or unusable.
- Threats to the security of our facilities and infrastructure as well as those of third parties with whom we do business.
- Attempted cyberterrorism.
The Information Technology Security, Strategy and Planning team is responsible for cybersecurity strategy and planning. The team reports to the Chief Information Officer who reports to the Executive Vice President and Chief Financial Officer.
While our management team is responsible for the day-to-day management of risk, the board has broad oversight responsibility for our risk-management programs. In order to maintain effective board oversight across the entire enterprise, the board delegates certain elements of its oversight function to individual committees. The Audit and Finance Committee (AFC) assists the board in fulfilling its oversight or enterprise risk management regarding the effectiveness of information systems and cybersecurity. In addition, the board delegates authority to the AFC to manage the risk oversight efforts of the various committees. As part of this authority, the AFC regularly discusses ConocoPhillips’ enterprise risk-management policies and facilitates appropriate coordination among committees to ensure that our risk-management programs are functioning properly.
To minimize the likelihood of cyberattacks, employees and contractors are required to complete information security training annually, and we frequently communicate with our workforce about best practices to avoid cyberthreats. Although we have experienced occasional breaches of our cybersecurity, none of these breaches have had a material effect on our business, operations or reputation. As cyberattacks continue to evolve, we continue to modify or enhance our protective measures and to investigate and remediate any vulnerabilities detected.