Security and Cybersecurity
The security and protection of our people, assets, information and reputation are cornerstones of our business. While risk can never be eliminated, we continuously strive to mitigate it by prudently anticipating, preventing and responding to internal and external security incidents.
As an operator of critical infrastructure and facilities in challenging locations worldwide, we work closely with governmental agencies, nongovernmental organizations, our peers and local communities on initiatives to identify, deter, prevent and mitigate a range of potential threats to company personnel, facilities and operations. Our facilities are compliant with national and international security regulations including:
- U.S. Customs-Trade Partnership Against Terrorism standards
- Department of Transportation
- Transportation Worker Identification Credential (TWIC)
- Hazmat Transportation Security requirements
- Chemical Facility Anti-Terrorism Standards
- International Ship and Port Facility Security Code
- Maritime Transportation Security Act
- Maritime Transport and Facilities Security Regulations (Australia)
- Bureau of Land Management
- All other applicable governmental security requirements
We maintain a “Tier III” status in the Customs-Trade Partnership Against Terrorism program by demonstrating effective security that exceeds the minimum program criteria. Our program ensures categories of company procedures intended to maintain the integrity and security of the international supply chain. This effort is conducted through our partnership with U.S. Customs and Border Protection, which assesses the overall effectiveness of our security processes.
We remain an active, participating member of the U.S. State Department Overseas Security Advisory Council (OSAC), the Domestic Security Alliance Council (DSAC), Voluntary Principles on Security and Human Rights (VPSHR) and other national and international security organizations.
Our business has become increasingly dependent on digital technologies, some of which are managed by third-party service providers on whom we rely to help us collect, host or process information. Among other activities, we rely on digital technology to estimate oil and gas reserves, process and record financial and operating data, analyze seismic and drilling information and communicate with employees and third parties. As a result, we face various cybersecurity threats including:
- Attempts to gain unauthorized access to, or control of, sensitive information about our operations and our employees.
- Attempts to render our data or systems (or those of third parties with whom we do business) corrupted or unusable.
- Threats to the security of our facilities and infrastructure as well as those of third parties with whom we do business.
- Attempted cyberterrorism.
The Information Technology Security, Strategy and Planning team is responsible for cybersecurity strategy and planning. The team reports to the Chief Information Officer, who reports to the Senior Vice President, Strategy and Technology. Information security requirements for all employees, contractors and partners are detailed in the ConocoPhillips Information Security & Protection policy, which is approved by senior leaders. Our ongoing information security management strategy is to align the company’s program with the NIST Cybersecurity Framework.
While our management team is responsible for the day-to-day management of risk, the board of directors has broad oversight responsibility for our risk-management programs. In order to maintain effective board oversight across the entire enterprise, the board delegates certain elements of its oversight function to individual committees. The Audit and Finance Committee (AFC) assists the board in fulfilling its oversight of enterprise risk management regarding the effectiveness of information systems and cybersecurity. In addition, the board delegates authority to the AFC to manage the risk oversight efforts of the various committees. As part of this authority, the AFC regularly discusses ConocoPhillips’ enterprise risk-management policies and facilitates appropriate coordination among committees to ensure that our risk-management programs are functioning properly.
To minimize the likelihood of cyberattacks, employees and contractors are required to complete information security training annually, and we frequently communicate with our workforce about best practices to avoid cyberthreats. We revised internal security awareness training in 2020 to reflect current security challenges and the company's security objectives. Each employee was required to complete the annual training.
Although we have experienced occasional breaches of our cybersecurity, we continue to modify or enhance our protective measures and investigate and remediate any vulnerabilities detected. During 2020, none of these breaches had a material effect on our business, operations or reputation, and none met the criteria to be deemed a reportable incident per SEC reporting requirements. For example, ConocoPhillips is one of many customers of SolarWinds, a major U.S. information technology firm. In December 2020, SolarWinds was subject to a cyberattack that spread to its clients, including ConocoPhillips. Upon learning of the cyberattack, both from U.S. Cybersecurity & Infrastructure Security Agency advisories and SolarWinds’ vulnerability notification, ConocoPhillips promptly initiated actions. Our coordinated response activities included a comprehensive review and analysis, which did not identify any compromising activity, and we continue to review emergent data against our environment.