Cyber Security

As society’s reliance on energy and information technology grows, so do the number and sophistication of cyber security threats. While Marathon Oil has avoided any material impacts to our business, operations or reputation due to cyberattacks or other cyber security-related incidents because of the safeguards we have put into place, we remain vigilant.

We’ve designed our enterprise cyber security programs to fortify people, processes and technologies across our assets, facilities and operations. We also seek to do business with partners and service providers who share our vision of implementing and enforcing effective cyber security controls across the following key areas.

• In terms of people, cyber security awareness remains one of our best defenses. We leverage formal training and incorporate other training and educational opportunities through videos, hands-on training, and periodic cyber security-related bulletins and helpful tips. We also conduct cyber security awareness campaigns to provide resources to employees.
• Our processes include a suite of IT and security policies and procedures, including a cyber security incident response plan, an Information Use and Governance Policy and tabletop simulation exercises that involve different stakeholder groups that leverage our relationships with external legal, forensics and crisis communications partners.
• Our technical controls are regularly evaluated and assessed. We also have processes and technologies to provide redundant computing operations should a cyber-event occur that requires the backup of online and offline data. In 2021, we focused on improvement in the following areas: ransomware defense, user training and awareness, vendor vulnerabilities and event correlation and threat detection, both in the cloud and on-premises.

Our approach is informed by external cyber security experts and assessed against the U.S. National Institute of Standards and Technology (NIST) standards.

Marathon Oil’s senior leadership and the Audit and Finance Committee of our board receive regular cyber security updates, with formal reporting to the full board two times per year. As of May 2022, one board member has experience with cyber security issues facing the oil and gas industry. In addition, 100% of our Audit and Finance Committee members are independent.

We also have processes and technologies to provide redundant computing operations should a cyber-event occur that requires the backup of online and offline data.

Marathon Oil’s Data Privacy Policy sets out the privacy principles we have implemented for the processing of personal data about our personnel.

We endeavor to maintain physical, technical and procedural safeguards appropriate to the sensitivity of the personal data in question, and these safeguards are designed to protect this personal data from loss, unauthorized access, copying, use, modification or disclosure.

While all Marathon Oil personnel have a responsibility to appropriately use and protect personal data, our Corporate Compliance organization has the primary responsibility and authority for implementing and monitoring compliance with our Data Privacy Policy. Our Human Resources organization is responsible for ensuring adherence to the Data Privacy Policy as it relates to Human Resources process and procedures.