delivering cybersecurity
We seek to protect our people, information and assets by using a risk-based, multilayered approach to cybersecurity. The threat landscape has evolved with increased targeting of process control networks, exploitation of trusted software in supply chains, and frequency of ransomware attacks. Chevron’s digital strategy strengthens our ability to navigate the risk environment and advance a digitally driven future.
assuring safeguards are in place
Our cybersecurity safeguards and programs align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and risk management and assurance is incorporated through our Operational Excellence Management System (OEMS). The OEMS enables us to systematically manage risk, implement and assure safeguards, and foster a culture of learning across different focus areas for our business, including security.
strengthening our readiness
Chevron cybersecurity experts undertake a range of preemptive activities to protect our people, assets and reputation, including:
- Managing vulnerabilities: we create automated threat intelligence feeds from security experts to increase vulnerability awareness, taking action to mitigate the highest risks. Our cyber risk organization schedules weekly meetings with business units to raise vulnerability risk awareness and keep diverse cybersecurity skill sets connected across the enterprise. For mobile devices, we enforce iOS upgrades while protecting communication channels, tailoring mobile security to enable business with little impact.
- Preparing for cyber threats: to maintain continuity of critical business processes in the event a cybersecurity incident results in significant loss of IT systems, our Business Continuity Plans account for cyber conditions. We work to identify critical business processes and dependent IT applications and document the processes for continuing operations without IT systems. Cross-functional teams conduct regular multidisciplinary exercises to test and continually improve our plans. For example, in 2022, more than 100 employees and senior leaders from varying disciplines and locations participated in an exercise to test and experience the impact of a large-scale outage.
- Implementing guardrails: cybersecurity guardrails are high-level technology, secure-by-design rules built into digital solutions. In 2022, we began updating our cybersecurity guardrails by migrating from a highly customized in-house technology environment to a more flexible cloud-based solution that allows for better integrations, scalability within our organization and collaborating with business partners and industry peers.
- Protecting personal data: chevron’s comprehensive privacy program is central to the success of our overall information risk management strategy. Sound privacy practices promote trust and integrity. We promote privacy by design and by default, which reduces privacy risks in systems, technologies, applications and business processes.
preparing the workforce
We require employees and contractors to complete training either annually or biannually on a range of cybersecurity best practices, including information on risk awareness, data privacy, privileged user access and email phishing. Training is updated regularly to reflect current cybersecurity challenges and Chevron’s cybersecurity objectives. We also have a cybersecurity awareness campaign to make the workforce aware of risks and threats and educate people on safe cyber behaviors.
establishing resilient operations
The intensifying threat landscape and the speed and sophistication of the ability of malicious actors to exploit vulnerabilities have made cyber attacks increasingly difficult to prevent. Therefore, we seek to quickly identify and rapidly respond to cyber incidents to limit their scope and impact and enable us to restore normal operations as fast as possible.
Although we experience cyber incidents in our business, including breaches, we have taken actions to mitigate the impact of these incidents through our cybersecurity safeguards.