Marathon Petroleum Corp 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Marathon Petroleum Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 12:01:38 EST.

Filings

10-K filed on 2025-02-27

Marathon Petroleum Corp filed a 10-K at 2025-02-27 12:01:38 EST
Accession Number: 0001510295-25-000012


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy

We have processes in place designed to protect our information systems, data, assets, infrastructure and computing environments from cybersecurity threats and risks while maintaining confidentiality, integrity, and availability. These enterprise-wide processes are based upon policies, practices and standards that guide us on identifying, assessing, and managing material cybersecurity risks and include, but are not limited to:

- placing security limits on physical and network access to our information technology (“IT”) and operating technology (“OT”) systems;
- employing internal IT and OT controls designed to detect cybersecurity threats by collecting and analyzing data in our centralized cybersecurity operations center;
- utilizing layers of defensive methodologies designed to facilitate cyber resilience, minimize attack surfaces, and provide flexibility and scalability in our ability to address cybersecurity risks and threats;
- providing cybersecurity threat and awareness training to employees and contractors;
- limiting remote network access to our IT and OT network environments; and
- assessing our cybersecurity resiliency through various methods, including penetration testing, tabletop exercises with varying scenarios and participants ranging from individuals on our operations teams to executive leadership, and analyzing our corporate cybersecurity incident response plan.

We apply an enterprise risk management (“ERM”) methodology as established and led by our executive leadership team and overseen by our Board to identify, assess, and manage enterprise-level risks. Our cybersecurity risk program directly integrates and is intended to align with our governing ERM program. We engage with external resources to contribute to and provide independent evaluation of our cybersecurity practices, including a periodic assessment of our cybersecurity program that is performed by a third party.
Our cybersecurity leadership and operational teams monitor cybersecurity threat intelligence and applicable cybersecurity regulatory requirements in a variety of ways, including by communicating with federal agencies, trade associations, service providers, and other miscellaneous third-party resources. Our management team, through consultation with our Senior Vice President and Chief Digital Officer (“CDO”), Vice President and Chief Information Security Officer (“CISO”), and the Audit Committee of our Board, use the information gathered from these sources to inform long-term cybersecurity investments and strategies which seek to identify cybersecurity threats and protect against, detect, respond to and recover from cybersecurity incidents. The information systems, data, assets, infrastructure, and computing environments of our third-party service providers are also at risk of cybersecurity incidents. We manage third-party service provider cybersecurity risks through contract management, evaluation of applicable security control assessments, and third-party risk assessment processes. As of February 27, 2025, we do not believe that any risks from cybersecurity threats, including as a result of past cybersecurity incidents, have had, or are reasonably likely to have, a material adverse effect on the company, including our business strategy, results of operations or financial condition. However, there can be no assurance that our cybersecurity processes will prevent or mitigate cybersecurity incidents or threats and that efforts will always be successful. It is possible that cybersecurity incidents may occur and could have a material adverse effect on our business strategy, results of operations, or financial condition. See “Business and Operational Risks–We are increasingly dependent on the performance of our information technology systems and those of our third-party business partners and service providers” in Item 1A. Risk Factors of this Annual Report on Form 10-K. 
Governance

Our full Board of Directors oversees enterprise-level risks and has delegated to the Audit Committee of our Board oversight of risks from cybersecurity threats as informed through the ERM program. Our CDO and CISO are standing members of the ERM committee, comprised of members of senior management, and as part of the committee, report on and evaluate cybersecurity threats and risk management efforts, as communicated to them by way of their direct reports and the larger cybersecurity team. The CDO and CISO are responsible for managing risks from cybersecurity threats. The CDO and CISO provide regular cybersecurity briefings to the Board of Directors including the Audit Committee, with a minimum of two briefings per year and additional briefings as needed. The Audit Committee also has direct access to the CDO and CISO and their management teams for other updates on cybersecurity and information security strategy throughout the year. Additionally, the CDO and CISO, from time to time, meet with members of management to discuss cybersecurity risks, strategy, and threats. Our CISO is responsible for implementing the cybersecurity program which is comprised of Cybersecurity GRC (Governance, Risk & Compliance), Cybersecurity Architecture, Engineering & Operations, and a Cyber Fusion Center that includes Threat Intelligence, Vulnerability Management, & Incident Response. Our CISO has more than 30 years of experience in the oil and gas industry and has held various leadership and strategic roles across IT, software R&D and marketing, including collectively serving as a chief information security officer for seven years at two publicly traded companies. Our CISO also holds an Executive Master in Cybersecurity degree, a Master of Computer Science degree, and undergraduate degrees in both computer science and mathematics.
Our CISO works at the direction of the CDO, who has more than 20 years of executive IT leadership experience and leads the company’s Digital and Information Technology functions that seek to provide innovative, secure, and reliable technology products and services to MPC and its customers. Prior to joining MPC in 2021, our CDO was employed by GE and its subsidiary companies for over 20 years, holding several executive IT leadership roles with increasing responsibility. He was then named Senior Vice President and Chief Information Officer of Services for parent company GE in 2017 and was later named the Vice President and Chief Information Officer of GE Healthcare. Our CDO holds a Bachelor’s degree in Business Administration, Management and Information Systems.


Company Information

Name: Marathon Petroleum Corp
CIK: 0001510295
SIC Description: Petroleum Refining
Ticker: MPC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30