MURPHY OIL CORP 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

MURPHY OIL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 06:20:43 EST.

Filings

10-K filed on 2025-02-27

MURPHY OIL CORP filed a 10-K at 2025-02-27 06:20:43 EST
Accession Number: 0000717423-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Murphy’s cybersecurity environment and risk strategy is broadly managed by the Company’s Information Technology (IT) group, which oversees the Company’s IT and Operational Technology (OT) infrastructure. Within the IT group, the Murphy Cybersecurity Team (MCT) is specifically responsible for monitoring and managing security of the enterprise IT and OT network and systems, including developing and deploying administrative policies, technical controls, and safety protocols necessary to prevent unauthorized access, theft, damage, or loss of Company data or systems. All members of the MCT hold globally-recognized security certifications and have wide-ranging experience in cybersecurity matters. The Incident Management Team (IMT) is responsible for responding to active security threats and incidents as they occur. The Chief Information Officer oversees the IT group and is a member of the IMT, and provides briefings to the CEO, the executive leadership team, and the Audit Committee of the Board regarding cybersecurity risks, strategy, and management at least annually . The Audit Committee is ultimately responsible for overseeing cybersecurity strategy and ensuring that management has sufficient resources, programs, and processes in place to identify, evaluate, manage, and mitigate relevant cybersecurity risks to which Murphy is exposed and to implement processes and programs to manage cybersecurity risks and mitigate any incidents. The Audit Committee also reports material cybersecurity risks to the Board as appropriate. We believe this visibility and oversight structure allows the Board and executive leadership team to make timely, data-driven decisions ensuring that Murphy, its employees, investors, and partners are adequately protected. Murphy considers its cybersecurity risk management framework to be a core component of its overall enterprise risk management system. The cybersecurity risk management framework directly aligns with the National Institute of Standards and Technology Cybersecurity Framework and involves regular review and update of security policies and procedures; leverage of industry-leading technologies focused on continuously monitoring, analyzing, and defending against intrusions; regular testing of such technologies and other controls; periodic simulations of security incidents; and constant monitoring of the broader cybersecurity environment for new and emerging threats. The Company also requires employees to attend regular cybersecurity training and education to mitigate cybersecurity risks. To remain informed of the cybersecurity landscape, the Company collaborates with peers, third-party advisors, industry groups and policymakers. Murphy engages cybersecurity assessors, consultants, our internal auditors, and other third parties both periodically and as appropriate when cyber threats are identified. Murphy utilizes these consultants to perform forensic analysis of data published by threat actors, to monitor and scan Murphy’s systems for threat vectors, and to consult on emerging cybersecurity environment topics. In addition to monitoring its own IT systems, Murphy also has processes in place to identify cybersecurity risks and threats associated with third party service providers and partners. These processes include conducting vendor due diligence and risk assessments, participating in industry information sharing groups, subscribing to cybersecurity notification services, and maintaining ongoing collaboration with federal agencies. To our knowledge, Murphy has not experienced any cybersecurity incidents that have had, or are likely to have, material impacts to our business, operations, finances, or reputation . PART I

Company Information