CYBERSECURITY

By implementing cybersecurity standard requirements across our organization, we protect Ovintiv’s digital assets from security breaches that could negatively impact our business, reputation, team safety, compliance record and the environment.

Our Cybersecurity Group coordinates with business and legal functions to assess and manage our risks from cybersecurity threats, including those relating to information systems owned or operated by third parties that are used by Ovintiv. Our Cybersecurity, Internal Audit, and Corporate Risk Management groups work together as a multi-disciplinary team tasked with developing and implementing processes and technologies that assess risk and recommending new technologies or changes to our existing assets. We measure our IT infrastructure and information security management system against the National Institute for Standards and Technology (NIST) cybersecurity framework. Based on a scorecard categorized by identify, protect, detect, respond and recover, we determine areas that require additional resources to mitigate cybersecurity risk.

We conduct annual internal training for employees and internal and external teams, including the Cybersecurity Group, as well as periodic penetration testing, red teaming, tabletop exercises and phishing drills. We also conduct an annual digital penetration test with a third-party specialist and other auditors. This test simulates an “attack” on our computer system and processes to identify security weaknesses. We report the results of this test to our Board Audit Committee and initiate any necessary improvements.

Additional information can be found in our Annual Report on Form 10-K.