Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

We maintain a corporate information security policy and program (the “Program”) designed to identify, assess and appropriately manage risk from cybersecurity threats to help maintain operational continuity and protect Devon’s networks, systems and other assets, as well as the significant amount of information we use to run our business. We employ a variety of tools designed to identify, assess and manage cybersecurity threats, including monitoring and detection programs, network security measures, firewall monitoring devices and encryption of critical data. The Program includes a cybersecurity incident response plan that provides the framework for categorizing and responding to cybersecurity incidents. As part of the Program, we perform cybersecurity risk assessments of certain third-party vendors of the Company, including technology vendors and key operational suppliers and service providers. These assessments are intended to identify potential risks to Devon associated with our use of third-party vendors and, where appropriate, to recommend and implement mitigating controls or solutions. In addition, Devon maintains disaster recovery plans related to cybersecurity incidents as part of our broader corporate emergency preparedness program, and our employees and contractors receive cybersecurity awareness training as part of both onboarding and through periodic training opportunities, including phishing simulations.

We have made efforts to align the Program with the National Institute of Standards and Technology Cybersecurity Framework for risk management, and we conduct an annual assessment to identify areas for potential improvement and benchmark maturity relative to peers and other companies, as well as industry and other relevant standards. Moreover, we perform regular internal testing of our systems and programs, including disaster recovery exercises and tabletop exercises. We supplement these internal efforts by periodically engaging third-party organizations to separately review and stress-test the Program.

The Program is administered by our Digital Security team, which is led by our Manager of Digital Security. The Digital Security team meets at least weekly to discuss any cybersecurity incidents and related response actions, emerging cybersecurity threats facing the Company and preventative measures. It is important to Devon that members of our Digital Security team have the necessary expertise to oversee the Program and its related technologies, platforms and applications, whether through educational background, experience, technical certifications or other training. The Manager of Digital Security has approximately 15 years of cybersecurity experience, a degree in management information systems and multiple certifications relating to security, risk and information systems, including a security leadership certification.

Cybersecurity risk is an area of focus for our Board of Directors, and we include cybersecurity and related risks in our enterprise-wide risk-management framework that annually assesses risks to the Company. This year-round assessment of risk is guided by our Internal Audit team and involves our Board of Directors, management and certain internal subject matter experts. The Audit Committee of our Board of Directors has oversight of Devon’s risks from cybersecurity threats and reviews the steps management has taken to monitor and address such risks. Our management team provides quarterly updates to the Audit Committee on activities and other developments impacting Devon’s cybersecurity. These updates cover a variety of topics, including, among other things, (i) regular reviews of certain cybersecurity metrics for the Company, (ii) status reviews of our cybersecurity initiatives and the results of benchmarking or other assessments of the Program and (iii) briefings on current events or trends relating to cybersecurity. Our full Board of Directors also receives regular updates from our management team regarding the Program, as well as reports from the Audit Committee.

As of the date of this report, though the Company and certain of our service providers have experienced certain cybersecurity incidents, Devon is not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect Devon. For information on the risks associated with cybersecurity threats, see “Item 1A. Risk Factors.”

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We maintain a corporate information security policy and program (the “Program”) designed to identify, assess and appropriately manage risk from cybersecurity threats to help maintain operational continuity and protect Devon’s networks, systems and other assets, as well as the significant amount of information we use to run our business. We employ a variety of tools designed to identify, assess and manage cybersecurity threats, including monitoring and detection programs, network security measures, firewall monitoring devices and encryption of critical data. The Program includes a cybersecurity incident response plan that provides the framework for categorizing and responding to cybersecurity incidents. As part of the Program, we perform cybersecurity risk assessments of certain third-party vendors of the Company, including technology vendors and key operational suppliers and service providers. These assessments are intended to identify potential risks to Devon associated with our use of third-party vendors and, where appropriate, to recommend and implement mitigating controls or solutions. In addition, Devon maintains disaster recovery plans related to cybersecurity incidents as part of our broader corporate emergency preparedness program, and our employees and contractors receive cybersecurity awareness training as part of both onboarding and through periodic training opportunities, including phishing simulations.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

As of the date of this report, though the Company and certain of our service providers have experienced certain cybersecurity incidents, Devon is not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect Devon. For information on the risks associated with cybersecurity threats, see “Item 1A. Risk Factors.”

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee of our Board of Directors has oversight of Devon’s risks from cybersecurity threats and reviews the steps management has taken to monitor and address such risks. Our management team provides quarterly updates to the Audit Committee on activities and other developments impacting Devon’s cybersecurity.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

We have made efforts to align the Program with the National Institute of Standards and Technology Cybersecurity Framework for risk management, and we conduct an annual assessment to identify areas for potential improvement and benchmark maturity relative to peers and other companies, as well as industry and other relevant standards. Moreover, we perform regular internal testing of our systems and programs, including disaster recovery exercises and tabletop exercises. We supplement these internal efforts by periodically engaging third-party organizations to separately review and stress-test the Program.

The Program is administered by our Digital Security team, which is led by our Manager of Digital Security. The Digital Security team meets at least weekly to discuss any cybersecurity incidents and related response actions, emerging cybersecurity threats facing the Company and preventative measures. It is important to Devon that members of our Digital Security team have the necessary expertise to oversee the Program and its related technologies, platforms and applications, whether through educational background, experience, technical certifications or other training. The Manager of Digital Security has approximately 15 years of cybersecurity experience, a degree in management information systems and multiple certifications relating to security, risk and information systems, including a security leadership certification.

Cybersecurity Risk Role of Management [Text Block]

The Manager of Digital Security has approximately 15 years of cybersecurity experience, a degree in management information systems and multiple certifications relating to security, risk and information systems, including a security leadership certification.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

The Program is administered by our Digital Security team, which is led by our Manager of Digital Security. The Digital Security team meets at least weekly to discuss any cybersecurity incidents and related response actions, emerging cybersecurity threats facing the Company and preventative measures. It is important to Devon that members of our Digital Security team have the necessary expertise to oversee the Program and its related technologies, platforms and applications, whether through educational background, experience, technical certifications or other training. The Manager of Digital Security has approximately 15 years of cybersecurity experience, a degree in management information systems and multiple certifications relating to security, risk and information systems, including a security leadership certification.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

It is important to Devon that members of our Digital Security team have the necessary expertise to oversee the Program and its related technologies, platforms and applications, whether through educational background, experience, technical certifications or other training. The Manager of Digital Security has approximately 15 years of cybersecurity experience, a degree in management information systems and multiple certifications relating to security, risk and information systems, including a security leadership certification.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Cybersecurity risk is an area of focus for our Board of Directors, and we include cybersecurity and related risks in our enterprise-wide risk-management framework that annually assesses risks to the Company. This year-round assessment of risk is guided by our Internal Audit team and involves our Board of Directors, management and certain internal subject matter experts. The Audit Committee of our Board of Directors has oversight of Devon’s risks from cybersecurity threats and reviews the steps management has taken to monitor and address such risks. Our management team provides quarterly updates to the Audit Committee on activities and other developments impacting Devon’s cybersecurity.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true