|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
Governance
Board of Directors
Ovintiv’s Board of Directors is responsible for the oversight of the Company’s enterprise risk management processes, and the Board’s committees help discharge this responsibility by managing issues under their purview. The Board has delegated the primary responsibility to oversee and monitor cybersecurity risks to the Audit Committee and the Audit Committee has direct oversight of, and regularly reviews, the Company’s cybersecurity risks and related mitigations. The Audit Committee receives periodic updates from the Company’s Vice-President and Chief Information Officer (the “CIO”) concerning a wide range of topics, including risks from cybersecurity threats, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. As part of the enterprise risk management process, the Audit Committee provides regular updates to the full Board on the risk categories for which it is responsible, which includes cybersecurity. The Company has processes by which certain cybersecurity incidents are escalated and, where appropriate, reported in a timely manner to the Audit Committee and the Board.
Management
The Company’s Cybersecurity Group coordinates with business and legal functions to assess and manage the Company’s risks from cybersecurity threats, including those relating to information systems owned or operated by third parties that are used by the Company. The Cybersecurity Group is led by the Director, Cybersecurity (the “Cybersecurity Director”). The Cybersecurity Director has extensive cybersecurity knowledge and skills gained from over 30 years of relevant work experience. The Cybersecurity Director is a Certified Information Systems Auditor, Chartered Professional Accountant and a Certified Fraud Examiner.
The Cybersecurity Group designs and implements the Company’s administrative and technical controls against risks from cybersecurity threats. The Cybersecurity Group also maintains the Company’s policies that prescribe procedures and standards for assessing, identifying and managing cybersecurity threats, which includes the Company’s Cybersecurity Incident Response Program. The Company’s Internal Audit Group conducts periodic independent audits of the Company’s cybersecurity procedures, systems, and controls, and also provides independent oversight into the engagement of cybersecurity resources.
The Cybersecurity Group reports to the CIO, who reports to the Executive Vice-President, Corporate Services. The CIO is responsible for overseeing the Company’s information technology and cybersecurity, and, in conjunction with executive leadership, regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risk. The CIO receives reports from the Cybersecurity Group regarding cybersecurity matters on an ongoing basis and administers the Company’s Cybersecurity Incident Response Program. The CIO is primarily responsible for reporting cybersecurity matters, including cybersecurity incidents, to executive leadership and the Audit Committee. The CIO has 30 years of relevant information technology work experience with 10 years of cybersecurity oversight at the Company and elsewhere.
Risk Management and Strategy
Ovintiv’s risk management strategy includes identifying risks, and developing and implementing risk management practices that include mitigation activities, systems, controls and business continuity plans for specific risks, which are aligned with, and complementary to, Ovintiv’s corporate risk management policy. The identification, analysis and mitigation strategy of cybersecurity risk is incorporated into the Company’s risk practices and is a component of an internal Risk Network that is comprised of senior leadership responsible for understanding and reporting each of Ovintiv’s entity-level risks.
Our cybersecurity program is aligned with the NIST Cybersecurity Framework and is designed to assess, identify, and manage material risks from cybersecurity threats, and protect and preserve the confidentiality, integrity, and continued availability of all information owned by, or in the care of, the Company. The Company maintains an Information Management Policy, which applies to both employees and third-party service providers, for the protection of the Company’s information. Our information systems are monitored by automated tools and the Cybersecurity Group. The Cybersecurity Group conducts an initial assessment of cybersecurity incidents and determines whether escalation is warranted. The Company’s Cybersecurity Incident Response Program (“CIRP”) provides guidelines to assist the Company in identifying and mitigating cyber risk effectively and efficiently, and sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping executive leadership and other key stakeholders informed and involved as appropriate. The Company has implemented an incident response team and incident assessment team that includes internal leadership representatives from the executive, information technology, operational, legal, and corporate teams, as well as third-party experts as appropriate. Our processes and procedures also encompass oversight and identification of risks from cybersecurity threats associated with our use of third-party service providers, which includes engagement of a managed security service provider that performs a security review and ongoing monitoring of our third-party service providers.
The cybersecurity program, including the CIRP, undergoes periodic internal and external review. The Company engages qualified external auditors and cybersecurity risk assessors to provide independent assessments of our cybersecurity program and response preparedness along with reviews and audits by the Company’s Internal Audit Group. The Company conducts annual internal training for employees, and internal and external teams, including the Cybersecurity Group, as well as periodic penetration testing, red teaming, tabletop exercises and phishing drills. The results of these tests are measured and assessed for potential improvements.
The Company is not aware of having experienced any risks from cybersecurity threats or incidents through the date of this Annual Report on Form 10-K that have materially affected or are reasonably likely to materially affect the Company, its business strategy, results of operation or financial condition. This does not guarantee that future incidents or threats will not have a material impact or that we are not currently the subject of an undetected incident or threat that may have such an impact.
Additional information on cybersecurity risks we face is discussed in Item 1A. Risk Factors of this Annual Report on Form 10-K, which should be read in conjunction with the foregoing information.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Ovintiv’s Board of Directors is responsible for the oversight of the Company’s enterprise risk management processes, and the Board’s committees help discharge this responsibility by managing issues under their purview. The Board has delegated the primary responsibility to oversee and monitor cybersecurity risks to the Audit Committee and the Audit Committee has direct oversight of, and regularly reviews, the Company’s cybersecurity risks and related mitigations. The Audit Committee receives periodic updates from the Company’s Vice-President and Chief Information Officer (the “CIO”) concerning a wide range of topics, including risks from cybersecurity threats, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. As part of the enterprise risk management process, the Audit Committee provides regular updates to the full Board on the risk categories for which it is responsible, which includes cybersecurity. The Company has processes by which certain cybersecurity incidents are escalated and, where appropriate, reported in a timely manner to the Audit Committee and the Board.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board has delegated the primary responsibility to oversee and monitor cybersecurity risks to the Audit Committee and the Audit Committee has direct oversight of, and regularly reviews, the Company’s cybersecurity risks and related mitigations. The Audit Committee receives periodic updates from the Company’s Vice-President and Chief Information Officer (the “CIO”) concerning a wide range of topics, including risks from cybersecurity threats, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. As part of the enterprise risk management process, the Audit Committee provides regular updates to the full Board on the risk categories for which it is responsible, which includes cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company has processes by which certain cybersecurity incidents are escalated and, where appropriate, reported in a timely manner to the Audit Committee and the Board.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
The Company’s Cybersecurity Group coordinates with business and legal functions to assess and manage the Company’s risks from cybersecurity threats, including those relating to information systems owned or operated by third parties that are used by the Company. The Cybersecurity Group is led by the Director, Cybersecurity (the “Cybersecurity Director”). The Cybersecurity Director has extensive cybersecurity knowledge and skills gained from over 30 years of relevant work experience. The Cybersecurity Director is a Certified Information Systems Auditor, Chartered Professional Accountant and a Certified Fraud Examiner.
The Cybersecurity Group designs and implements the Company’s administrative and technical controls against risks from cybersecurity threats. The Cybersecurity Group also maintains the Company’s policies that prescribe procedures and standards for assessing, identifying and managing cybersecurity threats, which includes the Company’s Cybersecurity Incident Response Program. The Company’s Internal Audit Group conducts periodic independent audits of the Company’s cybersecurity procedures, systems, and controls, and also provides independent oversight into the engagement of cybersecurity resources.
The Cybersecurity Group reports to the CIO, who reports to the Executive Vice-President, Corporate Services. The CIO is responsible for overseeing the Company’s information technology and cybersecurity, and, in conjunction with executive leadership, regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risk. The CIO receives reports from the Cybersecurity Group regarding cybersecurity matters on an ongoing basis and administers the Company’s Cybersecurity Incident Response Program. The CIO is primarily responsible for reporting cybersecurity matters, including cybersecurity incidents, to executive leadership and the Audit Committee. The CIO has 30 years of relevant information technology work experience with 10 years of cybersecurity oversight at the Company and elsewhere.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CIO is responsible for overseeing the Company’s information technology and cybersecurity, and, in conjunction with executive leadership, regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risk.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CIO has 30 years of relevant information technology work experience with 10 years of cybersecurity oversight at the Company and elsewhere.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CIO receives reports from the Cybersecurity Group regarding cybersecurity matters on an ongoing basis and administers the Company’s Cybersecurity Incident Response Program. The CIO is primarily responsible for reporting cybersecurity matters, including cybersecurity incidents, to executive leadership and the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true