DVN: 10-K Risk Factor Changes

Dividends, whether fixed or variable, and share repurchases are authorized and determined by our Board of Directors in its sole discretion and depend upon a number of factors, including the Company’s financial results, cash requirements and future prospects, as well as such other factors deemed relevant by our Board of Directors. We can provide no assurance that we will continue to pay dividends or execute share repurchases at the current rate or at all. Any elimination of, or downward revision in, our dividend payout or share repurchase program could have an adverse effect on the market price of our common stock. Furthermore, the IRA imposed a 1% non-deductible U.S. federal excise tax (the “Stock Buyback Tax”) on certain repurchases of stock by publicly traded U.S. corporations, such as Devon, after December 31, 2022. The Biden Administration has proposed increasing the amount of the Stock Buyback Tax from 1% to 4%; however, it is unclear whether and when such a change in the amount of the Stock Buyback Tax could be enacted and take effect.

Dividends, whether fixed or variable, and share repurchases are authorized and determined by our Board of Directors in its sole discretion and depend upon a number of factors, including the Company’s financial results, cash requirements and future prospects, as well as such other factors deemed relevant by our Board of Directors. We can provide no assurance that we will continue to pay dividends or execute share repurchases at the current rate or at all. Any elimination of, or downward revision in, our dividend payout or share repurchase program could have an adverse effect on the market price of our common stock.

We rely heavily on information systems and other digital technologies to conduct our business, and we anticipate expanding the use of and reliance on these systems and technologies, including through artificial intelligence, process automation and data analytics. Concurrent with the growing dependence on technology is a greater sensitivity to cyberattack related activities, which have increasingly targeted our industry. Perpetrators of cyberattacks often attempt to gain unauthorized access to digital systems for purposes of misappropriating confidential and proprietary information, intellectual property or financial assets, corrupting data or causing operational disruptions as well as preventing users from accessing systems or information for the purpose of demanding payment in order for users to regain access. A wide variety of individuals or groups may perpetuate cyberattacks, ranging from highly sophisticated criminal organizations and state-sponsored actors to disgruntled employees, and the nature of, and methods used in, cyberattacks are similarly diverse and constantly evolving, with examples including phishing attempts, distributed denial of service attacks or ransomware. The increase in remote working practices may also increase the risk of cybersecurity incidents, both from deliberate attacks and unintentional events. In addition, our vendors (including third-party cloud and IT service providers), midstream providers and other business partners may separately suffer disruptions or breaches from cyberattacks, which, in turn, could adversely impact our operations and compromise our information. Moreover, we and other upstream companies rely on extensive oil and gas infrastructure and distribution systems to deliver our production to market, which in turn depend upon digital technologies. Any cyberattack directed at such infrastructure or systems could adversely impact our business and operations, including by limiting our ability to transport and market our production. Geopolitical instability may also increase our cybersecurity risk. Although we have experienced cybersecurity incidents from time to time, none have had a material effect on our business, operations or reputation; however, there is no assurance that such a breach has not already occurred and we are unaware of it, or that we will not suffer such a loss in the future. We devote significant resources to prevent cybersecurity incidents and protect our data, but our systems and procedures for identifying and protecting against such attacks and mitigating such risks may prove to be insufficient due to system vulnerabilities, human error or malfeasance or other factors. Any such attacks could have an adverse impact on our business, operations or reputation and lead to remediation costs, litigation or regulatory actions. Moreover, as the sophistication and volume of cyberattacks continue to increase, we may be required to expend significant additional resources to further enhance our digital security or to remediate vulnerabilities, and we may face difficulties in fully anticipating or implementing adequate preventive measures or mitigating potential harm. 22 22 22 Table of Contents Index to Financial Statements Table of Contents Table of Contents Index to Financial Statements Index to Financial Statements Table of Contents Table of Contents Index to Financial Statements Index to Financial Statements

Our business has become increasingly dependent on digital technologies, and we anticipate expanding the use of these technologies in our operations, including through artificial intelligence, process automation and data analytics. Concurrent with the growing dependence on technology is a greater sensitivity to cyberattack related activities, which have increasingly targeted our industry. Perpetrators of cyberattacks often attempt to gain unauthorized access to digital systems for purposes of misappropriating confidential and proprietary information, intellectual property or financial assets, corrupting data or causing operational disruptions as well as preventing users from accessing systems or information for the purpose of demanding payment in order for users to regain access. In addition, our vendors (including third-party cloud and IT service providers), midstream providers and other business partners may separately suffer disruptions or breaches from cyberattacks, which, in turn, could adversely impact our operations and compromise our information. Moreover, we and other upstream companies rely on extensive oil and gas infrastructure and distribution systems to deliver our production to market, which in turn depend upon digital technologies. Any cyberattack directed at such infrastructure or systems could adversely impact our business and operations, including by limiting our ability to transport and market our production. Geopolitical instability may also increase our cybersecurity risk. 22 Table of Contents Table of Contents Index to Financial Statements Index to Financial Statements Although we have experienced cybersecurity incidents from time to time, none have had a material effect on our business, operations or reputation. However, our systems and procedures for protecting against such attacks and mitigating such risks may prove to be insufficient in the future due to system vulnerabilities, human error or malfeasance or other factors. Any such attacks could have an adverse impact on our business, operations or reputation and lead to remediation costs, litigation or regulatory actions. Moreover, as the sophistication and volume of cyberattacks continue to increase, we may be required to expend significant additional resources to further enhance our digital security or to remediate vulnerabilities, and we may face difficulties in fully anticipating or implementing adequate preventive measures or mitigating potential harm.