Halliburton Company: 10-K Risk Factor Changes

We depend greatly on the efforts of our executive officers and other key employees to manage our operations. The loss or unavailability of any of our executive officers or other key employees could have a material adverse effect on our business. Table of ContentsItem 1(b) | Unresolved Staff Comments Table of ContentsItem 1(b) | Unresolved Staff Comments Table of Contents Item 1(b). Unresolved Staff Comments. None. Item 1(c). Cybersecurity. We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is integrated into our enterprise risk management program and enterprise risk assessment process. This provides cross-functional and geographical visibility, as well as executive leadership oversight, to address and mitigate associated risks. We engage our internal information technology (IT) audit group to audit our information security programs, and the results are reported to our executive management and the Audit Committee of our Board of Directors. We also engage third party firms to identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards, such as the National Institute of Standards and Technology (NIST) Cyber Security Framework, NIST 800-53, NIST 800-82, and International Electrotechnical Commission 62443. In managing material risks from cybersecurity threats, we require that a security and technical architecture review is conducted for all new software and applications, and for all changes to the underlying information technology infrastructure that manages, processes, stores, or transmits our data or data of our customers, vendors, suppliers, joint ventures, or employees. Any deviations from our information security policies and standards are assessed by our Information Security Governance team. Any critical and high-risk levels that are identified are then documented and reported to relevant key stakeholders. Our policies and procedures also address the oversight, identification, and mitigation of cybersecurity risks associated with our use of third-party service providers. Our policy requires that all software vendors and IT related service providers submit to an IT security and governance review and obtain formal approval by our Information Security Governance team before it can be used. We have an Incident Response Plan that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. In the event there is a cybersecurity incident, an Incident Response Team will assess the cybersecurity incident’s impact as the basis for assigning a preliminary severity rating. This team then provides the Chief Information Security Officer (CISO) with a summary and preliminary severity rating and the CISO subsequently notifies the Chief Information Officer (CIO) as appropriate. The CISO and CIO will assess situational information and business impact to finalize the severity rating. The CISO is then responsible for communicating incidents to other members of management as appropriate. Were a cybersecurity incident to occur that was determined to be material by our management and Cyber Incident Response Leadership, our Chief Executive Officer would notify our Board of Directors. Should any incidents occur that have a preliminary severity rating of high or critical, our Cyber Incident Response Leadership would confer with our Cybersecurity Disclosure Committee to determine whether to report the cybersecurity incident in our public filings. Aside from more immediate reporting of material incidents to our Board of Directors as described above, our CISO provides our Board of Directors an update on cybersecurity during each of its quarterly meetings. This update includes data on certain cybersecurity metrics, information on internal and third-party cybersecurity incidents, and general discussion of cybersecurity risks. In addition, our Audit Committee receives a detailed update annually from the CIO and CISO, which includes in-depth updates on our cybersecurity program and strategy including cybersecurity risks. The CIO leads all components of our IT functions. Our CIO has over 20 years of experience with Halliburton and has had numerous global assignments across all areas of IT delivery, operations, and management. Our CISO, who reports directly to our Executive Vice President of Administration and Chief Human Resources Officer, has over 20 years of technology and cybersecurity experience across global enterprises, risk advisory, and incident response firms. We have experienced cybersecurity incidents and attempted breaches in the past, one of which resulted in an unauthorized third party gaining access to certain of our systems and exfiltrating information from those systems, which we determined was a material event as previously disclosed in a Form 8-K we filed with the SEC on September 3, 2024. The incident caused disruptions and limitation of access to portions of our business applications supporting aspects of our operations and corporate functions, required us to incur significant costs, and required a significant amount of attention from management and our work force. Related to this incident, we face risks of unknown impacts or new events, regulatory actions, or potential litigation, which could affect our business, reputation, or consolidated financial condition. Further, if our systems, or our customers’ or suppliers’ systems, for protecting against cybersecurity incidents prove to be insufficient, a future cybersecurity incident could have a material adverse effect on our business, operations, or consolidated financial condition. See additional information about our cybersecurity risks under General Risk factors in Item 1(a) Risk Factors.

We depend greatly on the efforts of our executive officers and other key employees to manage our operations. The loss or unavailability of any of our executive officers or other key employees could have a material adverse effect on our business. Table of ContentsItem 1(b) | Unresolved Staff Comments Table of ContentsItem 1(b) | Unresolved Staff Comments Table of Contents Item 1(b). Unresolved Staff Comments. None. Item 1(c). Cybersecurity. We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is integrated into our enterprise risk management program and enterprise risk assessment process. This provides cross-functional and geographical visibility, as well as executive leadership oversight, to address and mitigate associated risks. We engage our internal IT audit group to audit our information security programs, and the results are reported to our executive management and the Audit Committee of our Board of Directors. We also engage third party firms to identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework, NIST 800-53, NIST 800-82, and International Electrotechnical Commission 62443. In managing material risks from cybersecurity threats, we require that a security and technical architecture review is conducted for all new software and applications, and for all changes to the underlying information technology (IT) infrastructure that manages, processes, stores, or transmits our data or data of our customers, vendors, suppliers, joint ventures, or employees. Any deviations from our IT security policies and standards are assessed by our IT Security Governance team. Any critical and high-risk levels that are identified are then documented and reported to relevant key stakeholders. Our policies and procedures also address the oversight, identification, and mitigation of cybersecurity risks associated with our use of third-party service providers. Our policy requires that each third-party service provider go through a mandatory IT Security Governance review and obtain formal approval by our IT Security Governance group before it can be used. We have an Incident Response Plan that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. This plan requires an Incident Manager to determine whether a cybersecurity incident has occurred and to communicate such findings to the Incident Response Team. In the event there is a cyber security incident, the Incident Manager and the Incident Response Team will assess the cybersecurity incident’s impact as the basis for assigning a preliminary severity rating. The Incident Manager then provides the Chief Information Security Officer (CISO) with a summary and preliminary severity rating and the CISO subsequently notifies the Chief Information Officer (CIO) as appropriate. Cyber Incident Response Leadership, which is comprised of the CIO, CISO, and Incident Manager, assesses situational information and business impact to confirm the preliminary severity rating assessment. The CIO and CISO are responsible for communicating incidents to other members of management as appropriate. Were a cybersecurity incident to occur that was determined to be material by our management and Cyber Incident Response Leadership, they would notify our Board of Directors. Should any incidents occur that have a preliminary severity rating of high or critical, our Cyber Incident Response Leadership would confer with our Cybersecurity Disclosure Committee to determine whether to report the cybersecurity incident in our public filings. Aside from more immediate reporting of material incidents to our Board of Directors as described above, our CISO provides our Board of Directors an update on cybersecurity during each of its quarterly meetings. This update includes metrics on the effectiveness of technical and human security controls, cybersecurity training program compliance, internal and third-party cybersecurity incidents, and cybersecurity risks. In addition, our Audit Committee receives a detailed update annually from the CIO and CISO, which includes in-depth updates on our cybersecurity program and strategy including cybersecurity risks. The CIO leads all components of our IT functions. Our CIO has over 40 years of experience with Halliburton and has had numerous global assignments across all areas of IT delivery, operations, and management. Our CISO has served in that role since 2021. Since joining Halliburton in 2010, the CISO has held various leadership roles in IT, including architecture, infrastructure management and security, and enterprise platform management. No unauthorized access to customer, vendor, supplier, joint venture, employee or our data occurred as a result of cybersecurity incidents against us that has had a material adverse effect on our business, operations, or consolidated financial condition. If our systems, or our customers' or suppliers' systems, for protecting against cybersecurity incidents prove to be insufficient, a cybersecurity incident could have a material adverse effect on our business, operations, or consolidated financial condition. See additional information about our cybersecurity risks under General Risk factors in Item1(a) Risk Factors.

We are increasingly dependent on digital technologies and services to conduct our business. We use these technologies for internal and operational purposes, including data storage, processing, and transmissions, as well as in our interactions with customers and suppliers. Examples of these digital technologies include analytics, automation, and cloud services. Our digital technologies and services, and those of our customers and suppliers, are subject to the risk of cybersecurity incidents and, given the nature of such incidents, some can remain undetected for a period of time despite efforts to detect and respond to them in a timely manner. We routinely monitor our systems for cybersecurity threats and have processes in place aimed at detecting and remediating vulnerabilities and incidents. Nevertheless, we have experienced cybersecurity incidents and attempted breaches in the past, one of which resulted in an unauthorized third party gaining access to certain of our systems and exfiltrating information from those systems, which we previously disclosed in Form 8-Ks we filed with the SEC on August 23, 2024 and September 3, 2024. The incident caused disruptions and limitation of access to portions of our business applications supporting aspects of our operations and corporate functions, required us to incur significant costs, and required a significant amount of attention from management and our work force. Related to this incident, we face risks of unknown impacts or new events, regulatory actions, or potential litigation, which could affect our business, reputation, consolidated results of operations, or consolidated financial condition. Even if we successfully defend our own digital technologies and services, we also rely on our customers and suppliers, with whom we may share data and services, to protect their digital technologies and services from cybersecurity incidents. If our systems, or our customers’ or suppliers’ systems, for protecting against cybersecurity incidents prove not to be sufficient, we could be adversely affected by, among other things: loss of or damage to intellectual property, proprietary or confidential information, or customer, supplier, or employee data; interruption of our business operations; diversion of management or work force attention; and increased costs required to prevent, respond to, or mitigate cybersecurity incidents. These risks could harm our reputation and our relationships with our customers, employees, suppliers and other third parties, and may result in claims against us. In addition, laws and regulations governing cybersecurity resiliency, governance, and incidents; data privacy; and the unauthorized disclosure of confidential or protected information pose increasingly complex compliance challenges, and failure to comply with these laws could result in penalties and legal liability. These risks could have a material adverse effect on our business, consolidated results of operations and consolidated financial condition.

We are increasingly dependent on digital technologies and services to conduct our business. We use these technologies for internal and operational purposes, including data storage, processing, and transmissions, as well as in our interactions with customers and suppliers. Examples of these digital technologies include analytics, automation, and cloud services. Our digital technologies and services, and those of our customers and suppliers, are subject to the risk of cybersecurity incidents and, given the nature of such incidents, some can remain undetected for a period of time despite efforts to detect and respond to them in a timely manner. We routinely monitor our systems for cybersecurity threats and have processes in place to detect and remediate vulnerabilities. Nevertheless, we have experienced occasional cybersecurity incidents and attempted breaches in the past, including attacks resulting from phishing emails and malware infections. We responded to and mitigated the impact of these attacks. Even if we successfully defend our own digital technologies and services, we also rely on our customers and suppliers, with whom we may share data and services, to protect their digital technologies and services from cybersecurity incidents. No unauthorized access to material financial, technical, or customer data occurred as a result of cybersecurity attacks against us and none of the attacks mentioned above had a material adverse effect on our business, operations, reputation, or consolidated results of operations or consolidated financial condition. If our systems, or our customers’ or suppliers’ systems, for protecting against cybersecurity incidents prove not to be sufficient, we could be adversely affected by, among other things: loss of or damage to intellectual property, proprietary or confidential information, or customer, supplier, or employee data; interruption of our business operations; and increased costs required to prevent, respond to, or mitigate cybersecurity incidents. These risks could harm our reputation and our relationships with our customers, employees, suppliers and other third parties, and may result in claims against us. In addition, laws and regulations governing cybersecurity incidents, data privacy, and the unauthorized disclosure of confidential or protected information pose increasingly complex compliance challenges, and failure to comply with these laws could result in penalties and legal liability. These risks could have a material adverse effect on our business, consolidated results of operations and consolidated financial condition.

Changes in or the adoption or enactment of laws, regulations, treaties or international agreements related to greenhouse gases, climate change, or alternative energy sources, including changes that may make it more expensive to explore for and produce oil and natural gas, may negatively impact demand for our services and products. International, national, state, and local governments and agencies in areas in which we conduct business continue to evaluate, and in some instances adopt, climate-related legislation and other regulatory initiatives that would restrict emissions of greenhouse gases. We closely follow developments in this area, including changes in the regulatory landscape in the United States at both the federal and state levels and in the international markets in which we operate. We cannot predict, however, how or when such changes may be effected or ultimately impact our business. For example, in the United States, presidents have certain powers to issue executive orders that can have the effect of the enactment of new laws. In January 2025, President Biden issued a Memorandum of Withdrawal that could have had the effect of preventing future leasing by the federal government (and therefore oil and gas exploration) of the lands underlying federal waters offshore the U.S. East Coast, the eastern Gulf of Mexico, the Pacific Ocean off the coasts of Washington, Oregon, and California, and additional portions of the Northern Bering Sea in Alaska. Also in January 2025, President Trump in turn overturned President Biden’s Memorandum of Withdrawal and issued a series of executive orders that signal a shift in the United States’ energy and climate change policies. Future administrations may, however, pursue executive orders similar to, or more restrictive than, those put in place by predecessor administrations. Because our business depends on the level of activity in the oil and natural gas industry, existing or future laws, orders, regulations, treaties, or international agreements related to greenhouse gases or climate change, including incentives to conserve energy or use alternative energy sources, may reduce demand for oil and natural gas and could have a negative impact on our business. The efforts we have taken, and may undertake in the future, to respond to these evolving or new regulations and to environmental initiatives of customers, investors, and others may increase our costs. These and other environmental requirements could have a material adverse effect on our business, consolidated results of operations, and consolidated financial condition. Table of ContentsItem 1(a) | Risk Factors Table of ContentsItem 1(a) | Risk Factors Table of Contents

Changes in or the adoption or enactment of laws, regulations, treaties or international agreements related to greenhouse gases, climate change, or alternative energy sources, including changes that may make it more expensive to explore for and produce oil and natural gas, may negatively impact demand for our services and products. For example, oil and natural gas exploration and production may decline as a result of environmental requirements, including land use policies responsive to environmental concerns. State, national, and international governments and agencies in areas in which we conduct business continue to evaluate, and in some instances adopt, climate-related legislation and other regulatory initiatives that would restrict emissions of greenhouse gases. For example, The President of the United States has issued Executive Orders and other directives seeking to adopt new regulations and policies to address climate change and to suspend, revise, or rescind prior agency actions that the administration identified as conflicting with its climate policies. These include Executive Orders requiring a review of current U.S. federal lands leasing and permitting practices, as well as a temporary halt of new leasing of U.S. federal lands and offshore waters available for oil and gas exploration. Also, in January 2024, the President of the United States paused approvals for pending and future applications to export liquified natural gas from new projects. During this pause, the Department of Energy will conduct a review of the economic and environmental impacts of projects seeking approval to export LNG to Europe and Asia. Changes and uncertainties resulting from proposed regulations and its actions with respect to leasing and other actions could have a negative effect on exploration and production of oil and natural gas and, consequently, negatively impact the demand for our products and services. Table of ContentsItem 1(a) | Risk Factors Table of ContentsItem 1(a) | Risk Factors Table of Contents In February 2021, the United States formally re-joined the Paris Agreement. The Paris Agreement requires countries to review and “represent a progression” in their intended nationally determined contributions, which set greenhouse gases emission reduction goals, every five years. The United States Environmental Protection Agency has proposed strict new methane emission regulations for certain oil and gas facilities. The Inflation Reduction Act of 2022 establishes a charge on methane emissions above certain limits from the same facilities. Though we are closely following developments in this area and changes in the regulatory landscape in the United States, we cannot predict how or when those changes may ultimately impact our business. Because our business depends on the level of activity in the oil and natural gas industry, existing or future laws, regulations, treaties, or international agreements related to greenhouse gases or climate change, including incentives to conserve energy or use alternative energy sources, may reduce demand for oil and natural gas and could have a negative impact on our business. Likewise, such restrictions may result in additional compliance obligations with respect to the release, capture, sequestration, and use of carbon dioxide. The efforts we have taken, and may undertake in the future, to respond to these evolving or new regulations and to environmental initiatives of customers, investors, and others may increase our costs. These and other environmental requirements could have a material adverse effect on our business, consolidated results of operations, and consolidated financial condition.