Cybersecurity Contract Requirements

CONTRACTOR CYBERSECURITY REQUIREMENTS

1. Introduction

Seadrill’s commitment to maintaining the highest standards of information security is paramount to safeguarding our industrial processes, data integrity, and protecting our people and our brand against potential cyber threats.

Considering the growing sophistication and prevalence of cyberattacks, Seadrill recognizes the significance of collaborating with our Contractors to ensure the confidentiality, integrity, and availability of our systems.

Seadrill developed these cybersecurity requirements to establish a robust cybersecurity framework that aligns with industry best practices and regulatory guidelines, encompassing a wide range of security measures. By adhering to the requirements herein, Seadrill aims to create a secure and resilient environment that fortifies against potential threats and enhances our overall operational efficiency. All Seadrill vendors, suppliers, contractors, and service providers (“Contractors”) shall adhere to the requirements as set out herein.

2. Operational Technology Security

a) During the business relationship with any Contractor, and in accordance with applicable laws and industry best practices, the Contractor shall be required to implement, maintain, and verify cybersecurity programs and procedures to ensure Seadrill’s Industrial Control Systems (ICS) and associated information technology systems are protected against loss, destruction, damage, unauthorized disclosure, or other misuse.

b) The Contractor shall have a cybersecurity program in place aligned and in compliance with recognized industry-leading frameworks and standards, such as ISA/IEC 62443, NIST Cybersecurity Framework (CSF), NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security, and IADC Cybersecurity Guidelines for Drilling Assets.

3. Information Technology Security

(a) The Contractor shall have a cybersecurity program in place aligned and in compliance with recognized industry-leading frameworks and standards, such as NIST CSF, NIST Special Publication 800-53 Security and Privacy Controls for Information Systems, ISO 27001.

(b) During the term of this agreement, the Contractor shall operate an information security program designed to meet the confidentiality, integrity, and availability requirements of the service or product being supplied. The program shall include at a minimum the security measures described in Appendix B.

4. Cybersecurity Incidents

a) Contractors shall commit to transparency and are hereby required to provide immediate written notice to Seadrill of any Cybersecurity Incidents that occur at within the Contractor systems or organization that may potentially have an impact on our operations.

b) A Cybersecurity Incident shall be defined as any actual or suspected unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through an information system that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing therein.

c) Contractors shall provide prompt written notice via e-mail to information.security@seadrill.com of any Cybersecurity Incident. Such notice shall include an Incident Summary as described below.

1.1.1. Incident Summary:

· Briefly describe the nature of the incident, including the type of attack or event that occurred (e.g., data breach, ransomware attack, system outage), the systems affected, and the type of data compromised. Geographical scope.

· State the timeframe during which the incident occurred.

· Avoid disclosing specific technical details that could compromise ongoing investigations or remediation efforts.

1.1.2. Potential Impact:

· Briefly explain the potential impact of the incident on Seadrill Operations, including potential for impacts to:

· Data (e.g., customer data, employee data, financial data), Systems and operations, Financial performance, Reputation

· Emphasize if the actual impact is still being assessed and may evolve.

1.1.3. Notification Protocol: Contractor must notify Seadrill within four (4) days upon discovery of any cybersecurity incident.

d) Securities and Exchange Commission (SEC) Cybersecurity Rule. Contractor hereby acknowledges that Seadrill is a listed NYSE entity and is subject to the rules on cybersecurity risk management, strategy, governance, and incident disclosure. Contractor shall provide reasonable assistance to aid Seadrill’s compliance with SEC Cybersecurity rules. In any event, Seadrill reserves the right to make determinations regarding materiality and Seadrill’s notification requirements of any Cybersecurity Incident.

5. Confidentiality and Regulatory Compliance Reminder:

(a) As Seadrill and Contractor collaborate to address and mitigate any Cybersecurity Incidents, Contractor shall acknowledge the importance of maintaining confidentiality and integrity of information shared.

(b) Contractor shall comply with the following key principles:

1. Confidential Information Handling: All information shared regarding the Cybersecurity Incident must be treated strictly as confidential. Contractor shall only disclose details to individuals who are directly involved in the incident response and have a need to know this information to perform their duties.

2. Compliance with Regulations: Contractor shall ensure that all communications and actions taken in response to the incident comply with relevant laws, regulations, and industry standards. This includes, but is not limited to, data protection laws, information security regulations, and any contractual obligations related to information security and privacy.

3. Sensitive Information Protection: Contractor shall be cautious about sharing sensitive details that could further jeopardize security or privacy. Contractor must avoid disclosing specific technical vulnerabilities, operational weaknesses, or other sensitive information that could be exploited by malicious actors.

4. Legal and Regulatory Reporting: If the incident requires reporting to legal or regulatory bodies, ensure that such reporting is done in a timely and compliant manner, following the guidelines set by relevant authorities.

5. Continuous Communication: Contractor shall keep Seadrill informed of any significant developments or changes in the status of the Cybersecurity Incident, particularly those that might affect compliance or confidentiality considerations.

6. Additional Requirements

(a) Contractors that provide goods or services that interface with Seadrill’s Offshore Technology (OT) or ICS or are specifically designed as an OT/ICS solution shall comply with the requirements of Appendix A for identification, protection, detection, response, and recovery of cybersecurity risks and events.

(b) Contractors requiring access to or providing work that interfaces with Seadrill’s Information Technology (IT) system or networks shall comply with the requirements of Appendix B.

APPENDIX A

1. Identification

1.1. An ICS security program shall be established by Contractor, communicated with Seadrill, and maintained with defined roles, responsibilities and requirements that reduce ICS cybersecurity risk to as low as reasonably practicable (ALARP). Refer to FRM-37-01358 Risk Matrix.

1.2. All physical devices, systems, software platforms and applications part of the ICS shall be inventoried and shared with Seadrill.

1.3. Network drawings, data flow diagrams and asset inventory register shall be maintained for the ICS Zones and DMZ.

1.4. A security risk assessment, in line with ISA/IEC 62443-3-2: “Security risk assessment for system design”, shall be performed and shared with Seadrill Cybersecurity team for review before installations, upgrades and changes to ICS. The Risk Assessment shall contain:

1.4.1. Asset vulnerabilities are identified and documented.

1.4.2. Threats agents, threat vectors, and threat events, both internal and external, are identified and documented.

1.4.3. Potential business impacts and likelihoods are identified.

1.4.4. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

1.4.5. Risk responses and countermeasures are identified and prioritized to manage the risks to an acceptable level.

1.4.6. Pre-requisites for risk assessment:

1.4.6.1. Asset inventory

1.4.6.2. Network diagram drawing based on Purdue Model

1.4.6.3. Data flow diagram

1.5. The risk mitigation plan and all relevant cybersecurity advisories regarding security issues, vulnerabilities, and exploits surrounding the ICS system should be communicated to the Seadrill Cybersecurity team to minimize the potential risk of vulnerability.

2. Protection

2.1. Identity Management, Authentication and Access Control

2.1.1. Identities and credentials shall be issued, managed, verified, revoked, and audited for authorized devices, users, and processes.

2.1.2. The ‘principle of least privilege’ should be followed for accounts that are used with ICS, with accounts only having the access required for their specific roles.

2.1.3. Use of Privileged Accounts (Admin accounts) must be strictly controlled and only used following an approved change.

2.1.4. Access to passwords for such Privileged Accounts must also be strictly controlled.

2.1.5. Default passwords should be changed by enforcing strong and complex passwords, and passwords should not be repeated across ICS, either on the same asset or across multiple assets. Where password cannot be changed the risk must be assessed by the Seadrill Cybersecurity team. 2.1.6. Contractors shall adopt Seadrill’s centralized secure remote access solution, DISPEL. Should the Contractor request an exception or alternative solution, Contractor must submit such request in writing to the Seadrill Cybersecurity team for review, risk assessment, documentation, and approval.

2.1.7. On a quarterly basis, the Contractor shall review all accounts allowed remote support access. Following the review, the Contractor must promptly inform Seadrill of any necessary updates to the system, including adding or revoking accesses. This process ensures that remote support access remains secure and up to date, mitigating potential security risks.

2.2. Network architecture shall:

2.2.1. Be documented with a topology diagram to ensure that the layout of the network is well understood and can be used as a reference for security measures.

2.2.2. A firewall shall be in place separating the ICS network from the information technology networks.

2.2.3. Encrypt network data flows between the ICS Zone or ICS DMZ and untrusted zones.

2.3. Awareness and Training

2.3.1. All personnel involved in support activity of the ICS shall go through general cybersecurity awareness training. Additional training specific to the role or function shall also be provided to ensure individuals are adequately trained to perform their information security-related duties and.

2.3.2. All Contractor personnel visiting the rigs in support of ICS solutions are required to sign a Code of Connection (CoCo) statement before starting any work. The Seadrill rig team shall guide them through such process. The Code of Connection details the asset owner requirement that Contractor personnel must meet before working on an ICS.

2.3.3. Privileged users must understand their roles and responsibilities.

2.3.4. The Contractor must furnish evidence of cyber security awareness training records annually or whenever new personnel join the support group via e-mail to information.security@seadrill.com. This evidence must demonstrate that all personnel engaged in supporting the Industrial Control Systems (ICS) have received proper training.

2.4. Data Security

2.4.1. Data-at-rest is protected.

2.4.2. Data-in-transit is protected and shall be encrypted.

2.4.3. Adequate capacity to ensure availability is maintained.

2.4.4. Protections against data leaks are implemented.

2.5. Information Protection Processes and Procedures

2.5.1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).

2.5.2. Configuration change control processes are in place, properly documented, including backout process.

2.5.3. Conduct regular backups of ICS and testing the backup process to ensure that critical data is protected, and in case of a system failure or incident, data can be restored without loss of integrity.

2.5.4. A backup and restore procedure of the ICS must be produced detailing the process steps and shared with the asset owner, especially in cases where the rig crew is responsible for system restoration. Contractor shall ensure that the process is executed correctly and efficiently.

2.6. Protective Technology

2.6.1. Removable media must be protected and its use restricted unless it has been scanned to determined clean from malicious code and approved to use by Seadrill.

2.6.2. Malware protection shall be installed on Windows computers on ICS unless prohibited by Original Equipment Manufacturers (OEM), engineering limitations or due to system obsolescence. Where anti-virus protection is not implemented, Contractor shall demonstrate that appropriate mitigations are in place.

2.6.3. Contractor shall have the capability to verify that malware, other than zero-day malware, can be detected and properly handled by the installed malware protection mechanisms.

2.7. Patching

2.7.1. Operating system patching shall be implemented on automation systems unless prohibited by OEMs or due to system obsolescence. Where patching programs are not implemented, Contractor shall demonstrate that appropriate mitigations are in place.

2.7.2. The Contractor shall obtain approval from the asset owner before installing any security patch, especially security patches that could impact operations or performance.

2.7.3. The Contractor shall have the capability to ensure that the security hardening level of the ICS is retained after patch installation, e.g. by reinstalling software or changing system configuration settings.

2.7.4. Contractor shall have a lifecycle management plan that includes compensating security controls when using ICS device operating system that is no longer supported with security updates.

3. Detection

3.1. Anomaly and breach detection capability shall be implemented for the ICS Zone by:

3.1.1. Deploying system event log management or network communication analysis technology to monitor abnormal activity.

3.1.2. Remote monitoring of anomaly and breach detection technology with local notifications on the rig.

3.2. Contractor shall eliminate all malware from devices, including portable media and temporary devices, prior to connection to the IACS.

3.3. Contractor shall deploy, run and maintain end-point-protection technology.

4. Response

4.1. The Contractor shall have an incident response plan in place.

4.2. The Contractor shall immediately report Cybersecurity Incidents to Seadrill.

5. Recovery

5.1. Recovery processes and procedures must be executed and maintained to ensure restoration of systems or assets affected by Cybersecurity Incidents.

6. Assurance

6.1. Security Compliance Checks: Contractor shall ensure that the controls are implemented and operating according to the specified requirements.

6.2. An action plan should be created and communicated with Seadrill to address all gaps identified on the annual risk assessment.

APPENDIX B

Governance

(a) Information Security Policy: Contractor shall develop, implement, and maintain an information security policy and shall communicate the policy to all staff and contractors.

(b) Policy Alignment: Contractor must have cybersecurity policies that align with data privacy laws (i.e.: GDPR). Policies should address data protection, privacy, and security practices that comply with the company’s obligations.

(c) Data Governance: Implement data governance practices that ensure data integrity, confidentiality, and availability. This includes classification, handling, storage, and disposal of data in compliance with GDPR and other relevant regulations.

Risk Management

(a) Risk Management: Contractor shall employ a formal risk assessment process to identify security risks that may impact the products or services being supplied and mitigate risks in a timely manner commensurate with the risk.

(b) Risk Assessment: Contractor shall regularly conduct risk assessments to identify, analyze, and manage cybersecurity risks that could impact the confidentiality, integrity, or availability of information processed, stored, or transmitted.

(c) Vendor Risk Management: Contractor shall establish a risk management program that evaluates and manages the risks associated with third-party subcontractors and vendors. This should include due diligence, ongoing monitoring, and risk assessment methodologies aligned with NIST SP 800-53 Rev. 5 and ISO 27001.

Compliance

(a) Regulatory Compliance: Contractor shall ensure compliance with GDPR, LGPD, US data privacy laws, SOX, SEC Cyber Disclosure Rules, and any other applicable regulations. This includes implementing controls for data protection, breach notification, and rights of data subjects.

(b) Framework Alignment: Contractor shall align security controls with international industry frameworks such as NIST CSF, NIST SP 800-53 Rev. 5, and ISO 27001. Implement necessary controls for information security management, including access control, encryption, incident response, and business continuity planning.

(c) Reporting and Documentation: Contractor shall maintain comprehensive documentation and records of compliance efforts, security policies, risk assessments, and incident response activities to demonstrate compliance with regulatory and framework requirements.

Assurance

(a) SOC 2 Type 2 and ISO 27001 Certification: Contractors must have current SOC 2 Type 2 and ISO 27001 certifications, demonstrating adherence to high standards of data security and information management.

(b) External/Independent Audit Reports: Contractor shall mandate annual external or independent audit reports that verify the Contractor’s compliance with cybersecurity requirements, regulatory mandates, and industry standards.

(c) Penetration Testing: Contractor shall perform regular penetration testing conducted by reputable third-party security firms to identify vulnerabilities in systems, applications, and networks. Contractor shall remediate identified vulnerabilities in a timely manner and provide reports on the findings and remediation actions.