Like many industries, the oil and gas sector is becoming increasingly digitalised to boost performance, enhance efficiency and, in many cases, reduce costs.
However, an often overlooked consequence is the increased vulnerability that greater reliance on automation of business processes and technological innovation can expose companies to. This is particularly heightened during an ongoing deal.
Mergers and acquisitions are a pivotal moment for any business. The implications of a cyber incident at the same time as an M&A deal can be devastating, as valuations and negotiations can become contentious. In worst-case scenarios, the deal can fall through altogether.
For the target of an acquisition, a cyber attack just prior to a merger can not only significantly reduce a valuation but also create longer-term reputational damage. There is also the potential for legal fines or compensation to shareholders and, in the event of personal data loss, customers. Under General Data Protection Regulation rules, a fine of 20m euros or 4% of global revenue can be imposed on businesses if personal information is stolen in the event of a breach, with grave consequences for the businesses affected.
Untargeted attacks are just as regular across the industry as targeted ones. The “NotPetya” ransomware attack of 2017, for example, affected many organisations globally including Maersk. The firm’s container ships stood still at sea and its port terminals around the world were heavily impacted. The recovery, which Deloitte was actively involved in, was fast. However, even within a brief period it was clear the organisation suffered financial losses, including loss of revenue, IT restoration costs and extraordinary costs related to operations.
Oil and gas sector being targeted
The number of criminal organisations targeting the oil and gas sector appears to be increasing. In 2018, the sector was the victim of one of the highest numbers of cyber attacks in the US, second only to attacks on the government.
Deloitte recently supported a local business in the oil and gas sector that had suffered a ransomware attack during the negotiations phase of an M&A deal. The timing may have been a coincidence, but attacks during negotiations are particularly disruptive as the target party is vulnerable.
Energy, resources and industrial organisations are considered critical national infrastructure, so repercussions from cyber incidents often go beyond the financial, operational and reputational to the national level. We have also seen attacks grow in complexity and impact. This varies from commercial and industrial espionage to targeted spear-phishing attacks designed to cripple businesses. We have also seen instances of widespread targeted attacks on operational technology, sometimes at a nation state level. The trend now is moving towards hybrid attacks, where both IT and physical worlds are affected.
One of the first major attacks on an Industrial Control System (ICS) saw the safety systems at a refinery targeted and shut down by the infiltrators. Whilst rare, these attacks are likely to increase in frequency and severity as methods become more sophisticated. Attacks on ICS can be more serious, compared to attacks on administrative services and other business functions, given the direct impact where safety is a concern.
Cyber security preparation ahead of an M&A deal
For a transaction to proceed with an understanding of the cyber risks, an acquirer must incorporate cyber issues into their assessment of a deal target. Risks and costs can be factored into the deal model, negotiation and day one planning. This includes understanding key cyber risk indicators, including:
The maturity of the target’s cyber security capability, the resiliency of its IT operations to cyber incidents, and which applications are vulnerable to attack;
The volume and type of data and information the target is responsible for, identifying what is most sensitive and valuable and how it is protected;
If and how the target complies with regulations and global privacy requirements, and if that compliance adequately guards against industry-specific or other cyber threats;
And the costs of addressing the above concerns and the impact not only on deal negotiations and pricing but also the acquirer’s business, brand and reputation.
Focusing on these areas ahead of and during a transaction will help minimise the chances of digital disruption creating additional challenges – and resulting in an acquirer regretting what was once a promising deal.
Shaun Reynolds, partner in transaction services, Deloitte