
The implications of a cyber incident at the same time as an M&A deal can be devastating

Shaun Reynolds

Like many industries, the oil and gas sector is becoming increasingly digitalised to boost performance, enhance efficiency and, in many cases, reduce costs.

However, an often overlooked consequence is the increased vulnerabilities that greater reliance on automation of business processes and technological innovation can expose companies to. This is particularly heightened during an ongoing deal.

Mergers and acquisitions are a pivotal moment for any business. The implications of a cyber incident at the same time as an M&A deal can be devastating, as valuations and negotiations can become contentious. In worst-case scenarios, the deal can fall through altogether.

For the target of an acquisition, a cyber attack just prior to a merger can not only significantly reduce its valuation, it could also create longer-term reputational damage. There is also the potential for legal fines or compensation to shareholders and, in the event of personal data loss, customers. Under General Data Protection Regulation rules, a fine of 20m euros or 4% of global revenue can be imposed on businesses if personal information is stolen in the event of a breach, with grave consequences for the businesses affected.

Untargeted attacks are just as regular across the industry as targeted ones. The “NotPetya” ransomware attack of 2017, for example, affected many organisations globally including Maersk. The firm’s container ships stood still at sea and its port terminals around the world were heavily impacted. The recovery, which Deloitte was actively involved in, was fast. However, even within a brief period it was clear the organisation suffered financial losses, including loss of revenue, IT restoration costs and extraordinary costs related to operations.

Oil and gas sector being targeted

The number of criminal organisations targeting the oil and gas sector appears to be increasing. In 2018, the sector suffered one of the highest numbers of cyber attacks in the US, second only to attacks on the government.

Deloitte recently supported a local business in the oil and gas sector that had suffered a ransomware attack during the negotiations phase of an M&A deal. The timing may have been a coincidence, but attacks during negotiations are particularly disruptive as the target party is vulnerable.

Energy, resources and industrial organisations are considered critical national infrastructure, so repercussions from cyber incidents often go beyond the financial, operational and reputational to the national level. We have also seen attacks grow in complexity and impact. This varies from commercial and industrial espionage to targeted spear-phishing attacks designed to cripple businesses. We have also seen instances of widespread targeted attacks on operational technology, sometimes at a nation state level. The trend now is moving towards hybrid attacks, where both IT and physical worlds are affected.

One of the first major attacks on an Industrial Control System (ICS) saw the safety systems at a refinery targeted and shut down by the infiltrators. Whilst rare, these attacks are likely to increase in frequency and severity as methods become more sophisticated. Attacks on ICS can be more serious, compared to attacks on administrative services and other business functions, given the direct impact where safety is a concern.

Cyber security preparation ahead of an M&A deal

For a transaction to proceed with an understanding of the cyber risks, an acquirer must incorporate cyber issues into their assessment of a deal target. Risks and costs can be factored into the deal model, negotiation and day one planning. This includes understanding key cyber risk indicators, including:

The maturity of the target’s cyber security capability, the resiliency of its IT operations to cyber incidents, and which applications are vulnerable to attack;

The volume and type of data and information the target is responsible for, identifying what is most sensitive and valuable and how it is protected;

If and how the target complies with regulations and global privacy requirements, and if that compliance adequately guards against industry-specific or other cyber threats;

And the costs of addressing the above concerns and the impact not only on deal negotiations and pricing but also the acquirer’s business, brand and reputation.

Focusing on these areas ahead of and during a transaction will help minimise the chances of digital disruption creating additional challenges – and of an acquirer regretting what was once a promising deal.

Shaun Reynolds, partner in transaction services, Deloitte