Mergers and acquisitions in the energy industry
Merger and Acquisition (M&A) transactions are on the rise in the oil and gas industry. There is significant interest in unconventional plays in North America with the Permian Basin leading the way—as indicated by BP’s 2018 acquisition of BHP’s assets and Occidental Petroleum’s 2019 bid to acquire Anadarko Petroleum. There has also been evidence of M&A interest in the downstream sector, as seen with Marathon Petroleum’s purchase of Andeavor in 2018.
Cybersecurity: Critical for M&A execution
At one time M&A due diligence was limited to examining financial ledgers, inspecting equipment and evaluating the risk of geographical plays. Today, the deal team must also drill into the potential cyber risks that would be inherited with the agreement and consider the impact of those risks to the newly created organization.
All companies operate in a digital environment with a convergence of information technology and operational technology (IT/OT). Software feeds operational data from various field equipment to a centralized office system. That means remote points in the field (and extended supply chains with third-party partners) are intrinsically connected to the heartbeat of the organization. The cyber risk is staggeringly high.
M&A transaction value is protected by proving security rigor along the value chain—from the traditional IT software of email servers and financial systems, to the mission-critical operational technology of field assets.
Often overlooked risk dimensions
Geopolitical risk is also a factor, particularly for the oil and gas industry, which plays a role in national security. In Accenture’s Ninth Annual Cost of Cybercrime Study (2019), we found “a significant rise in economic espionage.” This includes the theft of high-value intellectual property by threat actors such as nation-states.
For the oil and gas industry, mergers and acquisitions translate into a “bullseye” for nation-state-sponsored attacks, which are a more sophisticated type of threat. The state’s aim could be to access inside information to underbid and/or lower the valuation, and ultimately win the deal.
Cybersecurity drives M&A success
Cybersecurity is not a one-time check; it is an essential process throughout the merger and acquisition lifecycle and must continue in the newly formed organization, from pre-deal security, through the transaction, to Day 1 of the cybersecurity transition execution.
Pre-deal cybersecurity identifies cyber risks
In the M&A pre-deal phase, cybersecurity should focus on identifying the cyber risks and gaps. This provides a better understanding of the financial and operational risks in the IT/OT environments. We recommend performing these essential cybersecurity activities during the pre-deal phase.
The benefits are to better understand a threat actor’s motives and capabilities in your target company, as well as to identify the actual threats to the business and potential compromises.
Cybersecurity during deal transactions
As a merger and acquisition deal progresses toward execution, cybersecurity activities should focus on remediating the cyber risks identified during the pre-deal assessment.
Also during this phase, the deal team’s communication and the M&A data need increased protection. The individuals participating in a merger and acquisition range widely, from executive leadership, to management, to the board of directors, to trusted advisors. Our research shows that “humans are still the weakest link” in the cybersecurity of sensitive information and data.
A heightened level of security can be achieved through increased monitoring of the personnel involved in the transaction. Measures can include a defined communications protocol, agreements for information sharing and protection technologies for deal data (encryption, DLP, VPN, etc.). We recommend performing these essential cybersecurity activities during the transaction phase:
- Remediation Activities – Address the cyber risks identified during the pre-deal activities.
- Secure Communications – Work with organizations who can provide an integrated and secure communications infrastructure to ensure confidentiality.
- Day 1 and Transition Planning – Define the set of cybersecurity capabilities for Day 1 and the implementation plan for integration of people, processes and technology.
Also during the transaction, both companies need to develop a transition plan for Day 1. This establishes deadlines for cybersecurity capabilities to be integrated into a single operation. A future-state operating model for the newly merged organization should include reporting structures, service catalogs, program governance and other key considerations to ensure normal business operations on Day 1.
Day 1 cybersecurity executes transition plan
In a merger and acquisition, “Day 1” refers to the first day that the two newly merged/acquired companies operate as one organization. Day 1 cybersecurity is about executing the plan and roadmap that were established during transition planning. The plan addresses integration of security capabilities across people, processes and technology. We recommend performing these essential cybersecurity activities:
The way forward
Our research shows that the security function is largely centralized and its staff “are rarely included when new products, services and processes—all of which involve some sort of cyber risk—are being developed.” Such a siloed approach can result in a lack of accountability across the organization and a sense that cybersecurity is not everyone’s responsibility.