RESEARCH REPORT

In brief

In brief

  • Merger and Acquisitions (M&A) are accelerating in the oil and gas industry.
  • Cybersecurity is now a critical part of today’s due diligence in M&A deals.
  • Cybersecurity must be done throughout the M&A life cycle, not a one-time check.


Mergers and acquisitions in the energy industry

Merger and Acquisition (M&A) transactions are on the rise in the oil and gas industry. There is significant interest in unconventional plays in North America with the Permian Basin leading the way—as indicated by BP’s 2018 acquisition of BHP’s assets and Occidental Petroleum’s 2019 bid to acquire Anadarko Petroleum. There has also been evidence of M&A interest in the downstream sector, as seen with Marathon Petroleum’s purchase of Andeavor in 2018.

Cybersecurity: Critical for M&A execution

At one time M&A due diligence was limited to examining financial ledgers, inspecting equipment and evaluating the risk of geographical plays. Today, the deal team must also drill into the potential cyber risks that would be inherited with the agreement and consider the impact of those risks to the newly created organization.

All companies operate in a digital environment with a convergence of information technology and operational technology (IT/OT). Software feeds operational data from various field equipment to a centralized office system. That means remote points in the field (and extended supply chains with third-party partners) are intrinsically connected to the heartbeat of the organization. The cyber risk is staggeringly high.

M&A transaction value is protected by proving security rigor along the value chain—from the traditional IT software of email servers and financial systems, to the mission-critical operational technology of field assets.

Cyber risk can be translated into monetary amounts—with the ability to alter valuations, when necessary, based on the risk present in the target company.

Often overlooked risk dimensions

Geopolitical risk is also a factor, particularly for the oil and gas industry, which plays a role in national security. In Accenture’s Ninth Annual Cost of Cybercrime Study (2019), we found “a significant rise in economic espionage.” This includes the theft of high-value intellectual property by threat actors such as nation-states.

For the oil and gas industry, mergers and acquisitions translate into a “bullseye” for nation-state sponsored attacks which is a more sophisticated type of threat. The state’s aim could be to access inside information to underbid and/or lower the valuation, and ultimately win the deal.

Cybersecurity drives M&A success

Cybersecurity is not a one-time check; it is an essential process throughout the merger and acquisition lifecycle and must continue in the newly formed organization, from pre-deal security to during the transaction to day one of the cybersecurity transition execution.

Pre-deal cybersecurity identifies cyber risks

In the M&A pre-deal phase, cybersecurity should focus on identifying the cyber risks and gaps. This provides a better understanding of the financial and operational risks in the IT/OT environments. We recommend performing these essential cybersecurity activities during the pre-deal phase.

The benefits are to better understand a threat actor’s motives and capabilities in your target company, as well as to identify the actual threats to the business and potential compromises.

Threat Intel

Gain an understanding of the potential threat landscape via the dark web and other Internet sources.

Threat Hunt

Conduct proactive analysis across IT/OT systems throughout the target and the parent environment to identify indicators of compromise, tactics, techniques and procedures.

External Penetration Test

Test the external perimeter to identify vulnerabilities across the M&A target’s environment.

View All

Cybersecurity during deal transactions

As a merger and acquisition deal progresses toward execution, cybersecurity activities should focus on remediating the cyber risks identified during the pre-deal assessment.

Also during this phase, the deal team’s communication and the M&A data needs increased protection. The individuals participating in a merger and acquisition ranges widely—from executive leadership, to management, to board of directors, to trusted advisors. Our research shows that “humans are still the weakest link” in the cybersecurity of sensitive information and data.

A heightened level of security can be achieved through increased monitoring of the personnel involved in the transaction. These can include a defined communications protocol, agreements for information sharing and protection technologies for deal data (encryption, DLP, VPN, etc.). We recommend performing these essential cybersecurity activities during the transaction phase:

  • Remediation Activities – Address the cyber risks identified during the pre-deal activities.
  • Secure Communications – Work with organizations who can provide an integrated and secure communications infrastructure to ensure confidentiality.
  • Day 1 and Transition Planning – Define set of cybersecurity capabilities for Day 1 and implementation plan for integration of people, processes and technology.

Also during the transaction, both companies need to develop a transition plan for Day 1. This establishes deadlines for cybersecurity capabilities to be integrated into a single operation. A future-state operating model for the newly merged organization should include reporting structures, service catalogs, program governance and other key considerations to ensure normal business operations on Day 1.

Day 1 cybersecurity executes transition plan

In a merger and acquisition, “Day 1” refers to the first day that the two newly merged/acquired companies operate as one organization. Day 1 cybersecurity is about executing the plan and roadmap that was established during the transition plan. The plan addresses integration of security capabilities across people, processes and technology. We recommend performing these essential cybersecurity activities:

Security culture transformation

Begin adoption of the desired security culture with a plan to incorporate talent into lifecycles and metrics.

Process alignment

Align leading security policies, processes, standards, procedures and guidelines across both organizations.

Platform rationalization

Consolidate the critical applications and security solutions for the new enterprise.

View All

The way forward

Our research shows that the security function is largely centralized and its staff “are rarely included when news products, services and processes—all of which involve some sort of cyber risk—are being developed.” Such a silo’ed approach can result in a lack of accountability across the organization and a sense that cybersecurity is not everyone’s responsibility.

Edwin Cisneros

Managing Director, Lead – Energy Cybersecurity


Jeffrey Miers

Managing Director – North America Energy

MORE ON THIS TOPIC


Subscription Center
Stay in the Know with Our Newsletter Stay in the Know with Our Newsletter