One of the foremost threats companies face today is that posed by cybercriminals, and the unique vulnerabilities of companies in the oil and gas sector create heightened cybersecurity risks for those pursuing transactions in the sector. A 2019 study by KPMG found that oil and gas chief executives rank cybersecurity as the largest threat to their organizations’ growth. More than half of the CEOs in the sector polled said believe that their organization will at some point fall victim to a cyberattack.
While recognition is growing that cybersecurity is a key risk factor in mergers and acquisitions generally, executives and directors contemplating an acquisition in the oil and gas sector need to be aware of the unique cybersecurity challenges within the industry in order to properly assess transaction risks and value target companies.
As in other industries, companies in the oil and gas sector face the prospect of paralyzing ransomware, data breaches, and intellectual property theft, common risks that are all too familiar to executives today. Yet, cybersecurity risks are magnified in the oil and gas industry for a number of reasons.
Unlike in the power and nuclear sectors, federal regulators do not require companies in the oil and gas sector to adhere to baseline cybersecurity standards. Despite efforts by industry leaders to develop their own best practices and standards, companies in the sector sometimes lag behind other industries in their response to digital threats. And because oil and gas companies are not required to report when hackers infiltrate their systems, visibility is limited into the volume of attacks and performance of existing cybersecurity controls.
The scale of oil and gas operations also complicates the job of defending against hackers. Sprawling networks of computers, automated controls, and sensors mean a multitude of access points for attackers. Moreover, the equipment and software used to run these networks is often decades old and lacking modern security features. Seemingly straightforward upgrades can cost millions of dollars and halt operations for days.
Midstream and other oil and gas companies that own and operate critical infrastructure are particularly alluring targets for sophisticated hackers, including state actors and cyberterrorists. Increasingly, these actors seek to infiltrate and manipulate operational controls, raising the specter that malicious hackers could disrupt systems in a key industry or cause a catastrophe such as a spill or an explosion.
Failing to appreciate and account for these unique risk factors during the due diligence process can haunt acquirers of oil and gas companies. Where target companies fail to invest in effective cybersecurity controls and protect the proprietary extraction, processing, and delivery technologies and processes that provide them with competitive advantages, acquiring companies risk watching the value of their purchase erode. Worse yet, compromised systems at the target company could, when merged with the acquiring company’s network, permit hackers to circumvent the acquiring company’s own cyberdefenses and spread the breach.
Similarly, acquiring companies can emerge from the transaction to find that they have significant unexpected capital costs and potential exposure—outdated digital infrastructure in need of repair, the prospect of production disruptions, and vulnerabilities that could lead to a spill, worker injuries, or an explosion. These hidden costs could significantly reduce the value of the transaction.