There is a 29.6%[1] likelihood of a security breach at your joint venture (JV), with the FBI reporting a 300%[2] increase in cybercrime since the pandemic started. Cybersecurity is no longer optional; it is a necessity.
Yet cybersecurity risk is often overlooked or deprioritized by large companies when establishing a JV, in favor of a traditional focus on the potential for strategic and revenue growth, access to new markets, cost sharing for large capital investments, and the like. With JVs now commanding a sizeable market share in key industries like oil and gas, renewable energy, chemicals, manufacturing, healthcare and pharmaceuticals – and with the increased push for digital capabilities and for virtual workspaces in the pandemic eras – companies can no longer afford to ignore reliability and security against cyber-attacks in their JV portfolio.
Meanwhile, cyber-attacks are no longer limited to stealing data and intellectual property, but instead wreak havoc across large-scale facilities like those held in many JVs. A sample of recent attacks include:
- Major sections of the power grid in Ukraine were shut down in 2016 and 2017 by cybercriminals[3]
- In 2017, hackers shut down monitoring systems for oil and gas pipelines across US[4]
- In a 2018 attack, the safety controls of a Saudi Arabian petrochemical plan were targeted to cause failure and an explosion[5]
- In 2020, a German healthcare network outage due to cyber-attack led to the death of a patient[6]
Cyber Threats To Joint Ventures
Compounding the lack of attention on JV cybersecurity is the reality that JVs might face greater inherent cybersecurity risks than wholly owned companies for several reasons:
- Multiple parent companies: JVs have multiple parent companies, each with their own security policies and procedures. Given the need to develop an operating model and information sharing practices in the JV that work with all parent companies, there is often a patchwork of security measures spread across different data networks with limited integrated protection.
- JVs with government-controlled entity: Many large JVs in the natural resources sector have a state-owned partner, and such organizations are under constant threat and attack. In the last few years, JVs with state-owned stakeholders have been targeted not only to compromise sensitive data but to cause national unrest by stopping production, destroying files, and damaging equipment.
- JVs with local partners in emerging markets: Large companies have more capital, more urgency around cybersecurity, and more information to protect. Smaller local partners with less stringent compliance requirements do not have the same resources and often have security vulnerabilities that can be exploited to damage the systems of all companies involved in the JV.
- Absence of CISO: Most JVs do not have a dedicated Chief Information Security Officer (CISO) to define and ensure the JV’s security strategy, policies and processes align with the business risks, local compliance requirements and parent company policies
- Limited board discussion: 67% of boards have not discussed cyber insurance, 60% have not discussed engaging an outside expert and only 20% of boards have discussed a cybersecurity framework[7]. In a majority of JVs, cyber threat intelligence reports and periodic risk evaluations are rarely if ever discussed in board meetings despite the board’s mandate to manage JV risks, which includes cyber risks. Given the materiality and possible consequences of cyber-attacks, it should be a set agenda item
- Disconnect between Executives and IT department: When surveyed, 60% of senior Executives believe their systems are very safe or completely safe from cyber-attacks, while only 29%[8] of IT professionals share that point of view. This misalignment is further compounded in a JV where IT services may be provided by one parent with the other parent companies having no information on the security practices and thus be lulled into a false sense of security.
- Lack of mention in legal agreements and audits: When reviewing JV legal agreements across regions and industries, there is limited (if any) reference to cybersecurity related terms. Because of this, the Board and JV management team may not feel a specific obligation to adhere to regular cybersecurity audits and reporting – and individual shareholders may not be able to unilaterally drive such behavior if the other shareholders do not feel the same sense of urgency.
Why This Matters To Parent Companies
Large parent companies generally have advanced firewalls, security practices and dedicated teams to respond to threats and handle malicious threats to their own business, while JVs often lack the same focus on cybersecurity.
This does not mean, however, that parent companies are fully insulated from cybersecurity risk exposure via their JVs. On the contrary, when JVs are breached, they act like a trojan horse introducing parent companies to many of the same impacts that they believed were mitigated by their own internal cybersecurity efforts, including:
- Theft of parent company intellectual property
- Harm to parent company brand value and reputation
- Diminished trust from clients and partners
- Drop in parent company stock price
- Business downtime and losses
- Fines for noncompliance with data-privacy regulations
- Costs to remediate the damage caused
Case Study: Oil and Gas Joint Ventures
The oil and gas industry is adopting and expanding the use of digital technologies to optimize production, manufacturing, distribution and supply chain activities. This has revolutionized the industry by improving productivity while simultaneously reducing costs. But it has also exposed the oil and gas industry to additional dangerous and malicious cyber-attacks (Exhibit 1).
All oil and gas assets – including JVs – face cyber threats that stem from:
- Aging and outdated control systems in facilities
- Insufficient levels of separation between industrial and IT networks
- Unclear cyber security policies and procedures
- Limited training and awareness amongst employees
Exhibit 1: Oil and Gas Case Study
Is Your Joint Venture Cyber Secure?
JV Directors and management team members should be regularly asking themselves the following 10 key questions on cybersecurity in their JV:
- Do we understand our cybersecurity threats and risks?
- Are our partners aligned on our cybersecurity strategy?
- Do we talk about cybersecurity during board meetings or steering committees?
- Do we have policies, processes or standards in place to minimize cyber risk?
- Do we know how to respond in case of a cyber-attack?
- Do we have a process in place to prevent a cyber-attack from impacting parent companies?
- Do we have a CISO or someone accountable and in charge for cybersecurity?
- Do we have a designated and trained information security expert on staff or a third-party trusted information security provider?
- Are we regularly evaluating potentials threats and monitoring our network?
- Are our employees appropriately trained on cybersecurity risks?
If the answer to any of the above questions is no, it is time to take action to protect your JV, employees, clients, business and parent companies. By having cybersecurity policies and processes in place, you can rest easy knowing you are taking critical measures to protect your joint ventures.
[1] IBM Security: Cost of a Data Breach Report – 2019
[2] TheHill: https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic
[3] BBC: https://www.bbc.com/news/technology-38573074
[4] New York Times: https://www.nytimes.com/2018/04/04/business/energy-environment/pipeline-cyberattack.html
[5] New York Times: https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
[6] New York Times: https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html
[7] Navigating The Digital Age: The Definitive Cybersecurity Guide For Directors and Officers
[8] AT&T Business: https://www.business.att.com/learn/cybersecurity-report-volume-8.html
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
