Cyber Diligence EY Deals Forum 2018 Ian McCaw EY Transaction Advisory Services
Finance & Commercial Diligence: B, Power Life (1 of 3)
COMPANY: Power Life
INDUSTRY: ENERGY
REVENUE: 192m
EBITDA: 875k (35% growth in 5 years)
COMPANY OVERVIEW: Founded in 2004, Power Life is a 3,500 MW power generation portfolio consisting of 15 large-scale wind farms and a new solar farm.
OPERATIONS: Wind farms operate within Norway, Denmark and Sweden, with a new state-of-the-art solar farm in Italy.
DEAL OPPORTUNITY: Potential to be a new green energy supplier augmenting existing fossil-based generation.
MARKET ANALYSIS: Power Life is the market-leading green energy provider in Scandinavia and holds 85% market share.
Finance & Commercial Diligence: A, THUNDER Corporation (1 of 3)
COMPANY: THUNDER CORP
INDUSTRY: ENERGY
REVENUE: 187m
EBITDA: 20m (10% growth in 5 years)
COMPANY OVERVIEW: Founded in 2004, Thunder is a leading oil and gas equipment and service provider specialising in the rental, sale, and service of products used in well construction.
OPERATIONS: Operating across 7 countries within Africa (Algeria, Angola, Cameroon, Egypt, Equatorial Guinea, Libya, Nigeria).
OPPORTUNITY: Platform for regional growth with complementary services and products to core business.
MARKET ANALYSIS: Thunder is the second largest provider within its market, holding 25% total market share.
IT Diligence: B, Power Life (2 of 3)
OVERVIEW: Consolidated ERP system is due to be implemented in 8 months according to management plans; all plant, distribution and metering systems are local; some timesheet and HR systems are SaaS / Cloud provided.
COSTS: Historic IT spend @ 1% of revenues for 2015/2016/2017, with 1.25% forecast for 2018.
GOVERNANCE: IT organisation consists of 12 people. CIO replacement is pending.
DISASTER RECOVERY: Evidence of Disaster Recovery plan, with testing planned along with the ERP consolidation programme.
INCIDENTS: IT outages have not impacted operations (generation or transmission) in the last 12 months, as reported by management.
IT Diligence: A, THUNDER Corporation (2 of 3)
OVERVIEW: Multiple ERP systems running across key operating locations with limited integration. New financial consolidation system implemented in the last 12 months. IT desktop operating system refresh to Windows 8 completed 12 months ago. Outsourced data centres for key IT infrastructure, with HR cloud services.
COSTS: Historic IT spend @ 0.75% of revenues for 2015/2016/2017, with 0.5% forecast for 2018.
GOVERNANCE: IT organisation consists of 12 people.
DISASTER RECOVERY: Evidence of Disaster Recovery plan, with testing performed 3 years ago.
INCIDENTS: IT outages have not impacted operations (generation or transmission) in the last 12 months, as reported by management.
Cyber Diligence: A, THUNDER Corporation (3 of 3)
INDICATORS OF COMPROMISE: No evidence of historic infections in the last 12 months.
EXTERNAL SYSTEMS INFORMATION: Incorrectly configured service could allow a malicious actor to send e-mails representing themselves as Thunder.
CYBER GOVERNANCE: COO & CIO meet to discuss cyber security monthly. Effectiveness of security controls is reported and suppliers are assessed.
DATA REGULATORY: Working towards GDPR compliance; the only PII data stored on Thunder systems relates to its employees.
CYBER CONTROLS AND CAPABILITIES: Thunder uses a VPN firewall with 2-factor authentication between Corporate and ICS (Power Generation) networks. A third party provides managed security services (MSSP).
Cyber Diligence: B, Power Life (3 of 3)
INDICATORS OF COMPROMISE: Conficker and WannaCry Botnet infections were detected between May and November 2017 on Power Life's systems.
EXTERNAL SYSTEMS INFORMATION: Some abnormal ports, such as Telnet, RPC and MySQL, were found to be open to the internet.
CYBER GOVERNANCE: Responsibility of the CFO; this may change when Power Life appoint a CIO. No regular security reporting.
DATA REGULATORY: No gap analysis or plan for GDPR compliance. Power Life stores consumer PII data for marketing within operating regions.
CYBER CONTROLS AND CAPABILITIES: No internal security testing performed for 3 years. Corporate and ICS (Power Generation) networks interconnected, with legacy Windows XP systems. Logging is enabled but not monitored.
What Cyber risks do you see as important?
[Diagram labels] Operating Model Change Programmes BYOD Regional Locations Maintenance HVAC Office Supplies Remote Working Staff Physical Buildings Strategy Consultants BPO Marketing HR Contractors Business Advisors System Integrators Channels to Market Finance Legal Legal Advisors Cloud Customer IT IT Outsource Partner Technology Vendors Software Dev Partners R&D Sales Business Operation Product Supply Component Supply Product Launch Change Programme Joint Ventures TSA Arrangement Divestments Channel Launch Cloud Migration Integration Programme Integrated Acquisitions De-merger Regional Expansion ERP Programme Portfolio Investments Standalone Acquisitions Restructuring Legal Jurisdiction Digital Transformation Interim Mode of Operation Synergies Acquisition Targets Data Compliance IoT Innovation Restructuring Diligence Third-Party Vendors Capital Events (M&A)
Notified Data Breaches By Sector
Number of Breaches by Sector in the first half of 2017
Government: 89
Retail: 112
Hospitality: 19
Financial Services: 125
Healthcare: 228
Industrial: 35
Insurance: 10
Technology: 76
Telecom & Media: 32
Other Industries: 53
Data Source: Gemalto
Cyber Threats across Industries: The Bigger Picture
Industries: Aerospace, Defense & Government Services; Consumer & Retail; Hospitality; Financial Services; Healthcare; Industrial; Insurance; Technology & Business Services; Telecom & Media; Other Industries
Cyber threat focus areas: Big data & PII; Network connected ICS; Multiple outdated IT systems; Complex supply chains; Critical National Infrastructure
Have you had personal information breached?
www.haveibeenpwned.com
What Cyber deal impacts would you want to know?
Is Cyber Security a regular agenda item for the Board? What degree of involvement and oversight is exercised? Does the board receive and act on active Cyber metrics and reporting?
Do you outsource the provision of IT, applications and data? What level of oversight do you have of your key suppliers' Cyber security?
Is your business heavily dependent on IT systems and data to generate profits? What would be the impact of a breach of your key electronic information assets?
Do you know what data regulations apply to your business and the potential impact of non-compliance?
What level of Cyber Security investment has been made in the last 12 months as a percentage of IT spend?
Have you defined a formal Cyber awareness programme that is run on a regular basis?
Do you perform any security or penetration testing to identify Cyber threats and vulnerabilities in the business?
Do you know the Cyber risks and value impacts for your last transaction? Could your fund or business still be impacted?
EY Assurance Tax Transactions Advisory Ernst & Young LLP Ernst & Young LLP. Published in the UK. All Rights Reserved. The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited. Ernst & Young LLP, 1 More London Place, London, SE1 2AF. ey.com