NOJV Cyber Security
For many companies supporting the current Energy Transition, a Non-Operated Joint Venture (NOJV) can offer several benefits, especially in industries like Oil & Gas and Energy. However, it’s also important to note that these major companies have been creating NOJVs for decades. Those NOJVs and their subsequent Shareholder Agreements (SHA) were created long before cyber security was considered a risk.
The result: billions of dollars of capital invested in companies with no legal requirement to their shareholders to have a formal approach to identifying, addressing, managing and reporting cyber risk. Don’t worry though, Third Party Cyber Security (TPCS) have you covered.
But before we touch on this again, let’s just familiarise ourselves with why companies set up NOJVs. The most obvious benefit is Risk Sharing: NOJVs allow companies to share the financial and operational risks associated with these large projects. This can be particularly beneficial when working in sectors where Health, Safety, Security and Environmental issues can occur. But what else?
Resource Sharing: Partners in an NOJV can share their resources, such as capital, technology, and expertise, which can lead to more efficient and effective project execution.
Focus on what they are good at: Non-operators can focus on their core business activities while still benefiting from the joint venture. They do not need to manage the day-to-day operations, which can save time and resources.
Access to New Markets: NOJVs can provide access to new markets and opportunities that might be difficult to enter independently. This can be useful for expanding into different operating theatres and countries.
Limited Liability: Non-operators typically have limited liability in the joint venture, meaning they are not fully responsible for the operational risks and liabilities. This is one to note when thinking about cyber security; we will cover it later.
Influence Without Daily Management: While non-operators do not manage daily operations, they can still influence major decisions and ensure that the venture aligns with their strategic goals. For example, this can be achieved by having a seat on the board or having dedicated asset managers to provide support to the venture.
So now that you know a little bit about the benefits of an NOJV, we can start to think about the challenges and opportunities presented in securing an NOJV from cyber threats. Let’s face it, they present unique cybersecurity challenges, but where there are challenges, there lies opportunity.
Cybersecurity Challenges in NOJVs:
Data Sharing and Integration: NOJVs require extensive data sharing between partners, which can increase the risk of data breaches. Ensuring secure data integration and transmission is crucial to protect sensitive information and maintain trust among partners.
Diverse IT Environments: Each partner in an NOJV may have different IT systems and cybersecurity protocols. This diversity can create vulnerabilities if not properly managed, as inconsistent security measures can be exploited by cyber attackers.
Third-Party Supplier Risks: NOJVs often involve multiple third-party suppliers and contractors. Each additional party introduces potential security risks, making it essential to assess and manage supplier cyber security carefully.
Regulatory Compliance: Different partners may be subject to various regulatory requirements, depending on their location and industry. Ensuring compliance with all relevant regulations can be complex but is necessary to avoid legal and financial penalties.
So where are we? Well, we now know that creating and partnering in an NOJV has huge benefits. But we also know that because of the unique nature of an NOJV we have significant cyber risks to manage.
So what to do?
I guess that can be broken down into two main areas.
New NOJVs and existing NOJVs.
For new ventures, the most obvious action to take is to build clear and concise cyber security clauses into the Shareholder Agreement. This means that from day one, the company is required to manage cyber security in line with its legal obligations. It must ensure that technology is secured appropriately, employees are well trained in cyber risk and reporting, and that documented processes support the ongoing governance of cyber risk. The most cost-effective way to do this is to build an Information Security Management System (ISMS). This should be based on industry-standard approaches to Information and Cyber risk, such as ISO 27001.
For existing ventures, the problem is slightly more opaque. These ventures may not have any legal requirements to report cyber risk posture back to shareholders. They may not even have a requirement to comply with cyber security best practice and may rely on best efforts only.
What can partners do in this situation? Well, we have already learned that because of the need to limit legal liability, partner companies cannot get involved in the day-to-day running of ventures. This means the ventures themselves need to understand and manage their own cyber risk. That is where the TPCS Cyber Red Flag Assessment comes into its own. This service is dedicated to highlighting the most critical cyber threats an NOJV has, with recommendations given as to how to manage and remediate these ongoing risks. The service looks at both external and internal threats to an NOJV and benchmarks its cyber posture against industry standards. If you want to know more then contact the team.
In the meantime, here are 5 top tips to help keep your NOJV operations cyber safe.
Cyber Security Policies: Establishing a unified set of cybersecurity policies and procedures that all partners must adhere to can help mitigate risks. This includes standardised protocols for data sharing, access controls, and incident response.
Regular Security Testing: Conducting regular security audits and assessments can identify vulnerabilities and ensure that all partners maintain robust cybersecurity measures. These audits should include penetration testing and compliance checks.
Employee Training and Awareness: Cybersecurity is not just a technical issue but also a human one. Providing regular training and awareness programs for all employees involved in the NOJV can help prevent phishing attacks and other social engineering tactics.
Advanced Threat Detection and Response: Implementing advanced threat detection and response systems can help identify and mitigate cyber threats in real time. This includes using artificial intelligence and machine learning to detect anomalies and potential attacks.
Incident Response Planning: Developing a comprehensive incident response plan that outlines the steps to be taken in the event of a cyber attack is crucial. This plan should be regularly updated and tested to ensure its effectiveness.
Overall Thoughts
Cybersecurity in NOJVs is a complex but essential aspect of modern business operations. By understanding the unique challenges and implementing best practices, companies can protect their sensitive information, maintain regulatory compliance, and ensure the success of their joint ventures. As cyber threats continue to evolve, staying vigilant and proactive in cybersecurity efforts will be key to safeguarding NOJVs against potential risks. TPCS are experts in securing NOJV operations and are here to help.