Partnership Portfolios

Cybersecurity: Joint Ventures are the Trojan Horse

Protect your joint ventures, employees, clients, business and parent companies from cyber attacks.

March 2021 THERE IS A 29.6%[1]IBM Security: Cost of a Data Breach Report – 2019 likelihood of a security breach at your joint venture (JV), with the FBI reporting a 300%[2]TheHill: increase in cybercrime since the pandemic started. Cybersecurity is no longer optional; it is a necessity.

Yet cybersecurity risk is often overlooked or deprioritized by large companies when establishing a JV, in favor of a traditional focus on the potential for strategic and revenue growth, access to new markets, cost sharing for large capital investments, and the like. With JVs now commanding a sizeable market share in key industries like oil and gas, renewable energy, chemicals, manufacturing, healthcare and pharmaceuticals – and with the increased push for digital capabilities and for virtual workspaces in the pandemic eras – companies can no longer afford to ignore reliability and security against cyber-attacks in their JV portfolio.


Enter your information to view the rest of this post.

"*" indicates required fields

Communication Preferences

Meanwhile, cyber attacks are no longer limited to stealing data and intellectual property, but instead wreak havoc across large-scale facilities like those held in many JVs. A sample of recent attacks include:

  • Major sections of the power grid in Ukraine were shut down in 2016 and 2017 by cybercriminals[1]BBC:
  • In 2017, hackers shut down monitoring systems for oil and gas pipelines across US[2]New York Times:
  • In a 2018 attack, the safety controls of a Saudi Arabian petrochemical plan were targeted to cause failure and an explosion[3]New York Times:
  • In 2020, a German healthcare outage due to cyber-attack led to the death of a patient[4]New York Times:

Cyber Threats To Joint Ventures

Compounding the lack of attention on JV cybersecurity is the reality that JVs might face greater inherent cybersecurity risks than wholly owned companies for several reasons:

  • Multiple parent companies: JVs have multiple parent companies, each with their own security policies and procedures. Given the need to develop an operating model and information sharing practices in the JV that work with all parent companies, there is often a patchwork of security measures spread across different data networks with limited integrated protection.
  • JVs with government-controlled entity: Many large JVs in the natural resources sector have a state-owned partner, and such organizations are under constant threat and attack. In the last few years, JVs with state-owned stakeholders have been targeted not only to compromise sensitive data but to cause national unrest by stopping production, destroying files, and damaging equipment.
  • JVs with local partners in emerging markets: Large companies have more capital, more urgency around cybersecurity, and more information to protect. Smaller local partners with less stringent compliance requirements do not have the same resources and often have security vulnerabilities that can be exploited to damage the systems of all companies involved in the JV.
  • Absence of CISO: Most JVs do not have a dedicated Chief Information Security Officer (CISO) to define and ensure the JV’s security strategy, policies and processes align with the business risks, local compliance requirements and parent company policies
  • Limited board discussion: 67% of boards have not discussed cyber insurance, 60% have not discussed engaging an outside expert and only 20% of boards have discussed a cybersecurity framework.[5]New Navigating The Digital Age: The Definitive Cybersecurity Guide For Directors and Officers In a majority of JVs, cyber threat intelligence reports and periodic risk evaluations are rarely if ever discussed in board meetings despite the board’s mandate to manage JV risks, which includes cyber risks. Given the materiality and possible consequences of cyber-attacks, it should be a set agenda item.
  • Disconnect between Executives and IT department: When surveyed, 60% of senior Executives believe their systems are very safe or completely safe from cyber-attacks, while only 29%[6]New York AT&T Business: of IT professionals share that point of view. This misalignment is further compounded in a JV where IT services may be provided by one parent with the other parent companies having no information on the security practices and thus be lulled into a false sense of security.
  • Lack of mention in legal agreements and audits: When reviewing JV legal agreements across regions and industries, there is limited (if any) reference to cybersecurity related terms. Because of this, the Board and JV management team may not feel a specific obligation to adhere to regular cybersecurity audits and reporting – and individual shareholders may not be able to unilaterally drive such behavior if the other shareholders do not feel the same sense of urgency

Why This Matters To Parent Companies

Large parent companies generally have advanced firewalls, security practices and dedicated teams to respond to threats and handle malicious threats to their own business, while JVs often lack the same focus on cybersecurity.

This does not mean, however, that parent companies are fully insulated from cybersecurity risk exposure via their JVs. On the contrary, when JVs are breached, they act like a trojan horse introducing parent companies to many of the same impacts that they believed were mitigated by their own internal cybersecurity efforts, including:

  • Theft of parent company intellectual property
  • Harm to parent company brand value and reputation
  • Diminished trust from clients and partners
  • Drop in parent company stock price
  • Business downtime and losses
  • Fines for noncompliance with data-privacy regulations
  • Costs to remediate the damage caused

Case Study: Oil and Gas Joint Ventures

The oil and gas industry is adopting and expanding the use of digital technologies to optimize production, manufacturing, distribution and supply chain activities. This has revolutionized the industry by improving productivity while simultaneously reducing costs. But it has also exposed this industry to additional dangerous and malicious cyber-attacks (Exhibit 1).

All oil and gas assets – including JVs – face cyber threats that stem from:

  • Aging and outdated control systems in facilities
  • Insufficient levels of separation between industrial and IT networks
  • Unclear cyber security policies and procedures
  • Limited training and awareness amongst employees

Exhibit 1: Oil and Gas Case Study

Ankura Joint Ventures and Partnerships

© Ankura. All Rights Reserved.

Is Your Joint Venture Cyber Secure?

JV Directors and management team members should be regularly asking themselves the following 10 key questions on cybersecurity in their JV:

  1. Do we understand our cybersecurity threats and risks?
  2. Are our partners aligned on our cybersecurity strategy?
  3. Do we talk about cybersecurity during board meetings or steering committees?
  4. Do we have policies, processes or standards in place to minimize cyber risk?
  5. Do we know how to respond in case of a cyber-attack?
  6. Do we have a process in place to prevent a cyber-attack from impacting parent companies?
  7. Do we have a CISO or someone accountable and in charge for cybersecurity?
  8. Do we have a designated and trained information security expert on staff or a third-party trusted information security provider?
  9. Are we regularly evaluating potentials threats and monitoring our network?
  10. Are our employees appropriately trained on cybersecurity risks?

If the answer to any of the above questions is no, it is time to take action to protect your JV, employees, clients, business and parent companies. By having cybersecurity policies and processes in place, you can rest easy knowing you are taking critical measures to protect your joint ventures.


How We Help: Partnership Portfolios

We understand that succeeding in joint ventures and partnerships requires a blend of hard facts and analysis, with an ability to align partners around a common vision and practical solutions that reflect their different interests and constraints. Our team is composed of strategy consultants, transaction attorneys, and investment bankers with significant experience on joint ventures and partnerships – reflecting the unique skillset required to design and evolve these ventures. We also bring an unrivaled database of deal terms and governance practices in joint ventures and partnerships, as well as proprietary standards, which allow us to benchmark transaction structures and existing ventures, and thus better identify and build alignment around gaps and potential solutions. Contact us to learn more about how we can help you.

About the Authors

Saadhika Sivakumar

Saadhika Sivakumar is a Senior Associate at Ankura, where she supports clients and manages the firm’s proprietary databases on joint ventures and partnerships. Leveraging Ankura's proprietary databases, market outlooks and repositories of best practices, Saadhika develops actionable perspectives on joint venture and partnership transactions and governance-related matters across a range of industries.

Ankur Sheth

Ankur Sheth is a Senior Managing Director at Ankura, based in New York. Ankur has been focused on cybersecurity for more than 14 years across a variety of competencies and industries and continues to serve his clients in successfully mitigating potential cyber threats.

Subscribe to the

Joint Venture Alchemist Newsletter

Sign up below to receive the latest joint venture updates from Ankura.

"*" indicates required fields