“Carpe Diem”: Oilfield Services Companies Eye the IPO Market

 

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Steve Hobbs, Managing Director
Public Company Transformation

 

Despite the recent downward trend in oil prices, the oil and gas industry overall is feeling optimistic, as evidenced by increased rig counts and production levels. Both are signs that the industry is on the rebound after a downturn that has persisted for well over two years. Renewed confidence and optimism about future growth have many companies in the sector thinking about pursuing an initial public offering (IPO). Among them: fast-growing and capital-hungry oilfield services providers.

These service businesses play an important role in supporting the oil and gas industry. They provide innovative technology, manufacturing of critical equipment, and services that allow oil and gas companies to enhance their existing infrastructure and processes so they can produce more at less cost.

The recent volatility in the oil and gas market hit oilfield services providers hard. In 2015 and 2016, many were burdened with significant debt and selling their services at a discount just to survive; several companies ended up filing for bankruptcy.

Now, less than a year after that dark period, oilfield services providers are driving IPO activity in the energy sector — outpacing exploration and production companies. Many of these private equity-backed companies have been waiting for conditions in the industry and capital markets to improve so they can execute an IPO as their forward strategy. Others are looking to an IPO as a way to raise much needed capital fast, to fuel growth and innovation.

What many oilfield services providers learn in exploring the IPO idea is that they simply aren’t prepared to make the leap. One reason is that these firms lack maturity in their business processes, and have limited alignment with GAAP accounting and insufficient infrastructure and personnel to support expansion. They are, essentially, startups. And like any startup or other fast-growing private company in any other sector, oilfield services providers must achieve a certain level of “readiness” before attempting to go public.

These firms are also at risk of making a mistake common among other businesses with IPO aspirations: underestimating the amount of time and personnel required to address the demands of a public company transformation. These pre-public companies must address six primary infrastructure elements on their journey to IPO readiness, including:

  • Corporate policies: These include governance, financial reporting and company policies, such as human resource and marketing policies. Like most startups, oilfield services providers are so focused on delivering their technology and services and trying to grow their market that they don’t spend enough time on essential back-office infrastructure for the business, such as creating formal policies. Structure and documentation are needed not only for compliance purposes, but also to help the company communicate to everyone, from investors to current employees and potential hires, how it operates, what its values are, and more — a basic expectation from an IPO candidate.
  • Corporate processes: Financial reporting processes are just one example of corporate processes that many oilfield services providers will need to upgrade substantially and standardize before going public. For instance, documentation about business agreements is likely inadequate because of the informality with which these service companies often approach deals — confirming terms with perhaps little more than a handshake. So, firms preparing to go public need to start moving now to formalize their agreements with business partners and create an appropriate paper trail. Many accounting and financial planning and analysis forecasting processes will also need to be augmented and automated because manual practices are error-prone and time-consuming.
  • People and organization: Any company that wants to go public needs a well-structured and experienced leadership team. The IPO process places huge demands on senior executives — especially the CEO and CFO, who will need to spend much of their time on the road meeting with analysts and potential investors. Once the IPO ball starts rolling, these executives won’t be able to focus much on everyday business needs. There needs to be a strong team in place, especially in the accounting/finance organization, to help guide the company in their absence, address external auditor considerations, and meet SEC filing deadlines on time.
  • Systems and data: Pre-IPO companies frequently report that their IT departments are a major area of focus during their readiness effort. IT general controls that pertain to Sarbanes-Oxley Act compliance and data security and privacy strategies and policies are just two key areas within IT that oilfield services providers will need to pay special attention to as they lay the groundwork for a public offering. A critical risk within the realm of IT system compliance is addressing the organization’s lack of segregation of duties (SoD) and the need for comprehensive monitoring of access for all critical business IT systems. It’s imperative for management to be directly involved in the SoD design process to clearly shape the roles and duties of personnel within the company prior to an IPO. Data security and privacy can be particularly wide in scope, including everything from cybersecurity policies to business continuity management planning.
  • Management reports (e.g., on internal control over financial reporting) and methodologies (e.g., for the offering price, for financial controls, significant accounting estimates) round out the six primary elements. Oilfield services providers must ensure they have them covered — and implement a sustainable infrastructure and strong organizational capabilities as well — before pursuing an IPO.

Addressing all the above is a complex and resource-intensive endeavor, and likely will require expert assistance on many fronts. This fact is not to dissuade oilfield services companies from seizing opportunities in the current oil and gas market.  But seizing the opportunity is one thing; managing the newly public company in the weeks and months following the IPO in a manner that is consistent with the expectations of regulators and shareholders and the company’s own executives’ vision is quite another. At issue here is sustaining confidence with regulators and shareholders. According to our experience across a wide variety of sectors, covering the six elements of infrastructure above in a thoughtful, proactive manner is a vital process in moving to the next stage successfully.

Cyber Vulnerabilities of Energy Companies’ Control Systems Can Be Addressed Safely and Successfully

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and

Michael Porier, Managing Director
Technology Consulting – Security and Privacy

 

The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.

A recent survey of more than 300 oil and gas companies found:

  • More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
  • Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
  • Only one-third of companies report that OT and IT are fully aligned in their organizations
  • Just 35 percent rate their readiness to address cyber threats as high
  • Close to half of all attacks on OT are going undetected

These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live ports that lack deterrents, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization.

Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects to broad geographic regions affecting multitudes of people.

More and more ICS/SCADA technologies allow for the capability to connect (via IP) to the broader corporate network infrastructure. While this provides for certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when the previously isolated OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.

Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.

The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:

  • Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
  • Performing security evaluations in a test, rather than production, environment
  • Collaboration with both engineering and IT security personnel to define the scope of the review engagement
  • Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
  • Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing

Working within these parameters, the end goal of testing the security control environment of the ICS/SCADA environments should achieve the following:

  • Evaluate the key security risks prevalent in the ICS/SCADA network architecture
  • Identify the network vulnerabilities and test the connectivity to the enterprise network
  • Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure

Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security.  Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice to preserving the integrity of any critical system.