Cyber risks for M&A transactions in the energy sector

The energy industry has been increasingly exposed to cyber risks in recent years. The ongoing digitalisation of the energy industry is unlikely to reverse this trend. It will therefore be essential to have a strategy for dealing with these risks and to ensure that the parties involved succeed in effectively securing their infrastructures against external attacks. Especially in corporate transactions in the energy sector, the protection of assets against such cyber risks will take on a significant role. This applies in particular to the area of renewable energies such as wind farms. Purchasers must check which actual risks exist and how these can be sensibly addressed or mitigated.   

Actual risks

Wind farms are complex, networked systems that can (also) be accessed remotely in many cases - be it for maintenance or control of the system. For this purpose, systems such as CMS, SCADA or park control are used, which for the most part automatically take over the control of the entire park, as this is usually much more efficient than controlling individual wind turbines. As with any IT system, however, such a wind farm cannot only potentially be accessed remotely, but also physically via terminals or interfaces. The attack can take place externally via the penetration of vulnerabilities in the network, physical protection or internally via social engineering. In the event of a possible attack on a wind farm, various damage scenarios are conceivable, ranging from the need to completely disconnect the wind farm from the (power) grid, the impairment of the grid, to physical damage to the turbine itself or intrusion into the operator’s network via a poorly protected wind farm. Particularly in the case of dislocated but networked plants or off-shore plants, any required interventions directly at the plant by the operator are then associated with considerable effort and expense. 

Legal risks

Legally, an operator of a wind farm is liable for any damage that may arise from a cyber-attack, especially if there are legal obligations to secure its facility and the operator fails to comply with them - for example, as an operator of critical infrastructures pursuant to Section 8a German Act on the Federal Office for Information Security (BSIG). Depending on the damage scenario, a cyber-attack can also affect personal data, such as that of employees who perform maintenance and control of the facilities or personal data stored on connected IT systems. In this context, particular attention should be paid to the fact that the unavailability of data, for example due to encryption Trojan horses or the deletion of data, also constitutes a breach of the protection of personal data under the General Data Protection Regulation. In the context of an asset or share deal, the seller may be liable if the wind farm does not meet the legal requirements for cyber and IT security. The risk does not necessarily have to materialise; the defect may already lie in the fact that the mandatory IT security requirements are not met. If these breaches of duty are then also the cause of damage to the turbines or the grid, the seller may also be liable in this case.   

Contractual regulations might not be sufficient

Contractual provisions in the company purchase agreement may not be able to address fully the risks for the buyer. In addition, in the case of cyber attacks, it may not be possible to determine afterwards whether a breach of the cyber and IT security requirements is actually the underlying cause of the damage caused by the cyber-attack. The provisions for a contractual arrangement must therefore cover various areas, both in the field of compliance and cyber and IT security as well as data protection. From the seller’s point of view, attention must be paid to whether liability limitations may be ineffective where supposedly covered risks are subject to mandatory statutory liabilities or are subject to broad warranty declarations. From the purchaser’s point of view, in addition to the contractual hedging of risks, thorough due diligence might be an option as well. By way of conducting such due diligence, the buyer examines the actual state of cyber and IT security as well as the compliance of the target company in more detail. In addition to policies and guidelines as well as relevant contracts, for example with maintenance service providers, the IT systems used for control and billing as well as maintenance should also be in scope of a technical review, concerning their up-to-dateness and ability to be updated. Furthermore, the security concept must also adequately address the physical access restrictions to the relevant systems.