📊 CYCLE · Case Study

How does a 70-person E&P close 17 cyber control gaps in 21 days to preserve a sell-side deal?

How a 70-person Calgary E&P closed seventeen cyber control gaps in three weeks to preserve a sell-side transaction with an American buyer, without scrambling and without taking a price adjustment.

Read Online Download PDF

For: Operators sell-side (50-100 people)

Case Study · Operators · 21-Day Cyber Sprint

Twenty-one days.
One deal on the line.

How a 70-person Calgary E&P closed seventeen cyber control gaps in three weeks to preserve a sell-side transaction with an American buyer, without scrambling and without taking a price adjustment.

Composite case study - This is a composite case study drawn from multiple actual Vencer Group engagements with Canadian oil and gas operators of similar profile. Names, specific identifying details, and exact metrics have been altered or generalized to protect client confidentiality. The patterns described, the work delivered, and the outcomes documented are representative of what Vencer has built across 19 years and 30+ M&A transactions in the Canadian energy mid-market.

FOR: Operators · 50–100 people · sell-side cyber diligence under pressure

Quick answer

A 70-person Calgary E&P operator was 21 days from closing a sell-side transaction with an American buyer when the buyer's cyber diligence team surfaced 17 control gaps. The deal was at risk for a price adjustment or a delay. Vencer ran the sprint: 17 gaps closed in three weeks, evidence documented to the buyer's satisfaction, deal closed at original price on schedule. This is what readiness debt costs when it hits a deal timeline - and what experienced execution looks like when there's no time to scramble.

Operator type
Operators
Scale
70 people
Operational reality
Mostly On-Site
Engagement
Project (fixed scope)
01
The Situation

A 70-person E&P, a pending sale, and a cyber finding in late-stage diligence.

70 people. Mostly Montney production with a small Cardium position. A founder-led E&P that had been quietly working a sell-side process with a strategic buyer for nine months. The deal was three weeks from signing when the buyer’s diligence team flagged the cyber posture as a material concern.

The call came in on a Tuesday morning in October. The CFO - we will call her Sarah, though she could have been any of the CFOs we have helped through this exact situation - had received the buyer’s diligence findings late Monday night. The findings ran 47 pages. The cyber section ran 11 of them. The summary at the front was direct: “Current cyber posture would require remediation prior to close, or a material price adjustment to reflect risk.”

Sarah was, in her words, “not having a good morning.” The sale process had been running for nine months. Three other potential buyers had walked over the previous year for unrelated reasons. This buyer was the right strategic fit at the right price. The deal was supposed to sign in three weeks. The cyber finding was the kind of late-stage diligence surprise that either gets fixed fast or kills deals.

Their environment was a textbook Mostly On-Site setup for a 70-person E&P that had grown through one full upcycle: a small server room in their Calgary office, Microsoft 365 for email and documents, a production accounting system running on a local SQL database, a VPN appliance that had been installed in 2019, two field workstations connected to their largest pad, and a part-time IT consultant who came in two days a week. None of it was bad. None of it was current. And the buyer’s technical team had noticed.

The buyer was American, publicly traded, and operating under a parent-company cyber framework that required specific controls before any new entity could be absorbed onto their network. The diligence findings were not opinion. They were a list of seventeen specific controls the buyer’s parent required, of which Sarah’s company met four. The buyer had given them twenty-one days to close the gap or accept a price adjustment Sarah described as “ugly.”

02
The Challenge

Thirteen controls. Twenty-one days. One deal on the line.

The buyer’s list was specific. Looking at it through our experience, the seventeen controls broke down into three groups:

  • Four they already had - they just had not written down. Their existing setup actually met the requirement. Nobody had documented it in a way that satisfied the buyer’s diligence template. This was a paperwork problem masquerading as a cyber problem.
  • Eight they could implement in two to three weeks. Standard baseline controls. Enforced multi-factor authentication across the entire company (the requirement to confirm a sign-in with a code from a phone or app). Documented offboarding. Tightened email phishing protection. A written incident response plan. None of these required new infrastructure - they required focused effort and someone who knew the sequence.
  • Five that needed real technical work. 24/7 monitoring with an actual response capability, not just a dashboard. Backups that were isolated from the production environment so ransomware could not reach them. The 2019 VPN appliance replaced with something current. Network segmentation between the office systems and the field workstations. Privileged access management for the small number of accounts with top-level administrator rights.

Sarah’s actual question to us, on the Tuesday call, was: “Can you do this in twenty-one days without making things worse than they already are?” She was right to ask. Cyber work done in a panic, by the wrong firm, often produces a worse outcome than the original gap - because the panic-driven implementation introduces its own gaps that show up in the next audit.

Why this matters
The cyber wall arrives whether you are ready or not.

The Canadian Centre for Cyber Security’s 2025–2027 outlook is explicit that mid-market operators in the 50 to 100 person range are the target population for both opportunistic ransomware groups and for the cyber requirements that publicly-traded acquirers now impose. The wall is real on both sides - the threat side and the transaction side.

For operators in a sell-side process, the cost of failing late-stage cyber diligence is rarely measured in remediation expense. It is measured in deal value adjustment. A 3% to 7% price reduction for “cyber risk” on a $200M transaction is $6M to $14M - against a typical remediation cost of $300K to $600K CAD for a 70-person operator. The math is dramatic enough that even the most cost-conscious operators tend to fix the gap rather than absorb the discount, once they realize the gap exists.

03
The Work

Twenty-one days, three workstreams, one calm Tuesday meeting.

We engaged on a Project basis - a fixed-scope, fixed-fee engagement specifically designed for this kind of deadline-driven remediation work. The work split into three parallel streams, each with its own named owner on our side and its own counterpart on the client side.

Stream 1 - the paperwork that already existed (days 1 through 5).

We started here because it was the fastest win. The four controls the company already had in place needed to be documented in language the buyer’s diligence team would accept. We did the documentation work alongside the part-time IT consultant who had originally set up the systems, capturing his knowledge in the process. By Friday of week one, four of the seventeen controls were off the list. The buyer’s team confirmed the documentation by Monday of week two. Sarah told us later that this single batch of paperwork - which took less than a week - was the moment she stopped wondering whether we could pull the whole thing off.

Stream 2 - the eight controls that needed focused effort (days 3 through 14).

The administrative and policy work happened in parallel with Stream 1. Over the second week:

  • We enforced multi-factor authentication across the entire company. All 70 people, no exceptions, including the founder and the field supervisors. Two field crews initially pushed back - the second-factor app felt like one more thing to manage on a job site. We worked with them to set up app-based codes that worked offline, so the field-site experience improved rather than worsened.
  • We wrote the offboarding procedure. A two-page document, signed by Sarah and the HR lead, listing every system someone would need to be removed from when they left. Then we ran the procedure against the active user list and found four accounts that should have been deactivated months earlier - including two former contractors who still had VPN access. Those four findings alone would have been a serious problem in a real cyber assessment, not just a deal diligence.
  • We tightened the email phishing protection beyond the default Microsoft 365 settings. The defaults catch most spam but miss the targeted impersonation attacks that aim at CFOs and field supervisors. Two of those impersonation attempts had been getting through monthly. After the tuning, they stopped reaching inboxes.
  • We wrote a one-page incident response plan. Who gets called first. What gets shut down. Who notifies whom. Signed by the CEO and posted on the inside of the office server-room door, where it could not get lost. Boring work. Critical work.

Stream 3 - the five technical implementations (days 5 through 19).

The technical work needed the most attention because each piece had to be implemented without disrupting the operations that the buyer was about to take over. We sequenced the work so the highest-risk implementations came first, while we still had time to course-correct.

  • We brought in real 24/7 monitoring from our Singapore and Calgary operations - live coverage across time zones, with an actual response capability when something looked wrong, not just a dashboard nobody was watching. SentinelOne for endpoint protection, Proofpoint for email security - both 2025 Gartner Magic Quadrant Leaders. Deployment took six business days from contract to first protected endpoint.
  • We rebuilt the backup setup. Their existing backups ran to a NAS in the same office as the production systems - meaning a ransomware attack on the production systems would reach the backups too. We added immutable cloud backup storage using Veeam (2025 Gartner Leader), which the attacker cannot encrypt even with full administrative access to the environment. The first successful test restore happened on day 11.
  • We replaced the 2019 VPN appliance with current equipment under active warranty. The old appliance had not received a vendor security update in fourteen months. The replacement was deployed over a weekend so nobody noticed the cutover.
  • We added network segmentation between the office systems and the field workstations - meaning a problem on one side could not easily spread to the other. The Google Cloud Cybersecurity Forecast 2026 is explicit that this kind of segmentation prevents most lateral movement during ransomware incidents. Two days of work. High-leverage.
  • We inventoried and tightened the small number of administrator accounts. Eleven accounts had top-level access. Six of those were unnecessary. Two were former employees. After the cleanup, there were three. The buyer’s diligence team specifically called out this finding in their second-pass review as evidence of operational discipline.

The handoff back to diligence (day 21).

On day 21, we produced a 23-page response document covering all seventeen controls, with evidence for each one. The buyer’s diligence team confirmed all seventeen within three business days. The deal signed on its original schedule.

One moment is worth naming. On day 17 - with four days to go - the buyer’s team came back with a new question on one of the technical controls that had not been on the original list. The kind of thing that could have derailed the close if we had been working without margin. Because we had paced the technical work to finish on day 19, we had two days of buffer to handle the new question without scrambling. That buffer was not luck. It was a deliberate decision made in the first week, when Sarah and the CEO both wanted to attack everything in parallel.

04
The Outcome

The deal signed on schedule. Sarah slept Sunday night.

Remediation cost
~$420K
CAD total - against a price adjustment that the buyer had initially suggested would be in the $6M to $14M range if controls were not met by close.
Time to close
21 days
from Tuesday morning to a signed deal, including a two-day buffer used on day 17 when the buyer’s diligence team came back with a new question.
Deal preserved
100%
of the original transaction value. No price adjustment. No deferred close. The buyer’s parent company added the entity to their network in week one post-close.

Before and after.

Before (Monday night)
47-page diligence report. Cyber findings in 11 pages. 17 specific controls required, 4 met. Buyer threatening either remediation in 21 days or price adjustment. 9 months of sell-side process potentially at risk. Sarah, in her words, “not having a good morning.”
After (day 24, post-close)
All 17 controls met and documented. Deal signed at original price. Cyber baseline now substantially above what the buyer required - useful for the new parent company’s ongoing audits. Four former-employee accounts that should not have existed are now closed. The next cyber assessment will be a confirmation, not a discovery.

The moment it mattered.

The moment that mattered most was not the close. It was the Friday of week one, when Sarah saw the buyer’s diligence team confirm the first four controls. Up to that point, she had been operating on hope. After that confirmation, she had evidence that the timeline was real and that the work was being done to the right standard.

The CEO told us later that the most valuable thing about the engagement had not been the technical work itself - though the technical work was necessary. It was that Sarah had been able to walk into the Tuesday board meeting of week two with a written status update, named owners on every workstream, and a credible plan to close. The board stopped asking whether the deal would close and started asking what comes next. That shift, more than the controls themselves, was what made the next eighteen days bearable.

What this generalizes to
The cyber wall is real on both sides - threat and transaction.

The 12 baseline controls covered in Chapter 6 of The Operating System are not just defensive measures against ransomware. They are increasingly the criteria that acquirers, insurers, and large counterparties use to evaluate whether an operator is operationally ready to do business with. For Canadian operators in the 50 to 100 person range, falling below the baseline now creates a price-discovery problem in every commercial conversation that involves a sophisticated counterparty.

The 21-day timeline in this case study is achievable, but it is the wrong way to do the work. Doing the same controls in a planned 6 to 9 month program, at $80 oil, with the team available to run alongside operations, typically costs the same money and produces a meaningfully stronger result. The operators who win on cyber are the ones who treat it as an investment in their next renewal, their next audit, or their next sell-side process - not as a panic response when one of those moments arrives.

Next step

Does this story sound familiar?

The pattern in this case study has played out across dozens of Canadian oil and gas companies in the 10 to 100 person range. If you recognize parts of it in your own operation - or you suspect you might - the next step is a structured conversation with a Vencer engineer.

The IT-and-the-Cycle Assessment is a 3 to 5 day structured review of your specific operational situation. We pressure-test where your IT stands today, where it needs to be for what you intend to become, and what one bad day looks like at current state. You leave with a written report, a 90-day plan, and named owners. No hype. No vendor pitch. Just the truth about where you are and what to do next.

For a faster diagnostic, three free tools at vencergroup.com cover the same territory in less time: the Hidden IT Cost Calculator (12 minutes, quantifies your IT cost burden across three price-cycle scenarios), the Cyber Risk Self-Score (5 minutes, scores your cyber baseline against 12 critical controls), and the IT Myth-Buster sheet (the seven objections you’ll hear from inside your own company and how to think about them).

Vencer operates from Calgary headquarters with delivery teams across four continents. For Canadian-headquartered operators with international exposure - whether that means US basin extension, international service contracts, cross-border M&A, or international counterparties with their own cyber and audit requirements - the cross-border operational capability is built in, not bolted on.

In Business
19 years
Through two oil and gas cycle turns. Calgary-headquartered. Built for the Canadian energy mid-market.
M&A Transactions
30+ deals
IT integration delivered on 30+ acquisitions representing over $12B CAD in transaction value.
Managed Security
Zero breaches
Across 11 years of managed security operations. Four continents of delivery.
Office
700 4 Ave SW #1680
Calgary, AB T2P 3J4
Phone · Email
+1 (888) 271-6230
insights@vencergroup.com
Web
vencergroup.com
Their story. Not yours.

One operator's outcome. Your situation has different variables. These numbers are real; the applicability to your operation requires conversation. The 30-min review is where that starts.

→ Book the 30-min review
Download PDF

Next Step

Take it from here - three ways.

Self-Score · 2 min

Cyber Risk Self-Score

Where your posture stands against the 12 controls.

Take it →

eBook · PDF

The Twelve Controls

Cyber posture that survives renewal.

Read it →

30-Min Review

Talk to a sitting CIO about renewal.

Schedule a call. No pitch, no proposal. Wherever and whenever it works for you.

Book the call →
More from the CYCLE pillar
View all CYCLE articles →