This paper presents a cybersecurity risk assessment guide for mergers and acquisitions (M&A) in the oil and gas industry. The mechanisms used for assessing cyber risk are technology neutral and developed around an organization's security culture, information systems, and operating infrastructure as they apply to the M&A process. Assessing a security infrastructure includes any connections between information technology and operational technology systems. Security considerations relating to the integration of acquired operating and information system assets are also factored into the approach. For mergers, we present six open-ended questions that are linked to specific cybersecurity functions and corresponding domains. Each domain includes industry best practices for acquirers to understand the relative maturity of a target company's cybersecurity program. Asset acquisitions require a less-comprehensive approach that focuses on four relevant areas of risk. The assessment presented in this paper can be used by companies operating across the oil and gas supply chain.