European companies are increasing how much they spend on data protection and security for M&A transactions, and more than 40 per cent of survey participants are expecting higher levels of investment in data protection and security over the next 12 months.
The survey results shouldn’t come as much of a surprise—after all, for companies that engage in financial transactions or mergers, the fallout from a data breach can be particularly severe as damages or a failed transaction can easily cost participating parties tens of millions of euros.
“M&A deals typically involve a high volume of sensitive documents, large transaction amounts and multiple players with different, and sometimes competing, interests,” says Jan Hoffmeister, data security expert and managing director of Drooms, an EU-based secure cloud services firm. “All those parties must gain access to potentially sensitive documents in order to conduct their due diligence before the M&A transaction can be closed.”
The fallout from a data breach can be particularly severe as damages or a failed transaction can easily cost participating parties tens of millions of euros
With one data breach after another making headlines – for example, the United States government’s NSA spying affair, Dropbox’s millions of leaked user passwords and Apple’s iCloud celebrity photo hack, just to name a few – companies that wish to keep M&A transaction information and documents confidential face continued challenges.
Here are several points companies generally should consider when searching for a secure, server-based provider:
- What security guarantees, if any, does the provider offer?
- Is the provider a US-based company or a subsidiary of one? If it is, then keep in mind that your data is potentially accessible to US government agencies through the Patriot Act
- Does the provider rely on third-party applications, such as browser plug-ins, Java or pdf viewers to deliver its service? Note that such applications are currently the subject of a number of security concerns.
Additionally, the involved parties should think about the following features when setting up a virtual data room in particular:
- Access to documents or the data room in general should be granted via a tool that allows granular setting of permissions
- Enable a “view-only” option to prevent users from being able to print, copy or save files
- The level of security should be able to be adjusted according to the seller’s requirements, for example use of a two-step authentication process or customised password policies
- The provider should have its servers located in certified data centres in Europe.
In our view, data security and privacy will become increasingly important in a world where data breaches are happening more often, and every business should educate itself to help ensure its data is fully secure even when not participating in a transaction.
Data protection for M&A deals is a serious matter for which professional tools should be used. Investing in the right technology infrastructure is a must and, when the overall cost of a transaction is taken into consideration, a small investment.
 Press release, M&A Transaction Survey: Data Protection In Europe Is Often Inadequate, Drooms, October 14, 2014, https://www.drooms.com/en/news/959-ma-transaction-survey-data-protection-europe-often-inadequate