European companies are increasing how much they spend on data protection and security for M&A transactions, and more than 40 per cent of survey participants are expecting higher levels of investment in data protection and security over the next 12 months.[1]
The survey results shouldn’t come as much of a surprise—after all, for companies that engage in financial transactions or mergers, the fallout from a data breach can be particularly severe as damages or a failed transaction can easily cost participating parties tens of millions of euros.
“M&A deals typically involve a high volume of sensitive documents, large transaction amounts and multiple players with different, and sometimes competing, interests,” says Jan Hoffmeister, data security expert and managing director of Drooms, an EU-based secure cloud services firm. “All those parties must gain access to potentially sensitive documents in order to conduct their due diligence before the M&A transaction can be closed.”
The fallout from a data breach can be particularly severe as damages or a failed transaction can easily cost participating parties tens of millions of euros
With one data breach after another making headlines – for example, the United States government’s NSA spying affair, Dropbox’s millions of leaked user passwords and Apple’s iCloud celebrity photo hack, just to name a few – companies that wish to keep M&A transaction information and documents confidential face continued challenges.
Here are several points companies generally should consider when searching for a secure, server-based provider:
- What security guarantees, if any, does the provider offer?
- Is the provider a US-based company or a subsidiary of one? If it is, then keep in mind that your data is potentially accessible to US government agencies through the Patriot Act
- Does the provider rely on third-party applications, such as browser plug-ins, Java or pdf viewers to deliver its service? Note that such applications are currently the subject of a number of security concerns.
Additionally, the involved parties should think about the following features when setting up a virtual data room in particular:
- Access to documents or the data room in general should be granted via a tool that allows granular setting of permissions
- Enable a “view-only” option to prevent users from being able to print, copy or save files
- The level of security should be able to be adjusted according to the seller’s requirements, for example use of a two-step authentication process or customised password policies
- The provider should have its servers located in certified data centres in Europe.
In our view, data security and privacy will become increasingly important in a world where data breaches are happening more often, and every business should educate itself to help ensure its data is fully secure even when not participating in a transaction.
Data protection for M&A deals is a serious matter for which professional tools should be used. Investing in the right technology infrastructure is a must and, when the overall cost of a transaction is taken into consideration, a small investment.
[1] Press release, M&A Transaction Survey: Data Protection In Europe Is Often Inadequate, Drooms, October 14, 2014, https://www.drooms.com/en/news/959-ma-transaction-survey-data-protection-europe-often-inadequate
