European companies are increasing how much they spend on data protection and security for M&A transactions, and more than 40 per cent of survey participants are expecting higher levels of investment in data protection and security over the next 12 months.[1]
The survey results shouldn’t come as much of a surprise—after all, for companies that engage in financial transactions or mergers, the fallout from a data breach can be particularly severe as damages or a failed transaction can easily cost participating parties tens of millions of euros.
“M&A deals typically involve a high volume of sensitive documents, large transaction amounts and multiple players with different, and sometimes competing, interests,” says Jan Hoffmeister, data security expert and managing director of Drooms, an EU-based secure cloud services firm. “All those parties must gain access to potentially sensitive documents in order to conduct their due diligence before the M&A transaction can be closed.”
With one data breach after another making headlines – for example, the United States government’s NSA spying affair, Dropbox’s millions of leaked user passwords and Apple’s iCloud celebrity photo hack, just to name a few – companies that wish to keep M&A transaction information and documents confidential face continued challenges.
Here are several points companies generally should consider when searching for a secure, server-based provider:
- What security guarantees, if any, does the provider offer?
- Is the provider a US-based company or a subsidiary of one? If it is, then keep in mind that your data is potentially accessible to US government agencies through the Patriot Act.
- Does the provider rely on third-party applications, such as browser plug-ins, Java or PDF viewers, to deliver its service? Note that such applications are currently the subject of a number of security concerns.
Additionally, the involved parties should think about the following features when setting up a virtual data room in particular:
- Access to documents or the data room in general should be granted via a tool that allows granular setting of permissions.
- Enable a “view-only” option to prevent users from being able to print, copy or save files.
- The level of security should be adjustable according to the seller’s requirements, for example through use of a two-step authentication process or customised password policies.
- The provider should have its servers located in certified data centres in Europe.
In our view, data security and privacy will become increasingly important in a world where data breaches are happening more often, and every business should educate itself to help ensure its data is fully secure even when not participating in a transaction.
Data protection for M&A deals is a serious matter for which professional tools should be used. Investing in the right technology infrastructure is a must and, when the overall cost of a transaction is taken into consideration, a small investment.
[1] Press release, M&A Transaction Survey: Data Protection In Europe Is Often Inadequate, Drooms, October 14, 2014, https://www.drooms.com/en/news/959-ma-transaction-survey-data-protection-europe-often-inadequate