Protecting data during M&A is now a necessity rather than an option.
In her award-winning book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, author Nicole Perlroth paints a picture of a world that is under threat from all angles from hackers and cyberweapons.
This includes corporations and their transactions. This is the DealRoom guide to protecting data during M&A.
What does protecting data mean?
Data protection is the process of protecting a company’s confidential data from corruption, compromise, or loss.
In M&A, companies inevitably share confidential data with external third parties, leaving all manner of important information vulnerable.
The fact that the counterparty in the M&A transaction is an honest actor does not secure the information: It could be compromised as it moves across emails, or sits on their company’s VPN (virtual private network).
Protecting data means taking all steps to prevent this from happening.
Why is data protection important?
Data is now an extremely valuable commodity for companies.
Very often, the confidential information that a company holds (e.g., credit card numbers, banking records, customers’ individual health records, etc.) accounts for a significant portion of the transaction size.
If these details are unwittingly disclosed to bad faith actors, the deal is immediately jeopardized.
Who’s going to pay for a company whose confidential information is open to all comers?
Data security in M&A: The numbers
A 2019 report by Forescout, a software security firm, provides useful insights into the importance of data security in mergers and acquisitions.
At that time, less than 5% of executives considered data protection a critical factor in the success of their M&A transactions.
This number was predicted to surpass 60% by 2022.
But it’s not the only number which deserved attention. Among the others were:
- 62% of respondents agreed that their company faced significant cybersecurity risk during their M&A transactions, and that cyber risk is their biggest concern post-acquisition
- 53% of respondents indicated that their company had encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy.
- 73% of respondents said that an undisclosed data breach at a target company was a deal breaker.
- 65% of company decision makers admitted to having post-acquisition regret after experiencing data security issues after their M&A transaction had closed.
- More data means more risk: Large firms (5,000 or more employees) (59%) and mid-sized firms (1,000 to 4,999 employees) (56%) encountered cybersecurity issues more often than smaller companies of less than 1,000 employees (49%).
Examples of data breaches in M&A transactions
Data breaches are increasingly common in mergers and acquisitions – and those are only the ones that we know about.
The nature of the due diligence process is that information is flowing back and forth, which exposes that information to higher risk.
With tens of thousands of transactions occurring every year, mergers and acquisitions are a fertile ground for hackers seeking to get their hands on confidential corporate information.
One of the best-known examples of a data breach in M&A occurred before and during the 2017 acquisition of Yahoo by Verizon.
During the due diligence process, Yahoo disclosed two serious data breaches to Verizon, which it had attempted to cover up. In the months leading up to the transaction, hackers had stolen the personal data of 500 million Yahoo users.
This was followed by a hacking of one billion accounts at the company. The deal went ahead for nearly $4.5 billion but not before Verizon knocked $350 million off the transaction price.
Another high profile case is provided by Marriott’s 2016 acquisition of Starwood Hotels.
The deal was plagued with technology issues, not least of which was data protection at Starwood Hotels.
After the deal had closed, Marriott Hotels announced that 400 million guest records had been exposed to a data breach at Starwood Hotels owing to poor cybersecurity measures.
In addition to the reputational damage, Great Britain’s Information Commissioner’s Office hit Marriott Hotels with a $123 million GDPR fine.
How data is protected in M&A transactions
To safeguard data during M&A transactions, it’s important to implement various security measures, such as:
- Encryption: Use strong encryption methods to protect data both in transit and at rest. Encryption helps ensure that only authorized parties can access the data, and prevents it from being intercepted, tampered with, or stolen.
- Access control: Employ granular access control, allowing only authorized parties to access specific data. Limit access to sensitive information by restricting access to specific documents, folders, or functionalities.
- Monitoring and auditing: Monitor user activities in real-time and audit data access logs. This can help detect suspicious or unauthorized activities and ensure the integrity of data.
- Two-factor authentication: Use two-factor authentication to verify the identity of users. This can include a combination of something they know (like a password) and something they have (like a security token) or something they are (like biometric data).
- Secure communication: Use secure communication channels to ensure that data is transmitted safely and is protected from interception or eavesdropping. This can include measures such as encryption, digital signatures, secure file transfer protocols, and Secure Sockets Layer (SSL). SSL certificate cost and implementation vary depending on the type of certificate and the level of validation required. Most virtual data room providers used in M&A use SSL/TLS certificates to encrypt data in transit and ensure secure communication between servers and clients. Some VDR providers may also use extended validation (EV) SSL/TLS certificates, which provide additional security features.
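The access control and monitoring measures above can be checked against a data room's access log. The following is an added example, not DealRoom's code or any VDR product's API: the log format, user names, folder grants and thresholds are all constructed for illustration. It flags access outside a user's granted folders, any action other than viewing in a view-only room, and bursts of document access.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: per-user folder grants and a data-room access log.
GRANTS = {
    "buyer.analyst": {"/financials", "/contracts"},
    "buyer.counsel": {"/contracts", "/litigation"},
}
LOG = """\
2024-03-01T09:00:05Z buyer.analyst VIEW /financials/fy23-audit.pdf
2024-03-01T09:00:40Z buyer.analyst VIEW /financials/fy23-ledger.xlsx
2024-03-01T09:01:10Z buyer.analyst VIEW /contracts/msa-acme.pdf
2024-03-01T09:01:30Z buyer.analyst VIEW /financials/fy22-audit.pdf
2024-03-01T09:02:00Z buyer.analyst VIEW /hr/payroll.csv
2024-03-01T10:15:00Z buyer.counsel DOWNLOAD /litigation/claim-17.pdf
2024-03-01T11:30:00Z buyer.counsel VIEW /contracts/msa-acme.pdf
"""

def audit(log_text, grants, burst=4, window=timedelta(minutes=2)):
    """Return (timestamp, user, rule, path) findings for three policy checks."""
    findings, recent = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, action, path = line.split(maxsplit=3)
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        folder = "/" + path.strip("/").split("/")[0]
        # Rule 1 (granular access control): top-level folder must be granted.
        if folder not in grants.get(user, set()):
            findings.append((ts_raw, user, "OUTSIDE_GRANT", path))
        # Rule 2 (view-only room): anything other than VIEW is a violation.
        if action != "VIEW":
            findings.append((ts_raw, user, "NON_VIEW_ACTION", path))
        # Rule 3 (monitoring): report once when a user reaches `burst`
        # events inside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) == burst:
            findings.append((ts_raw, user, "BULK_ACCESS", path))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, GRANTS):
        print(*finding)
```
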
Data security in due diligence
If the fines levied on companies like Verizon and Marriott Hotels seem punitive, the reality is that they don’t capture the real value destroyed by the data breaches that both companies were exposed to during their M&A transactions.
As soon as Marriott’s data breach was made public, its share price dropped 5.33% in a single day. Similarly, Yahoo is thought to have lost millions of users over its data breach.
Virtual data rooms (VDRs) are often the go-to solution for secure communication and storage. There are many reasons why companies rely on VDRs to protect their data during M&A transactions.
The main reason is that a secure virtual data room is essential to the due diligence process in M&A transactions.
DealRoom and other platforms like it ensure that:
- Risks are identified and mitigated
- Information can be viewed but not downloaded
- Consent is achieved from all relevant parties
- Ongoing accountability and reporting is established
The proportion of the due diligence process in which data is the focus has probably jumped five-fold over the past decade. That means virtual data rooms must confront challenges such as:
- Identifying the target company’s data
- Protecting and classifying the target company’s data
- Ensuring that data is merged without any security breaches
Data protection should be considered as soon as possible in M&A transactions.
By using professional M&A lifecycle management software like DealRoom, M&A participants can share their company’s information in the knowledge that it will not be compromised.
And with so much of a transaction’s value now contained in data, this means a virtual data room is adding potentially millions of dollars of long-term value to deals.
Don’t scrimp on security. Talk to DealRoom today about how we can endow your M&A transaction with the data security it requires.