In line with sharing of any sensitive information through the internet, it is imperative that inbuilt security protocols are in place to protect communication exchanges for M&A deals, and that these are unassailable.

If the platform used for the exchange of sensitive M&A information via the internet is a virtual data room (VDR), then the processes and technology that form the VDR must be secure against unauthorised access or external online threat, by being monitored and supported by a 24/7/365 technical team.

Another important consideration is that all users granted permission to work within this environment are trained how to operate when they interact with the platform.

They should also be told that all such usage will be monitored and recorded for ongoing periodic reports to senior management detailing who is accessing what document, what they did with the document during their session, how long they were in the VDR and whether they initiated a Q&A sequence on a particular bit of information. All this data will then be used to produce an end-of-deal archive for the seller and buyer.

Regulatory conformity

All such information, like corporate documents, that are made available to users and the users’ personal data during use sessions that are stored in the VDR’s database, must follow the provisions of the EU’s General Data Protection Regulations (GDPR) which, since 2016, have formed a critical component of the EU’s privacy human rights laws.

The VDR should ideally also be accredited to ISO27001, the internationally recognised standard for information security. This proves the VDR has been ‘constructed’ in line with acceptable quality systems and is safe to use.

Online threats from hackers and other malicious actors can be mitigated by ensuring all components that form the VDR technology stack are also checked for strict adherence to international security standards before the service is made available to clients.

Online security

Most companies nowadays have robust cyber security policies, and it’s important to ensure that the VDR provider’s security meets your standards as a minimum. One such reassurance is if the provider is covered by Cyber Essentials Plus, a UK government-backed certification system that rigorously tests an organisation’s cyber security systems regularly. Customers can therefore feel safe in a VDR operation that is tested regularly by such a service and will fit their needs.

In all M&A deals, a significant volume of highly sensitive documents is made accessible to prospective buyers through the VDR, including material critical to the value of the assets involved such as intellectual property. Therefore, access controls to documents need to be varied according to materiality and applied at the level of individual documents if required.  The range of permissions should include:

  • Read-only
  • Read and write
  • Read, write and annotate
  • Read, write, annotate and upload/download

Permissions attached to user profiles should provide optionality so that they can be assigned by:

  • Company
  • Position
  • Function
  • VDR access duration

It should be possible to monitor user activity by:

  • IP address or address range
  • Breach protection by watermarking accessed documents with users’ details

What all this amounts to is that VDRs can be configured to provide different layers/levels of access permissions and security profiles for separate deals’ requirements.

Sterling’s VDR service has all of the above and more, namely:

Data encryption

The three different encryption methods are symmetric, asymmetric, and hashing, and all of these encrypt/decrypt digital data by taking the source data, scrambling it according to one of the above methods, and then unscrambling it at for the end-user in their preferred format

Intrusion detection system (IDS)

These systems ‘listen’ to every byte of data going into a network and can report on anomalies. An Intrusion Protection System does the same but can also actively identify and deal with threats.

Vulnerability scanning

For identifying security weaknesses and flaws in systems, and the software running on them. They rely on pre-defined risk assessment profiles to gauge the security readiness of all devices on the network.

Penetration testing

A security test is usually performed by a company authorised to ‘attack’ a corporate network. Testers use the same tools, techniques, and processes as hackers to look for vulnerabilities in your network, ‘attack’ them if found, analyse the results and report on their impacts on the business.

Ultimate expandability

Another feature of a VDR is that it can be scaled from a few users to a virtually unlimited number of participants. Typical use cases include secure sharing of content and collaboration for M&A deals and capital markets transactions where the highest levels of security and confidentiality are required.

Sterling Technology

Sterling Technology is the leading European provider of premium virtual data room solutions for the secure sharing of content, business process automation and collaboration.

The company’s virtual data room platform has been used to manage thousands of transactions including asset sales, in- and out-licensing of intellectual property, and debt and equity capital raisings. It also has the highest levels of document encryption and security standards, including ISO 27001 and Cyber Essentials Plus.

The quickest way to destroy value in an M&A deal is for the seller to make inadvertent disclosures through using an insecure platform, or to provide buyers with a poorly organised, difficult to navigate VDR.  Sterling provides clients with VDR solutions that address all these issues and more, ensuring that they have the means to maximise value for their assets.

For more information on how Sterling Technology can support your next deal process or to contact us, please visit Sterling Technology.