The Vital Need to Guarantee Data Security in the Context of Mergers and Acquisitions

06. August 2015

A few years ago the renowned Harvard Business Review wrote: “Deal making is glamorous, due diligence is not.” Today we could add: “Cyber security is even less so.”


A few years ago the renowned Harvard Business Review wrote: “Deal making is glamorous, due diligence is not.” Today we could add: “Cyber security is even less so.” In fact, in operations relating to mergers and acquisitions, the information exchanged is highly confidential and sensitive, and therefore requires the maximum level of security. Today, with the advent of Cloud Computing, companies find themselves even more vulnerable to industrial espionage and cyber-attacks. If dealmakers have in fact woken up to the need for cyber security in the context of mergers and acquisitions, it is noteworthy that very few concrete changes have been made in order to successfully conclude such due diligence operations. Consequently, it is now more vital than ever to introduce best practices that will guarantee the confidentiality of the data exchanged in a mergers and acquisitions market that launches at top speed – the T1 2015 posts the greatest amount of data since 2008*.

Cyber security in M&A: time to react

Transactions requiring the exchange and verification of large amounts of confidential data make ideal targets for industrial spies. Calls for tenders constitute key factors in decision-making for these operations. Plans to build machines or generate products, patents, sales strategies and the results of research all represent key information that must be protected.

However, although many surveys and studies reveal a growing awareness of cyber-threats**, a fact recognised by the market, this perception has not yet given rise to any significant changes in the mergers and acquisitions process. The results of the study undertaken by Freshfields Bruckhaus Deringer reveal that 78% of dealmakers estimate that cyber security is not sufficiently analysed and quantified in the due diligence process relating to mergers and acquisitions. At the same time, 83% are of the opinion that an operation could be abandoned in the event of a security failure, with 90% believing such infringements could reduce the value of a contract.

Why is there such a disparity in performance?

It should be noted that the primary constraint for dealmakers working within the field of mergers and acquisitions is the speed of the operation. In a recent study carried out by software provider Drooms, 77.8% of respondents felt that the most important factor in a deal was speed, classed ahead of data security, which came in second place with 67.6%.

The process of mergers and acquisitions has altered over the course of several decades; where physical data rooms were widely used even ten years ago, the expansion of virtual and mobile data has changed the landscape. The threat has moved on from the theft of documents in a physical location to hacking of the cloud, which simultaneously makes it much more difficult to identify the thieves.

The need for companies to protect themselves effectively against attacks

Cyber criminals have been known to hack into companies, law firms and consultants to search for sensitive information on current deals. Up to five organisations could be hacked in search of information on a single transaction. In over two thirds of cases cyber-attacks have targeted the pharmaceutical industry, which is particularly vulnerable to patent theft***.

To protect themselves and their data, companies involved in mergers and acquisitions should follow certain rules, including:

  • Relying on the right technology
    Again, according to Freshfields’ report, where transactions are concerned the most up-to-date security procedures to protect information involve the use of electronic data rooms (65% of respondents in Europe, 57% of respondents in the United States) and the implementation of project passwords (63% of those polled).
  • Not underestimating the human factor
    Human behaviour represents more of a risk to data security than the best of hackers. A mergers and acquisitions operation may be compromised by a single negligent employee, through carelessness or lack of information. The latest PwC e-crime survey shows, moreover, that in 56% of cyber-attacks, the security failure originated within the company. It is important to restrict access and limit the number of personnel involved, and to instruct the relevant staff in data security in order to reduce risks.
  • Investing in cyber security
    Although cyber-crime has been on the rise in recent years, 43% of companies surveyed by Ernst and Young indicate that the budget allocated to security was not increased in 2014. This is despite the major financial interest in combatting cyber-crime, given that attacks may incur negative financial consequences.
  • Having a team of experts on hand
    Only 5% of the surveyed companies have a dedicated team to handle cyber-attacks. Beyond this it is equally important for companies to take legal advice, particularly where data storage location is concerned, and most especially in order to protect strategic data. Given that legislation regarding the intellectual property of information is not as strict in the United States, for example, we would recommend that European companies use European cloud service providers, whose servers are located within the European Union.

With the digital revolution and the subsequent mobility and multiplication of exchanges with external parties, many new risk areas have appeared. Companies need to meet these in the context of merger and acquisition operations. Today, the question is no longer how to prevent any potential cyber-attacks, but how to be prepared to confront them and to limit the consequences.

* Towers Watson Quarterly Review on mergers and acquisitions – 1st Quarter 2015
**Report on cyber security in mergers and acquisitions, Freshfields Bruckhaus Deringer, 2014
***Source: FireEye