Cyber Security and Online Datarooms
With the encouraging signs of economic recovery comes the inevitable increase in corporate finance activity including mergers and acquisitions, investments and IPOs.
Often the largest task in such activity is the due diligence undertaken by the buyer/investor on the company it is looking to buy or invest in. To do this the ‘target’ gathers together commercially sensitive and other confidential information to be analysed by the buyer’s or investor’s advisers, to help inform the terms of the purchase or investment and to manage, primarily, the buyer’s or investor’s risk.
Over the past five years there has been a shift to online solutions for hosting this information: online data storage services such as OneDrive, Google Drive, Dropbox etc., or bespoke services typically provided by an adviser, are replacing physical ‘datarooms’.
These services are more efficient and convenient, but the risk that this information can be compromised online is arguably higher than using a physical dataroom. Unauthorised access to confidential information can have a dramatic impact on a transaction and the target.
The Corporate Finance Faculty at the Institute of Chartered Accountants in England and Wales (ICAEW) recently published a short paper (Cyber Security in Corporate Finance) highlighting the cyber security risks associated with sharing such information online.
The paper highlights the various stages of a transaction, providing guidance and detailed considerations for businesses, and examples of security breaches and their consequences.
We briefly consider below the limited legal protections and some practical measures to reduce the risk of a breach.
What legal protections are there?
The ICAEW recommends that everyone with access to the online dataroom should be subject to confidentiality agreements, prohibiting them from disclosing or using such information outside of the transaction.
Additionally, where an online data storage service is used, the users and provider will be bound by the terms for the service. A breach of security for which the provider is responsible (e.g. insufficient security measures) may breach these terms.
Effectiveness of these protections
Confidentiality agreements and the law on confidentiality may provide a remedy (e.g. damages and/or an injunction to prevent distribution of compromised information) but the immediacy of the damage caused by a breach and the potential time to remedy or counteract it may mean such remedies are too little too late.
Additionally, it is generally perceived that the security of transmitting or storing information online cannot be relied upon (and seemingly less so with each report of an IT security breach or DDoS attack). The terms of any service which suffers a security breach, resulting in unauthorised access to confidential information, are likely to exclude or limit the losses which the user can claim.
These potential contractual protections will not cover all risks and, more importantly, are unlikely to provide instant or sufficient relief from a security breach where key confidential information is compromised. In the extreme, a breach may cause the potential buyer or investor to abort the transaction and cause irreparable harm to a target.
Practical steps to take
As legal protections may not provide effective remedies for breaches, the steps that can be taken to reduce the risk of such breaches take on added importance. The ICAEW provides detailed guidance and considerations for businesses. Some of the simpler steps which can be taken are:
- restrict access to the information to individuals who need access;
- keep highly confidential information offline and provide it by other means, subject to restrictions regarding copying and printing; and
- where possible, consider advisers who adhere to higher standards of information security (e.g. some advisers have achieved the ISO’s Information Security Management certification (ISO27001)).
In addition to the ICAEW’s recommendations, businesses may consider, where possible, using an adviser’s bespoke dataroom solution rather than a generic service provider. As a product specifically designed to store confidential information, its security measures may be similar to, if not better than, those used by service providers, whilst the adviser or buyer may be less of a target for cyber security attacks than well-known service providers.
The rise of online datarooms has obvious advantages in ease of access, but their use must be combined with consideration of the legal protections available and the practical steps that businesses should take to protect their information. The ICAEW provides considerations and guidance for all businesses; these should be looked at in the context of the size, resources and acceptable risk for each such business when involved in a corporate finance transaction.