TechnologyManaging M&A data threats

Managing M&A data threats

As M&A activity starts to gain pace in a saturated accountancy market, firms must be aware of the holes in their data security explains Vinod Bange

IT IS NO SURPRISE that advisory firms are reportedly facing increased cyber and data breach threats. After all, if a perpetrator is looking to ‘acquire’ valuable information, why not target such information when it’s with other parties, such as in an M&A environment? Within M&A there will inevitably be multiple layers of information that will be of value to a range of ‘underground stakeholders’, such as personal data about senior executives; trade/business secrets; and information on contractual positions including pricing models to name a few.

Many specialist data breach consultants will tell you that it’s a matter of ‘when and not if’ an organisation will suffer a breach incident. So preparation and readiness to deal with an incident is vital, especially if it happens and relates to an M&A transaction when time pressures already stretch the engagement team with little or no time available to focus on anything else. However, preparation and taking preventative steps are ignored at the firm’s peril.

It has been normal M&A practice for some time to have documents relevant to a transaction housed online in data centres, either housed internally or using specialist third party providers.

These centralised “data rooms” if you will, allow for enhanced security, because it gives the user greater control over access to documents based on permission rights. However, beyond this initial centralised and controlled data room environment, the teams working on those documents will analyse and create reports and documents – much of which will not then be stored in the same place.

All this happens outside of the data room environment and is subject to that data, stored in electronic formats such as email, document, spreadsheet, presentations and therefore on the firms ‘systems’. An external attack, whether that’s though the IT systems alone or via an insider threat, can have enormous consequences and create a legal risk that ranges from breach of data protection laws or breach of confidentiality owed to clients.

It’s not surprising that given the risks, that a breach event such as data theft would most likely be extremely damaging and raise liability issues for the firm that suffers the attack.

Recommended practice on what steps should be taken to minimise such risks requires a bespoke solution to each firm, depending upon the many factors that make it different, including the type of systems used, security protocols and training given to staff. But some measures will require consideration for almost all firms in order to help measure and quantify the firm’s risk profile in the face of such threats.

5 key steps a firm should take:
1. Assess the risk: So many organisations fail to carry out this obvious step which is crucial to understanding the measures required to minimise opportunities for threats to succeed.

2. Full scope review: The scope of the ongoing threat assessment should look at all key infrastructure:
o technical
o operational, and
o human

3. Use appropriate expertise: Given the critical nature of the threat, use the resources of technical and operational expertise, often not found within the firm’s own IT team.

4. Take remediation seriously: When the experts tell you what type of remediation is required, for example, data loss prevention tools and/or real-time detection technologies you will need a good reason as to why you didn’t follow this advice when explaining that after the event.

5. Take action: Test, rehearse and remain prepared. This also engages a culture of readiness and continual improvement to meet an ever changing threat.

Professional advisers may be seen as easy-prey and that’s not surprising given the industrial nature of data theft. These steps represent some, but not all, of the key questions which will be asked if a breach occurs. When legal liability is at stake, firms should expect other parties, advisers, stakeholders, regulators – and of course the client – to ask searching questions. Will the firm be prepared to demonstrate that it took the proper precautions and that liability lies elsewhere and that this was not an accident waiting to happen?

Vinod Bange, partner at Taylor Wessing

Related Articles

Sage purchases Intacct in its largest ever acquisition

Accounting Software Sage purchases Intacct in its largest ever acquisition

9m Alia Shoaib, Reporter
PwC acquires data technology firm Selera Labs

Accounting Firms PwC acquires data technology firm Selera Labs

2y Richard Crump, Writer
PwC buys Scottish cyber security outfit Praxism

Technology PwC buys Scottish cyber security outfit Praxism

2y Chris Warmoll, Writer
PwC to buy Polish cloud company

Accounting Firms PwC to buy Polish cloud company

2y Chris Warmoll, Writer
PwC acquires technology start-up Kusiri

Accounting Firms PwC acquires technology start-up Kusiri

3y Richard Crump, Writer
Baker Tilly buys esl to boost HR offering

Technology Baker Tilly buys esl to boost HR offering

3y Chris Warmoll, Writer
HP to sue Autonomy founder and ex-CFO for $5.1bn

Accounting Firms HP to sue Autonomy founder and ex-CFO for $5.1bn

3y Chris Warmoll, Writer
KPMG acquires IT consultancy Safira

Accounting Firms KPMG acquires IT consultancy Safira

4y Richard Crump, Writer