Managing M&A data threats

IT IS NO SURPRISE that advisory firms are reportedly facing increased cyber and data breach threats. After all, if a perpetrator is looking to ‘acquire’ valuable information, why not target such information when it’s with other parties, such as in an M&A environment? Within M&A there will inevitably be multiple layers of information that will be of value to a range of ‘underground stakeholders’, such as personal data about senior executives; trade/business secrets; and information on contractual positions including pricing models to name a few.

Many specialist data breach consultants will tell you that it’s a matter of ‘when and not if’ an organisation will suffer a breach incident. So preparation and readiness to deal with an incident is vital, especially if it happens and relates to an M&A transaction when time pressures already stretch the engagement team with little or no time available to focus on anything else. However, preparation and taking preventative steps are ignored at the firm’s peril.

It has been normal M&A practice for some time to have documents relevant to a transaction housed online in data centres, either housed internally or using specialist third party providers.

These centralised “data rooms” if you will, allow for enhanced security, because it gives the user greater control over access to documents based on permission rights. However, beyond this initial centralised and controlled data room environment, the teams working on those documents will analyse and create reports and documents – much of which will not then be stored in the same place.

All this happens outside of the data room environment and is subject to that data, stored in electronic formats such as email, document, spreadsheet, presentations and therefore on the firms ‘systems’. An external attack, whether that’s though the IT systems alone or via an insider threat, can have enormous consequences and create a legal risk that ranges from breach of data protection laws or breach of confidentiality owed to clients.

It’s not surprising that given the risks, that a breach event such as data theft would most likely be extremely damaging and raise liability issues for the firm that suffers the attack.

Recommended practice on what steps should be taken to minimise such risks requires a bespoke solution to each firm, depending upon the many factors that make it different, including the type of systems used, security protocols and training given to staff. But some measures will require consideration for almost all firms in order to help measure and quantify the firm’s risk profile in the face of such threats.

5 key steps a firm should take:
1. Assess the risk: So many organisations fail to carry out this obvious step which is crucial to understanding the measures required to minimise opportunities for threats to succeed.

2. Full scope review: The scope of the ongoing threat assessment should look at all key infrastructure:
o technical
o operational, and
o human

3. Use appropriate expertise: Given the critical nature of the threat, use the resources of technical and operational expertise, often not found within the firm’s own IT team.

4. Take remediation seriously: When the experts tell you what type of remediation is required, for example, data loss prevention tools and/or real-time detection technologies you will need a good reason as to why you didn’t follow this advice when explaining that after the event.

5. Take action: Test, rehearse and remain prepared. This also engages a culture of readiness and continual improvement to meet an ever changing threat.

Professional advisers may be seen as easy-prey and that’s not surprising given the industrial nature of data theft. These steps represent some, but not all, of the key questions which will be asked if a breach occurs. When legal liability is at stake, firms should expect other parties, advisers, stakeholders, regulators – and of course the client – to ask searching questions. Will the firm be prepared to demonstrate that it took the proper precautions and that liability lies elsewhere and that this was not an accident waiting to happen?

Vinod Bange, partner at Taylor Wessing

Related reading