Managing M&A data threats

Managing M&A data threats

As M&A activity starts to gain pace in a saturated accountancy market, firms must be aware of the holes in their data security explains Vinod Bange

IT IS NO SURPRISE that advisory firms are reportedly facing increased cyber and data breach threats. After all, if a perpetrator is looking to ‘acquire’ valuable information, why not target such information when it’s with other parties, such as in an M&A environment? Within M&A there will inevitably be multiple layers of information that will be of value to a range of ‘underground stakeholders’, such as personal data about senior executives; trade/business secrets; and information on contractual positions including pricing models to name a few.

Many specialist data breach consultants will tell you that it’s a matter of ‘when and not if’ an organisation will suffer a breach incident. So preparation and readiness to deal with an incident is vital, especially if it happens and relates to an M&A transaction when time pressures already stretch the engagement team with little or no time available to focus on anything else. However, preparation and taking preventative steps are ignored at the firm’s peril.

It has been normal M&A practice for some time to have documents relevant to a transaction housed online in data centres, either housed internally or using specialist third party providers.

These centralised “data rooms” if you will, allow for enhanced security, because it gives the user greater control over access to documents based on permission rights. However, beyond this initial centralised and controlled data room environment, the teams working on those documents will analyse and create reports and documents – much of which will not then be stored in the same place.

All this happens outside of the data room environment and is subject to that data, stored in electronic formats such as email, document, spreadsheet, presentations and therefore on the firms ‘systems’. An external attack, whether that’s though the IT systems alone or via an insider threat, can have enormous consequences and create a legal risk that ranges from breach of data protection laws or breach of confidentiality owed to clients.

It’s not surprising that given the risks, that a breach event such as data theft would most likely be extremely damaging and raise liability issues for the firm that suffers the attack.

Recommended practice on what steps should be taken to minimise such risks requires a bespoke solution to each firm, depending upon the many factors that make it different, including the type of systems used, security protocols and training given to staff. But some measures will require consideration for almost all firms in order to help measure and quantify the firm’s risk profile in the face of such threats.

5 key steps a firm should take:
1. Assess the risk: So many organisations fail to carry out this obvious step which is crucial to understanding the measures required to minimise opportunities for threats to succeed.

2. Full scope review: The scope of the ongoing threat assessment should look at all key infrastructure:
o technical
o operational, and
o human

3. Use appropriate expertise: Given the critical nature of the threat, use the resources of technical and operational expertise, often not found within the firm’s own IT team.

4. Take remediation seriously: When the experts tell you what type of remediation is required, for example, data loss prevention tools and/or real-time detection technologies you will need a good reason as to why you didn’t follow this advice when explaining that after the event.

5. Take action: Test, rehearse and remain prepared. This also engages a culture of readiness and continual improvement to meet an ever changing threat.

Professional advisers may be seen as easy-prey and that’s not surprising given the industrial nature of data theft. These steps represent some, but not all, of the key questions which will be asked if a breach occurs. When legal liability is at stake, firms should expect other parties, advisers, stakeholders, regulators – and of course the client – to ask searching questions. Will the firm be prepared to demonstrate that it took the proper precautions and that liability lies elsewhere and that this was not an accident waiting to happen?

Vinod Bange, partner at Taylor Wessing

Share

Subscribe to get your daily business insights

Resources & Whitepapers

Why Professional Services Firms Should Ditch Folders and Embrace Metadata
Professional Services

Why Professional Services Firms Should Ditch Folders and Embrace Metadata

3y

Why Professional Services Firms Should Ditch Folde...

In the past decade, the professional services industry has transformed significantly. Digital disruptions, increased competition, and changing market ...

View resource
2 Vital keys to Remaining Competitive for Professional Services Firms

2 Vital keys to Remaining Competitive for Professional Services Firms

3y

2 Vital keys to Remaining Competitive for Professi...

In recent months, professional services firms are facing more pressure than ever to deliver value to clients. Often, clients look at the firms own inf...

View resource
Turn Accounts Payable into a value-engine
Accounting Firms

Turn Accounts Payable into a value-engine

3y

Turn Accounts Payable into a value-engine

In a world of instant results and automated workloads, the potential for AP to drive insights and transform results is enormous. But, if you’re still ...

View resource
Digital Links: A guide to MTD in 2021
Making Tax Digital

Digital Links: A guide to MTD in 2021

3y

Digital Links: A guide to MTD in 2021

The first phase of Making Tax Digital (MTD) saw the requirement for the digital submission of the VAT Return using compliant software. That’s now behi...

View resource