Growing concerns over cyber security in corporate finance transactions prompted a group including the Corporate Finance Faculty of the Institute of Chartered Accountants in England and Wales, the Law Society, the CBI and the London Stock Exchange, to publish
guidance notes on 16 January 2014.
Recognising the importance of corporate finance transactions to the economy, and the having regard to increasing concerns over the vulnerabilities that can be exploited when there is so much flow of information (including commercial data, IP and client sensitive
data), the guide offers some suggestions on how risk can be recognised and managed.
The threat to businesses comes from a wide range of people and organisations, including organised crime networks seeking to take advantage of, for example, stock exchange gains before transactions are officially announced, competitors trying to gain access
to confidential or client/price sensitive information, hackers driven by political/moral motivations and disgruntled employees and contractors seeking to damage a business.
Based on our review of the guidance notes, we would make the following recommendations:
· Map out information and process flows where practicable and consider whether a separate data storage system is required.
· Recognise that the very act of collating information in readiness for a transaction may alert others that a deal is imminent. Consequently, the number of people involved in the early stages should be limited as far as possible and strict rules of confidentiality
should be observed.
· If at all possible, information which is shared with third parties should all flow through one individual within the target business. Colleagues should report to that person, but should not be given the freedom to disseminate the information to third parties.
· Organisations should consider applicable legal and regulatory frameworks and in particular those relating to risk identification and management obligations. Additional security obligations may apply to some sectors, such as telecoms, which is now subject
to an obligation to report breaches to the relevant regulatory authority and, in some cases, the individuals affected.
· Obtain confidentiality agreements with all parties to whom the information will be shared, but recognise that confidentiality agreements have their limitations. In our view, they provide more of a deterrent than a remedy.
· Ensure on-going monitoring of access to information, in an attempt to highlight suspicious activity; most decent virtual data room providers include a service which allows the designated data room controller(s) to see who has accessed which documents and
with what frequency.
· Consider providing information in different formats; electronic communication may not always be appropriate. A physical data room might be a safer option with those granted access being restricted in terms of the information that they are allowed to copy.
· Although virtual data rooms have generally made transactions more streamlined, they carry the risk of information being stored online and therefore vulnerable to attack. Choose a reputable data room provider and try to restrict personal information (for
example redact employee names until closer to completion) and think about releasing information in stages (so that, for example, all parties have access to a certain amount of information and then only those shortlisted as potential buyers gain access to more
sensitive information later in the process).
For practical advice on how management can get their company’s house in order before deciding to proceed with a corporate finance transaction, how best to manage systems and processes during the course of a deal, or corporate finance advice generally, please
talk to any member of Berg’s corporate team.
To discuss any of the issues raised in this article and arising from new or existing commercial contracts please contact
Keith Kennedy, Corporate Partner at
firstname.lastname@example.org or by telephoning 0161 833 9211.
The information and opinions contained in this article are not intended to be comprehensive or to provide legal advice. No responsibility for article’s accuracy or correctness is assumed by Berg or any of its partners or employees. Professional legal advice
should be obtained before taking, or refraining from taking, any action as a result of the contents of this article.