ICAEW.com works better with JavaScript enabled.

insight

Proceed with caution

Author: Jason Sinclair

Published: 10 Sep 2024

electric computer cables in a row virtual data rooms

Virtual data rooms are now almost universally used in M&A transactions. Jason Sinclair looks at how to choose the right one for you.

When we look back a decade or so ago to when physical data rooms were still reasonably commonplace, apart from the analogue nature of them, there was something of the Cold War about them – parties to a transaction visiting a secure office, with windows blocked out, to pore over documents, but never remove them. It wasn’t especially efficient, but it was definitely secure. Now – except for the particular security requirements around some specific deals with defence or national security implications – the locked rooms for M&A due diligence are online in virtual data rooms (VDRs).

There’s now a wide choice of providers in the M&A market. So, what should advisers look for from a VDR provider? What distinguishes the providers from each other? Is there a balance between security and efficiency, or do both need to run at 100%? For Charlotte Devlin, director in the cyber team at Grant Thornton, “the VDR serves as a repository of key documentation that is held and looked at and assessed as part of the deal. Everything goes in there, from financial information through to strategy, as well as information about employees. It’s basically the most commercial and sensitive information for the business.

“If you’ve got all of that sitting in one place online, then the risk around that repository suddenly becomes quite heightened. What you need to be thinking is: ‘I’ve got all of this information here – how protected is it?’”

Spot the differences

Jamie Iles, Deloitte’s UK cyber M&A lead, says: “There is a fine balance between cyber-security controls and enabling the intention behind them. In this, there is quite a difference between providers in the market.” Good providers, he says, “are the ones that have a flexibility in what you can do, while still maintaining a good level of underpinning security controls. Transactions are fast paced and it is typically when security controls become blockers that users will find ways of circumventing controls for convenience. Finding the right balance is key.”

VDRs are typically chosen by the vendor, whose interest is in as frictionless a bidding process as possible. Large providers include DealRoom, Datasite, Intralinks, iDeal and Box, but there are many smaller providers – something of an aside, the space itself is ripe for M&A. 

Beauty of a VDR

Document management

Streamlining the document collection, upload and permissions process can shave days off deal timelines when leveraging a VDR built around the workflow of an M&A deal. Having those files properly indexed and structured will help save time when counterparties are looking for information quickly.

Centralised collaboration

Integrating key diligence processes such as Q&A will shorten deal timelines, as well as allow all stakeholders to more easily track, obtain and answer questions.

Manual repetitive tasks

A good VDR can help to eliminate or reduce the number of manual tasks an M&A adviser may have to engage in and therefore free them up for higher value add activities. Features such as AI-redaction along with ancillary services such as translation and NDA management allow the deal participants to focus on the strategic elements of closing a deal, while eschewing the need for time to be spent on time-consuming manual, but highly necessary, tasks.

Advanced analytics and reporting

Understanding who is accessing which documents and how engaged buyers are enables dealmakers to gain an understanding of where best to allocate time and resources, as well as better informing negotiation strategies.

Hands-on support

A VDR support team should have a dedicated customer support manager with deep experience of M&A due diligence across a number of sectors. This will save the deal team significant amounts of time in setup and provide assistance to all deal participants throughout the process.

Amit Toren, senior VP for corporate and business development at private content network Kiteworks, says the company is “highly acquisitive and looking to expand further including in the UK”. He offers the perspectives of both a user and a vendor of VDRs. “Access control, audit control and real-time notifications” are just some of the helpful features VDRs can provide the deal team, he says. 

“In M&A, it’s really important for people like me to know what the other side is doing. When you’re on the sell side, I want to know who opened what on the buy side, and when and who they shared it with because it’s all intelligence for negotiation.”

Matthew Wells, VP of global product marketing and strategy at Intralinks, one of the main VDR providers, says that in the past decade, “VDRs have evolved significantly from basic content repositories to an essential piece of technology critical to the dealmaking process. The security controls around encryption with data in transit, at rest and in use are far more significant than they were 10 years ago, as well as the focus around data privacy and sovereignty.”

Wells adds that the use of VDRs has started to expand beyond due diligence to deal preparation and aiding in the deal marketing process. Someone who is in a position to take advantage of that trend is Jamie Loder, MD private equity, Europe, for global supply chain and operations consulting firm SGS Maine Pointe.

“We interact with these rooms when we’re providing due diligence to M&A clients,” Loder says, “making high-level assessments from information in the data room.” Charting the development of VDRs, he explains: “Nascent data rooms were just basically Dropbox. Then they became fancier versions of Dropbox, but now they can cope with the entire M&A process.  

Latest applications

AI is helping develop the Q&A process within data rooms. “It takes the drudgery out of some of the back-and-forth processes, allowing management to be available for more strategic conversations,” says Loder.

“If you’re Goldman Sachs, and you’re handling the sale of a family-owned multi-billion dollar life sciences company, there may be five bidders in the process and multiple technical questions from those five bidders. That is the kind of critical pathway that AI handles very efficiently.”

Digital generated image of abstract glowing neon coloured lines moving along data tunnel.

For Toren, AI “is a huge opportunity” for VDRs: “Security-wise, metadata analysis using AI will allow more controls for monitoring and blocking, while VDR vendors will have to ensure sensitive content does not leak to AI tools”. And in terms of efficiency, “There will be step changes in VDR efficiency over the next couple of years.”

VDRs, says Iles, are “in essence, a secure file transfer mechanism” that dealmakers have traditionally viewed from an ‘ease-of-use’ perspective rather than through a security lens. They’re observed more as an enabling technology for transactions where really they should be looked at as a method of securely sharing and controlling sensitive data. Dealmakers should factor this into their decision-making when looking at VDR suppliers and consider the long-term control of the data that they share once the VDR is no longer required.”

Tight control

But how secure can a VDR be if there are humans as the end user and possible criminals looking for ways into the vault? 

“What’s happened recently is that investors and private equity firms and corporate finance specialists have all become increasingly aware of cyber security as part of their transactions,” says Devlin. “The types of controls that we’re now seeing in virtual data rooms, which are really important for both advisers and investors to be thinking about, are multi-factor authentication, stronger passwords, good access control and audit logs.”

The main issue in choosing a VDR, according to EY M&A cyber partner Michael Young, “is not the cost, it’s the security of the data – especially when you’re talking about IP”. He adds: “There are things you don’t want to be known flooding out across various organisations as part of this process, especially if those companies don’t end up being the buyers. You’ve basically told them IP information and given them all your weak points within your organisation.”

And then there’s the risk of ‘bad actors’ and cyber crime. “Security and data compliance over the past 10 years have gone from being an IT issue that no one cared about to a business risk issue,” says Young. “And the point about M&A is, obviously, it’s public, even just as speculation, which is a focus for criminal organisations because if they can find a weak spot and get into this process, there is a lot of money to be made.”

Furthermore, big VDR providers should “provide an archiving service. That’s important because when you close the deal, you want to give a record of everything in the data room to the buyer so that there’s no dispute further down the line.”

Young finds that many sellers “haven’t really given much thought” to what features they need from a VDR. “It’s really important to understand your requirements,” he says. “Do you need a red room, where only selected deal participants can go? How much data are you actually going to put in and how much storage do you need? A lot of people just massively overestimate the amount of storage they’re going to need; documents are quite small, even quite big documents don’t take up much space.”

In any case, he adds: “VDR costs are not high compared to the value of deals. You want the process to be frictionless – you don’t want to give buyers any excuse not to bid.”

Work on the record

After a transaction is completed, the deal may be revisited and an adviser asked to show how conclusions were reached. Matthew Wells of Intralinks explains how a VDR provides the audit trail of work done:

“Depending on their role, advisers retain access to VDR information for regulatory compliance, legal and other internal/business compliance needs. This is done through several archiving options, from simple downloadable archives to a more dynamic cloud-based archiving solution that allows authorised prior deal participants to retain a library of prior deal activity and data for compliance and business needs. Archives include all key data and documents reviewed during the diligence and Q&A processes, and historically have come in the form of a downloadable or physical media (such as a USB or DVD). With our DealVault we’re enhancing the security, collaboration, accessibility and overall usefulness of archives, which can unlock even more value in the post-close period.

“Just as an adviser would want to retain transaction data, so would the seller from a transaction record-keeping perspective. There are a number of factors from confidentiality and data privacy to data ownership and regulatory compliance that need to be considered. However, client data retention – as well as activity data – is important, especially with any post-close litigation, audits or questions around what data was provided as the ‘source of truth’ during a transaction.”

Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250