When we look back a decade or so ago to when physical data rooms were still reasonably commonplace, apart from the analogue nature of them, there was something of the Cold War about them – parties to a transaction visiting a secure office, with windows blocked out, to pore over documents, but never remove them. It wasn’t especially efficient, but it was definitely secure. Now – except for the particular security requirements around some specific deals with defence or national security implications – the locked rooms for M&A due diligence are online in virtual data rooms (VDRs).

There’s now a wide choice of providers in the M&A market. So, what should advisers look for from a VDR provider? What distinguishes the providers from each other? Is there a balance between security and efficiency, or do both need to run at 100%? For Charlotte Devlin, director in the cyber team at Grant Thornton, “the VDR serves as a repository of key documentation that is held and looked at and assessed as part of the deal. Everything goes in there, from financial information through to strategy, as well as information about employees. It’s basically the most commercial and sensitive information for the business.

“If you’ve got all of that sitting in one place online, then the risk around that repository suddenly becomes quite heightened. What you need to be thinking is: ‘I’ve got all of this information here – how protected is it?’”

Spot the differences

Jamie Iles, Deloitte’s UK cyber M&A lead, says: “There is a fine balance between cyber-security controls and enabling the intention behind them. In this, there is quite a difference between providers in the market.” Good providers, he says, “are the ones that have a flexibility in what you can do, while still maintaining a good level of underpinning security controls. Transactions are fast paced and it is typically when security controls become blockers that users will find ways of circumventing controls for convenience. Finding the right balance is key.”

VDRs are typically chosen by the vendor, whose interest is in as frictionless a bidding process as possible. Large providers include DealRoom, Datasite, Intralinks, iDeal and Box, but there are many smaller providers – something of an aside, the space itself is ripe for M&A. 

Amit Toren, senior VP for corporate and business development at private content network Kiteworks, says the company is “highly acquisitive and looking to expand further including in the UK”. He offers the perspectives of both a user and a vendor of VDRs. “Access control, audit control and real-time notifications” are just some of the helpful features VDRs can provide the deal team, he says. 

“In M&A, it’s really important for people like me to know what the other side is doing. When you’re on the sell side, I want to know who opened what on the buy side, and when and who they shared it with because it’s all intelligence for negotiation.”

Matthew Wells, VP of global product marketing and strategy at Intralinks, one of the main VDR providers, says that in the past decade, “VDRs have evolved significantly from basic content repositories to an essential piece of technology critical to the dealmaking process. The security controls around encryption with data in transit, at rest and in use are far more significant than they were 10 years ago, as well as the focus around data privacy and sovereignty.”

Wells adds that the use of VDRs has started to expand beyond due diligence to deal preparation and aiding in the deal marketing process. Someone who is in a position to take advantage of that trend is Jamie Loder, MD private equity, Europe, for global supply chain and operations consulting firm SGS Maine Pointe.

“We interact with these rooms when we’re providing due diligence to M&A clients,” Loder says, “making high-level assessments from information in the data room.” Charting the development of VDRs, he explains: “Nascent data rooms were just basically Dropbox. Then they became fancier versions of Dropbox, but now they can cope with the entire M&A process.  

Latest applications

AI is helping develop the Q&A process within data rooms. “It takes the drudgery out of some of the back-and-forth processes, allowing management to be available for more strategic conversations,” says Loder.

“If you’re Goldman Sachs, and you’re handling the sale of a family-owned multi-billion dollar life sciences company, there may be five bidders in the process and multiple technical questions from those five bidders. That is the kind of critical pathway that AI handles very efficiently.”

For Toren, AI “is a huge opportunity” for VDRs: “Security-wise, metadata analysis using AI will allow more controls for monitoring and blocking, while VDR vendors will have to ensure sensitive content does not leak to AI tools”. And in terms of efficiency, “There will be step changes in VDR efficiency over the next couple of years.”

VDRs, says Iles, are “in essence, a secure file transfer mechanism” that dealmakers have traditionally viewed from an ‘ease-of-use’ perspective rather than through a security lens. They’re observed more as an enabling technology for transactions where really they should be looked at as a method of securely sharing and controlling sensitive data. Dealmakers should factor this into their decision-making when looking at VDR suppliers and consider the long-term control of the data that they share once the VDR is no longer required.”

Tight control

But how secure can a VDR be if there are humans as the end user and possible criminals looking for ways into the vault? 

“What’s happened recently is that investors and private equity firms and corporate finance specialists have all become increasingly aware of cyber security as part of their transactions,” says Devlin. “The types of controls that we’re now seeing in virtual data rooms, which are really important for both advisers and investors to be thinking about, are multi-factor authentication, stronger passwords, good access control and audit logs.”

The main issue in choosing a VDR, according to EY M&A cyber partner Michael Young, “is not the cost, it’s the security of the data – especially when you’re talking about IP”. He adds: “There are things you don’t want to be known flooding out across various organisations as part of this process, especially if those companies don’t end up being the buyers. You’ve basically told them IP information and given them all your weak points within your organisation.”

And then there’s the risk of ‘bad actors’ and cyber crime. “Security and data compliance over the past 10 years have gone from being an IT issue that no one cared about to a business risk issue,” says Young. “And the point about M&A is, obviously, it’s public, even just as speculation, which is a focus for criminal organisations because if they can find a weak spot and get into this process, there is a lot of money to be made.”

Furthermore, big VDR providers should “provide an archiving service. That’s important because when you close the deal, you want to give a record of everything in the data room to the buyer so that there’s no dispute further down the line.”

Young finds that many sellers “haven’t really given much thought” to what features they need from a VDR. “It’s really important to understand your requirements,” he says. “Do you need a red room, where only selected deal participants can go? How much data are you actually going to put in and how much storage do you need? A lot of people just massively overestimate the amount of storage they’re going to need; documents are quite small, even quite big documents don’t take up much space.”

In any case, he adds: “VDR costs are not high compared to the value of deals. You want the process to be frictionless – you don’t want to give buyers any excuse not to bid.”