EXPOSED: Risk management gaps in dodgy data room selection processes

Is a night of all-expenses-paid Sales entertainment worth the 9-month hangover? It’s time to uncover the security and information governance gaps posed by the lack of inspection processes.

By Sam Riley
Mon May 04 2020
Due diligence and dealmaking, Advisors, Virtual Data Rooms, Security and risk management

There’s a serious problem in the data room business.
I’m talking about the process by which certain top-tier data room providers set their pricing based on entertaining junior decision-makers, taking advisors and analysts on extravagant nights out in exchange for their business. 

As CapLinked puts it (very well), they operate like ‘cartels’, buying loyalty for inferior technology.
“A significant portion of the virtual data room (VDR) market is ruled by an uncompetitive cartel of three companies…These companies got into the data room business back in the Nineties and have protected their market position not by building the best products or offering a great value proposition to customers. Instead, they have held onto market share by bribing the employees of their customers and spreading negative information about SaaS companies outside of the cartel.”
CapLinked have witnessed firsthand the spending of ‘huge sums of money on lavish dinners, sporting events, night club parties, and other indirect payments to the employees of their customers, or their customer’s bankers’, which has made it impossible for these providers to properly invest in upgrading their technology (despite charging high prices).

This ties into a much larger issue of security and poor data management

The type of data that goes into the data room is critical information - strategy documents, customer details, contracts. By definition, this is your most sensitive information. The risk of it being compromised can be severe.
Companies are increasingly spending millions on IT and cybersecurity to make sure their information is carefully governed, protected and tracked. Then, they go to execute an M&A deal or other critical transaction, and the data room is picked by a 23-year-old analyst with no understanding of, or inspection into, whether the provider can deliver the level of security and governance required.
As anyone in the industry would tell you, it’s common practice for junior-level advisors to decide which data room to use – and they are heavily influenced by entertainment.

Barclays was among the first to crack down on the giving and receiving of gifts or entertainment to and from brokers, after paying out at least $1.36 billion in fines and settlements for manipulation of interest rates. Brokers are audited every 6 months to confirm they have neither given nor received any gifts from Barclays, and if they have, to explain themselves.
Given the growing complexity of information governance and the depth of compliance requirements in these processes, how an advisor is managing data is absolutely critical. And it will continue to be a key priority. 

“Bloomberg notes that cybersecurity and climate change were two of the top concerns in 2019 at Davos when world leaders met. The quantity of breaches of major software providers continues to grow year on year, so you are right to be concerned.” - Owen Senior, Chief Technology Officer, Ansarada

What about the company’s security in all of this? 

We frequently hear ‘yes, we’re ISO 27001 compliant’ from providers – but ISO 27001 certification applies to a defined scope of your business. It takes a tremendous amount of determination, effort, training and cost to achieve and maintain the widest scope of ISO 27001 compliance, leading many providers to certify only a narrow scope in order to ‘wave around the shiny certificate’.

If the scope is just live production systems, you’ve already ruled out 90% of the areas that cause information leakage; areas which can include insecure deal preparation, Q&A, and all the operational processes within a business.

Risk management for these types of transactions must cover the full scope of the business - from organisational security and application documents, to the infrastructure it all runs on. If the scope narrows, your protection narrows. 

Law firms and advisors have been the most targeted for cyber attacks, and there is a real opportunity and a growing movement to tighten up these practices. 
Advisors need to operate at a more granular level. They need to be following through with checks on up-to-date ISO 27001 certification and asking other essential security questions, not simply ticking an initial box – and certainly not accepting at face value that a junior advisor has done it. Light inspection is the key issue here. You shouldn’t be making a selection this important based on enticement.

The wider issue: Prevalence of these practices in junior ranks

While letting juniors make the choice of data room based heavily on bribes might be justified by senior advisors as giving them one small thing to own, it fails to acknowledge the behaviour it teaches – even encourages. They develop the mindset, ‘that’s just what banking is like’. 

When those characteristics are advocated and bred in the firm, it becomes an issue of leadership. As juniors move further up the ranks, they cultivate these toxic behaviours, which grow and go on to have far reaching impacts on people and economies.

You’re either making choices based on what’s in the best interest of your client, or you’re not. If you aren’t, you’re obviously placing something else as a higher choice than your client’s best interest – and unfortunately, that’s usually one driven by self-interest and greed.
How do you select a data room for your client? How do you recommend them? I’d love to hear your feedback. 

In the meantime, our CTO Owen has put together an excellent series on deal security for advisors that will help you ensure all the bases are covered.
