Ultimate Deal Security Part 1: Are you asking the right questions?   

Learn how to achieve ultimate deal security in part 1 of our 8-part series for advisors, written by Ansarada CTO Owen Senior.

By AnsaradaMon Apr 20 2020Security and risk management

As an advisor, you take clients through the most significant events that their business will ever undertake - be it in times of growth (e.g IPOs and capital raise) or times of stress (e.g. restructuring). Either way - good times or bad - the most sensitive information is prepared, reviewed and shared under time constraints.

This requires tight, efficient collaboration and it also requires a high degree of security - because if the wrong information goes to the wrong party, the ramifications can be immense.

This is why advisors seek Virtual Data Rooms as a way of protecting their clients, and indeed their own reputation.
The question is, what does good security look like? What do you need for ultimate deal security?

Before we give ‘the right answers’, let’s check we are asking the right questions. The right questions matter.

As a platform provider, we are often asked technical questions about encryption and document watermarks. Sure, those things are important, but they are a narrow view of what securing a deal actually looks like. They ignore the fact deals are done by humans, and we can all make simple mistakes.

Here are some good questions. Maybe they’re not what you’d expect!

Q: How do we protect advisors and clients in the preparation stage (as we gather the relevant documents and review them) from accidentally leaking information?

  • This is not about malice; it’s about human error - and it is common.

  • The common approach of email exchange of due diligence checklists (via spreadsheets) and emailing requested documents is fraught with risk. All of us in our lives have emailed the wrong person. There is an irony that ‘fortress security VDRs’ are desired for due diligence, but the very same documents that will go in these fortresses are often exchanged insecurely when preparing.

  • This is understandable, but not good enough. Understandable, because most VDRs fall short of what you are trying to achieve - they cannot match the collaborative workflow you run via your checklist/spreadsheet process. But it still isn’t good enough. Humans err and it’s just a matter of time before that spreadsheet or document gets emailed to the wrong person.

Q: In due diligence, when sharing information with the buy-side, how can we prevent accidental leakage based on sell-side mistakes?

  • Again, this is human error.

  • It is especially common in a Q&A process driven by emails.

  • This is understandable; most VDR Q&A systems are frustrating. But email is not secure enough.

  • It’s also about clarity of the security model for your document index….are you sure the new analyst you’ve hired completely understands the security model and who can see what?

Q: How do we secure data in terms of preventing buy-side leakage?

  • Here we move to more classic VDR considerations, those of digital watermarking and similar concerns.

  • You need absolute confidence that the buy-side has the convenience they need to consider your information, but equally, that they cannot leak the information.

Q: How do we secure data from cyberattacks that are based on user naivety?

  • So your system requires a complex password? That’s great - but it’s of no value if your user picks a complex password that happens to be on a breach list. 

  • To make this clear - maybe your user chooses a complex password that is the same as one they use for another system, maybe a social networking site that’s been breached.

  • They might as well have chosen 123456, because cyber criminals use ‘credential stuffing’ attacks based on those lists.

Q: How do we secure data and the software platform in terms of cybersecurity?

  • Here we come to the classic concerns of cybersecurity, but even here the questions need thought. The questions asked of VDR providers tend to date from the 1990s, not the 2020s.

  • We tend to see advisors ask static questions like, “how do you know you are secure now?” or “show me your latest cyber penetration test by an external expert/consultancy”. That is a useful question, sure. But if the penetration test was on the 1st of March, and your VDR provider delivers improvements to the software monthly, weekly or (in Ansarada) daily, where do you stand on 31st March? What risks have been created in that time? You might end up with great new features, but the penetration test is still out of date.

  • A better question: “How do you know you are secure now and how do you ensure you remain secure as you evolve your system?” That is a tougher question. A better question.

Q: How do you secure my data holistically - not just storage, but the whole process of dealing with my data? How do you secure EVERY aspect of your business and how it works with me?

  • Here we come to the classic concerns of information security. The mistake here is to allow a narrow lens.

  • Got ISO 27001? Great! But for what scope? For the storage and hosting of the data?  Not good enough - what about the very process of the entire business? The way customer support handles your data? How was Mary hired? How was she trained? When she leaves, is her access revoked? What about the security of the office where she sits and helps you via screen-sharing?

  • Unless the scope is broad and covers the entire business (not just the technology), the compliance is not sufficient. You wouldn't trust your safety to a car with a warranty that covered the seatbelt and airbags…but not the steering or the brakes.

  • A better question: “How do you secure my data holistically - every aspect of your business and how it works with me and my data?”

As we dig into ultimate deal security, it is important to ask all these questions.

We can too rapidly default to the image of a hacker in a hoodie wearing an Anonymous mask. Yes, those cybersecurity questions must be answered. But much information leakage is based on human error - unintended errors by clients and by advisors - and the ultimate deal security needs to deal with those as well as malicious concerns.

In this series we dig into all these questions - with some useful tips along the way.
Owen Senior has been working with software product companies for over 20 years and with secure SaaS products since 2004 -  working with business stakeholders, technology and information security experts to ensure systems are both easy to use and secure.
Owen Senior, Chief Technology Officer, Ansarada