Managing and securing your data room in a pandemic
By Owen Morris, operations director at Doherty Associates – Covid-19 has presented multiple challenges to those working in private equity and finance, not least remote working, which looks set to continue for the future. When it comes to compliance the FCA expects it to be business as usual, despite the effects of the pandemic.
In private equity, the data room is key to ensuring the deal-making process is secure, facilitating the due diligence and regulatory process during an M&A transaction, loan syndication, or private equity and venture capital transaction. Confidential information can all be housed and shared with prospective investors as appropriate, as well as managing ongoing relationships with partners and suppliers.
During Covid-19, PE firms have had to ensure that their data rooms have additional layers of security, while being accessible to a raft of remote employees and in some instances, third parties, to maintain regulatory compliance, work collaboratively and best practice is upheld.
Enforce corporate information security standards
As a repository of company data shared with third parties, a data room is both a company asset and a source of risk to the company. It's important that, prior to implementing a data room solution, compliance teams define the importance and sensitivity of the data and manage the risk of sharing it with third parties.
Digital assets are by their very nature easy to copy and distribute, and appropriate controls need to be enforced. When choosing a data room platform, ensure that it offers features to either prevent data leaving the data room or to protect it even if downloaded. These controls need to be set up and enforced within the data room platform as part of the companies' wider information security controls.
Have the right tools available to stay compliant
Some next generation products offer encryption within documents that can be used to allow features such as ensuring that documents can only be read by the person that they are sent to and cannot then be forwarded to other parties. It's also possible to prevent documents being printed or screenshot using Information Rights Management solutions. These features can also be used to allow documents to be 'time-bombed' - for example, a PR release might only be made visible on the day of the release to prevent leaks, or documents could be made inaccessible after an NDA expires.
Managing access of third parties to the data room
Once a data room has been set up and secured then users need to be invited. For both usability and security reasons it's helpful if the platform offers integration with single sign-on solutions - so that users can use their own user-names and passwords to access the data, minimising the storage of passwords within the data room platform. Beware though - poorly setup sign in solutions can be a source of both internal effort and frustration for the parties that you're trying to work with.
Traditional data room solutions are very focused on document management - whether Office documents such as word processing and spreadsheet or PDFs such as contracts. While still extremely important, data rooms can offer much more and be used to maintain a complete record of the interactions between two companies.
With Covid-19 accelerating a wider industry trend for remote working and video conferencing, most meetings can be recorded and the data within them can be extracted for business use. Features such as saving of video meetings within the data room for later review, automatic transcription of meetings to text and synchronisation of the transcription with the video can be extremely powerful during a transaction (no more 'what was the context around that decision') and later for audit purposes.
Have an integrated data management system
When looking at a data room solution it's important to ensure that the data loaded on it is both the correct data and can be easily accessed and updated by both parties. Having a process and a system that supports simple classification of documents for release and easy transfer from internal repositories while applying the appropriate sensitivity and retention settings for sharing with third parties are valuable. Most benefit comes from an integrated system where internal systems are part of a single digital workplace.
Single service platforms are the way forward
Single service platforms such as Microsoft Teams can be used to provide this digital workspace. This allows a single set of compliance policies to be defined within the platform and that can be used across the organisation instead of having to duplicate policies within multiple different systems, making the job of compliance and security teams much easier. Creating policies around the creation of internal and externally facing teams means that there can be a clear delineation between locations where third parties can be involved, and automation developed around the movement of documents between internal only and third party accessible areas. Areas accessible only to internal users can be locked down tightly and external areas can have the appropriate sharing, download and encryption policies applied.
Implementing some, or all these practices will help the data room remain secure, compliant and accessible, in a challenging financial world going through a pandemic.