Security & Sensitive Documents – Mergers & Acquisitions

mergers and acquisitions

Mergers and acquisitions, more commonly known as Mergers & Acquisitions (M&A) transactions, often involved vast amounts of money and an almost endless stream of data and documentation.

It is necessary to perform due diligence properly in any M&A transaction, and this means allowing access to sensitive documents, while also retaining a high level of security. Amazon and MGM have announced that they will enter into a merger agreement, where the former will acquire the latter’s property for around $8.5 billion. A deal of this size will involve a lengthy due diligence process that will require documents to be studied without the risk of unauthorized people viewing them.

How do banks, investors, and businesses involved in M&A transactions, control the access to sensitive files while keeping them safe? And, what happens if there are breaches of due diligence that are not performed correctly?

How are businesses able to share sensitive documents safely?

Mergers and acquisitions have been happening for years. According to one website, the first M&A deal may have happened thousands of years ago between two cavemen. Whatever the truth is, thousands of M&A transactions happen every year in the states, and the deals conducted between 2019 and 2020, were worth around $170 billion.

The importance of due diligence in transactions and accounting cannot be underestimated, and the banks and lawyers in the notorious Enron scandal were accused of not having their eyes open. The failure of so many people not to see what was happening has now led to a phrase when performing a higher level of due diligence. The Andersen Effect was named after the accounting firm employed by Enron who bit the dust due to the scandal.

With M&A deals, it is important to read and study all the relevant documents intensely. Many M&A transactions have gone wrong due to a lack of proper due diligence, but documents cannot just be allowed to be passed around either. To get the balance right between authorized access and security, companies use what is called data rooms. 

What are data rooms?

Previously when businesses were involved in an M&A transaction, they would allow relevant parties, such as lawyers, access to their files. This meant having a physical room in a secure location. Normally, this would mean there would be a file room in the company headquarters, a law firm, or perhaps the business’s bank.

While this worked in the past, it wasn’t entirely convenient. The cost of having a secure area such as this could be high, access would be limited to certain times, and geography would be a hindrance.

Many M&A deals cross continents and having one data room in a fixed location is not convenient. Also, the complexity of these deals, the money involved, and the level of due diligence performed today, means that they are no longer practical.

Now, with high-speed internet, and online security measures, virtual data rooms have largely taken the place of the traditional ones. 

Virtual data room setups

Once technology and software made it viable, virtual data rooms started to appear. Companies such as Firmex supply virtual data rooms to many famous names such as Barclays, Roche, Deloitte, and J.P. Morgan. These VDRs fulfill the same purpose as traditional data rooms did but in a very different way.

A virtual data room is an online storage facility for documents and files about financial transactions, normally M&A, but can be used for other deals too. A virtual data room can be described as being an extranet. An extranet is a website that has strictly controlled access rights that allows only authorized individuals to enter.

The two parties that have access to the virtual data room would normally be the vendor and the bidder. Each of these sides would have their own people involved in finance, data security, and legal areas, who would have access.

Access can be allowed 24/7 or it can be time-restricted. Due to its virtual nature, anyone needing to view documents can do so from anywhere in the world, as long as they have access rights. These rights can also be limited or expanded according to the wishes of the VDR’s owner.

What are the features of VDRs?

A typical virtual data room will come with a list of useful features that make tracking and controlling document access easier and secure.

Sensitive documents must be viewed in M&A deals, but not everyone in the business needs to see them, and even some of those involved may not need to see all of the documents. VDRs have the ability to limit who can see what files and information can be redacted.

The room’s owner may allow downloading and printing, or they may allow some users to only view files on the screen. Which documents and pages are viewed can be monitored and recorded so that the vendor can see what areas are of most interest.

One of the biggest features of VDRs is the security involved. VDRs are considered to be extremely secure and are trusted by the biggest companies in the world. A good VDR will be ISO certified, use digital watermarks, have two-factor authentication, and also use very strong encryption.

Data breaches can have devastating effects on M&A deals, finances, and reputations. 

What happens when a data breach occurs, or due diligence fails?

Virtual data rooms can help data breaches from occurring at all, and they provide a sophisticated way to perform due diligence. If these areas are neglected then there can be catastrophic results in an M&A transaction.

In the UK and the European Union, there are recognized data protection laws that are enforced. Individual data is protected and breaches can result in millions of dollars worth of fines. Data is valuable to businesses and hackers alike, and there have been some high profile cases such as Yahoo!

In the states it is somewhat different, there is no real Federal data protection act similar to the EU, and most laws are made at the state level. There is, however, the Data Security and Breach Notification Act which can lead to 5 years in prison if a business fails to comply.

In the case of Yahoo!, millions of dollars were wiped from their valuation during their acquisition by Verizon. The largest merger in history was between AOL and Time Warner, worth a whopping $350 billion. This deal is now taught in business schools to show how not to perform a merger.

Although security was so tight that the deal was kept secret until a few hours before it was finalized, the due diligence wasn’t so good. Failure to perform proper due diligence led to an unholy financial disaster. Simply put, AOL was valued far too high, and when the dot com bubble burst only two months later, the valuation plummeted. The documents were available, but due diligence was not performed correctly. 


In M&A transactions sensitive documents need to be accessed, and the safest way to do this is through virtual data rooms. When understanding M&A investment banking and how to succeed in it, you also need to follow certain procedures.

Due diligence must be performed, and document security is essential. Although virtual data rooms cannot make people perform due diligence correctly, they can provide an excellent platform for it, and help avoid data breaches.