Deal leaks: data protection during M&A
March 2025 | FEATURE | MERGERS & ACQUISITIONS
Financier Worldwide Magazine
Data integrity is a fundamental component of a successful M&A transaction. It is a requirement that spans the entire deal lifecycle, from the evaluation of target companies, through identifying areas of synergy, to ensuring effective integration.
Should data be leaked, however, and integrity lost, a transaction is potentially in jeopardy. In many instances, data leaks are the reason why some deals fail to get over the finish line entirely, or are only completed with a substantially revised valuation.
The reality is that M&A practitioners, in their quest to negotiate the best possible deal, may be less focused on the tools that are used to store and share confidential transactional data – both internally and externally. This can leave such data highly vulnerable to hackers with malicious intent.
“Threat actors often target companies in the midst of M&A activity, and more recently upon deal announcement, aiming to exploit the urgency of the situation, lack of integration or preparedness,” attests David Dunn, senior managing director at FTI Consulting. “During an already high-stakes time, this places additional pressure on organisations to understand the nature of the breach and the scope of the data impacted.”
“Personal data, intellectual property, confidential company data and other sensitive information may be exposed, all of which carry unique implications across legal, regulatory, reputational and financial, and can delay or even prevent the completion of a transaction,” adds Nina Bryant, a senior managing director at FTI Consulting. “A history of breaches, fines and data protection failures can potentially erode a company’s value.”
Prevalence
As a wealth of research can testify, the likelihood of a data leak occurring at some point during the M&A lifecycle is high, particularly given the range of interested parties typically involved in a transaction.
“A data leak can critically undermine the success of a transaction, potentially derailing it entirely,” says Ms Bryant. “The exposure of sensitive data, including financial details or proprietary information, can damage trust between parties, deter investors or result in regulatory scrutiny.”
According to a study by Forbes, 40 percent of acquiring organisations involved in an M&A transaction detected a cyber security vulnerability during the acquired company’s post-acquisition integration process.
“Data breaches are becoming more common within the lifecycle of the M&A process given that the success of a deal is dependent on both the investor company and the target company,” concurs Maggie Rose, vice president of client solutions at K2 Integrity. “This increases the threat landscape and potential entry points for attackers.
“As such, the cyber security maturity postures of both companies must be considered,” she continues. “Separate entities, even if in the same industry, commonly have discrepancies among key areas in information technology and governance, risk and compliance which can lead to unforeseen risks that were not previously relevant.”
Moreover, notes Ms Rose, the creation of a new entity also creates an opportunity for attackers to take advantage of reorganisation initiatives, given that many new entities are primed for distraction by not prioritising cyber security as a key issue.
Testifying to this contention is a 2023 survey by Aon, ‘Top 5 Cyber Threats To Mergers and Acquisitions’, which reveals that while 42 percent of respondents acknowledged that a failure to identify cyber security and technology risks in M&A targets could prevent a successful deal, only a quarter of said respondents cited cyber security as an important focus area for due diligence.
“Cyber security is critical to safeguarding sensitive information and ensuring the success of transactions,” argues Mr Dunn. “Ensuring robust data security measures is therefore crucial to protecting confidentiality and preserving a transaction’s integrity and success.
“Leaked transaction information may disrupt negotiations, impact deal valuation, or attract competing bidders,” he continues. “The harm caused by a leak can also have long-term consequences for stakeholder confidence and customer retention.”
Security measures
Before the commencement of an M&A transaction, dealmakers are well-advised to have in place a series of security measures to help minimise the risks of a data leak.
“The merging of two distinct companies with possibly varying information technology systems, data handling processes and regulatory requirements makes it vital for companies to consider data protection measures during the pre-investment process of the M&A lifecycle,” concurs Ms Rose. “The investor company and target company will need to integrate IT systems and other information security capabilities to ensure business continuity and align on incident response measures.”
According to analysis by MergerWare, there are a number of measures, outlined below, that dealmakers can take to help protect their company’s interests and ensure a secure M&A process.
First, identify and classify sensitive data. M&A deals involve vast amounts of data, from financial records to intellectual property and customer information. Companies should begin by identifying and categorising sensitive data, especially ‘crown jewel’ assets that require heightened protection. By knowing which data is critical and what it contains, organisations can apply more precise security measures.
Second, implement access controls. Limiting access to sensitive data is essential in preventing leaks. Only authorised team members should have access to specific types of information, and access levels should be adjusted as the deal progresses. Role-based access controls and multifactor authentication add layers of security to ensure that only the right people have access to critical data.
Third, utilise secure M&A technology. Using a secure, purpose-built M&A platform can provide the structure and tools needed to handle large volumes of sensitive data safely. These platforms often include features for data discovery, secure sharing, compliance tracking and automated access controls, which help reduce the risks of human error or unintentional exposure.
Fourth, encrypt data in transit and at rest. Encryption is crucial to protect data, whether it is stored within the platform or shared across teams. Encrypting data both in transit (while being transmitted) and at rest (when stored) ensures that even if data is intercepted, it remains unreadable and secure.
Fifth, monitor and audit activity. Regular monitoring and auditing of user activity can help identify unusual access patterns or suspicious behaviour early. By setting up alerts and reviewing access logs, organisations can respond quickly to potential breaches or leaks, minimising damage.
Lastly, conduct education and training. Data security is not just about technology, it is also about people. Training around data handling best practices, phishing detection and secure collaboration practices can help reduce the risk of accidental data leaks.
“Regulatory requirements should also be considered given that companies may be subject to different data protection and privacy regulations, and are therefore required to update policies and procedures accordingly to build a comprehensive new cyber security framework,” adds Ms Rose.
Also important to consider, in the view of Merlin Piscitelli, EMEA chief revenue officer at Datasite, is the use of a virtual data room (VDR) to share and store documents and artifacts, particularly for sensitive M&A transactions. “VDRs provide high-level security features such as data encryption, access controls and audit logs to enable secure file sharing, while also offering efficient process management,” he contends. “These measures ensure that sensitive information is protected.
“It is crucial for dealmakers to consider data protection from the outset,” he continues. “Leveraging a VDR demonstrates a high level of professionalism and preparedness, and signals to the buyer that the seller is serious about the transaction. This, in turn, cultivates a well-organised due diligence process, building trust and confidence.”
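As an added illustration (not from the article or from any vendor's product), the access control and monitoring measures above can be combined into a review of data room audit log entries against a role policy that changes with the deal phase, plus a simple bulk-download alert. The roles, phases, dates, threshold and log format are all assumptions, and the log lines are constructed.

```python
from collections import Counter

# Hypothetical deal timeline: phase start dates (ISO format).
PHASE_STARTS = [("2025-03-01", "evaluation"),
                ("2025-03-10", "due_diligence"),
                ("2025-04-01", "integration")]

# Hypothetical policy: data classes each role may open in each phase.
# A role missing from a phase has no access (deny by default).
POLICY = {
    "evaluation":    {"deal_lead": {"financial"}, "advisor": {"financial"}},
    "due_diligence": {"deal_lead": {"financial", "ip", "customer"},
                      "advisor": {"financial", "customer"}},
    "integration":   {"deal_lead": {"financial", "ip", "customer"},
                      "it_integration": {"ip", "customer"}},
}
BULK_THRESHOLD = 3  # downloads per user per hour treated as unusual (assumed)

# Constructed audit log: timestamp,user,role,action,data_class
SAMPLE_LOG = """\
2025-03-03T09:12:00,alice,deal_lead,view,financial
2025-03-03T09:40:00,bob,advisor,view,ip
2025-03-12T10:01:00,bob,advisor,download,customer
2025-03-12T10:05:00,bob,advisor,download,customer
2025-03-12T10:09:00,bob,advisor,download,financial
2025-03-12T10:15:00,bob,advisor,download,financial
2025-04-02T08:30:00,bob,advisor,view,financial
2025-04-02T11:00:00,carol,it_integration,view,ip
"""

def phase_at(ts):
    """Return the deal phase in force on the date of an ISO timestamp."""
    current = None
    for start, phase in PHASE_STARTS:
        if ts[:10] >= start:
            current = phase
    return current

def review(log_text):
    """Flag out-of-policy access and hourly bulk downloads."""
    findings, downloads = [], Counter()
    for line in log_text.strip().splitlines():
        ts, user, role, action, data_class = line.split(",")
        allowed = POLICY.get(phase_at(ts), {}).get(role, set())
        if data_class not in allowed:
            findings.append((ts, user, "out_of_policy"))
        if action == "download":
            key = (user, ts[:13])          # user plus hour bucket
            downloads[key] += 1
            if downloads[key] == BULK_THRESHOLD:   # alert once per bucket
                findings.append((ts, user, "bulk_download"))
    return findings
```

The third finding on the sample log comes from an advisor account whose access was valid during due diligence but is no longer in the policy once integration starts, which is the case that adjusting access levels as the deal progresses is meant to catch.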
Posture and culture
A vital aspect of the M&A process is that of culture management. Given the probability of a data leak occurring, it makes sense for organisations – both buyer and seller – to have a strong compliance culture in place to create a solid foundation for countering risks before they materialise.
“The culture of both organisations should not be overlooked,” affirms Ms Rose. “Implementing an employee training programme to motivate awareness as it relates to cyber security threats is key, especially as the M&A process can create uncertainty among employees.
“While it is ideal to conduct cyber-related due diligence prior to a deal, risks should be considered throughout the lifecycle of the M&A process,” she continues. “It can take a significant amount of time to properly integrate security systems and protocols, which is why it is also recommended to implement ongoing monitoring of the IT environment via monitoring tools to continuously evaluate risk.”
Another key component of establishing a strong security posture and culture is obtaining an information security management certification such as ISO 27001, which helps companies set out a framework to establish, implement, operate, monitor, review, maintain and continually improve an information security management system.
“Following data minimisation principles is important and reduces the overall surface of potential exposure if a data breach occurs,” says Ms Bryant. “Encryption and anonymisation or pseudonymisation of all sensitive data and strong risk and control frameworks are also essential.”
“Additionally, companies engaging in M&A should consider data protection risks and controls early in the transaction cycle, conducting specific and detailed security and privacy due diligence assessments pre-acquisition,” she continues. “Any companies that expect an acquisition in the near future should take proactive steps to strengthen trust and compliance to reduce data risks and prevent downstream delays.”
An M&A priority
With the growth of AI likely to increase the volume and heighten the impact of cyber attacks in the years to come, the protection of data during the M&A lifecycle should now be considered a priority for dealmakers – essential rather than simply advisable.
Indeed, evaluating existing security measures, identifying new vulnerabilities and assessing future risks is becoming more imperative than ever, particularly given the rise in M&A transactions in many jurisdictions.
“A surge in deals is automatically accompanied by a vast amount of sensitive data, which can include financial records, customer personally identifiable information, company proprietary information and trade secrets, and needs to be properly accounted for,” says Ms Rose. “As tools and technologies supporting the sharing of data continue to evolve, cyber security risks will follow suit, which will make each M&A transaction more complex than the last.”
Certainly, in many quarters, M&A deals have already attained a degree of complexity where it is now critical for dealmakers to prioritise data protection to reduce friction during the transaction process and, ultimately, protect company value.
“Acquiring companies should see data protection due diligence as key to understanding and reducing risks associated with the target company,” concludes Ms Bryant. “This includes associating the target’s data protection posture to the value of the company and the projected costs involved in remediating potential data protection issues.”
© Financier Worldwide
By Fraser Tennant