By Karen Perkins, President, V-Rooms
From expediting mergers and acquisitions (M&A) to satisfying compliance imperatives and facilitating risk oversight, technology has come to play an increasingly critical role in boardroom activities. The challenge of balancing timely access to sensitive communications with ensuring absolute information security has propelled many corporations and other global entities to rely on virtual data rooms (VDRs).
A virtual data room enables companies to globally share information securely and more efficiently. As a platform for due diligence, M&A transactions that use a data room result in 20-30 per cent higher bid values1 than traditional lock-and-key, physical data rooms and close 30 per cent faster.2
Choosing a data room that meets your needs
Organisations that rely on virtual data room technology should seek the most appropriate, capable and secure solution for their specific requirements and needs. Optimally capitalising on their secure functionality for transactions, projects and other sensitive boardroom applications requires a provider that offers best-of-class capabilities and follows best practices. An organisation’s own due diligence and internal practices when selecting and using a VDR will impact effectiveness.
Streamlined, secure sharing and storage
Simply put, a virtual data room replaces the paper-based document vault with a digital, cloud-based repository. It enables an organisation to store and selectively distribute sensitive documents potentially related to transactions and/or to the core interests of the business, where intellectual property and governance are potentially involved. Unlike general cloud storage solutions that are sufficient for the general consumer, virtual data rooms are specifically designed to meet the high standards required for corporate-level secure document sharing. They layer in additional security, significantly more reliability and features specifically designed for and demanded in critical transactions and projects, such as audit trails, compliance reports and digital rights management (DRM) with the ability to revoke document access, even after files have been downloaded to a user’s computer.
Virtual data rooms satisfy any due diligence or business transaction process where control and audit of document access are critical. They ably support M&A activities, business capital fund-raising efforts and dissemination of investor reporting information by private equity and hedge fund companies. They are also advantageous for document management associated with clinical trials, contract management and corporate projects that use external consultants. Typically, a virtual data room has a start, an end and a life cycle that tracks with a project or transaction.
Although archiving capabilities are key, VDRs are designed to facilitate secure document sharing outside of the business’ network and firewall – not for enterprise storage backup. A virtual data room is centred on protecting the client and their documents and assuring that information ownership is absolutely retained by the client. This is why consumer-based storage options are not suitable – no organisation can afford the risks associated with storage providers whose terms and conditions contain enormous legal loopholes regarding document ownership, usage and access rights.
Simultaneous virtual viewing provides time and cost savings
Clearly, a secure VDR offers distinct advantages over print-intensive, linear processes. Because it provides simultaneous access, welcoming all invited parties into the ‘boardroom’ at once, it compresses the project or deal cycle and reduces time-to-close by as much as 30 per cent. It also eliminates the costs associated with travel, such as when road shows are conducted virtually with video and PowerPoint presentations rather than flying an entire team to show prospective buyers a company.
They are also beneficial for documenting business plans, expediting negotiations, archiving transaction data and ensuring compliance with industry-specific requirements. Pharmaceutical companies frequently employ them for conducting clinical trials, using a VDR electronic trial master file that adheres to legislative compliance requirements of the Food & Drug Administration (FDA).
Maintaining readiness to respond
This accelerated process hinges on online access to these documents being extraordinarily secure, private and reliable. The data room must be fully operational whenever it is needed and easy to use. Further, it must maintain version control accuracy, ensuring that the user is delivered the latest, correct version of a particular document.
At the conclusion of a deal, transaction or project, archiving capabilities streamline the document and audit trail preservation process. Regardless of whether archiving them is required for compliance purposes, it is important to create a backup, which should be easily accomplished by the client at any time without reliance on the vendor. Indeed, archiving should always be an administrator-controlled responsibility, not a function of the VDR provider.
“A virtual data room replaces the paper-based document vault with a digital, cloud-based repository & enables an organisation to store & distribute sensitive documents”
Security imperatives
To assure secure access to and sharing of documents, it is incumbent on VDR clients to carefully research their current or prospective provider’s capabilities and practices. There are three primary layers of security to scrutinise: infrastructure, application and access security.
■ Infrastructure security Where is the provider hosting the information and what network security protocols are in place? Is there sufficient SSL security encryption? Do they provide effective intrusion and virus protection? The vendor’s capabilities at a minimum need to satisfy the security standards set forth for the corporation’s particular industry, such as, in America by the Securities Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), Federal Trade Commission (FTC) or FDA. Most companies will require a SSAE 16 Type II Certified Data Center for the infrastructure. Is there a backup and disaster recovery process for redundancy? Is the VDR vendor performing penetration testing on their application? There are many boxes to check to assure that you are relying on a highly secure VDR provider, not simply a new entrant with a shiny application and questionable infrastructure security.
■ Application security This addresses best practices relative to password management and user and password authentication. What password complexity requirements secure the application itself? Does the provider use penetration testing to ensure hackers cannot get into the application through back doors? Best practices call for the ability to offer two-factor authentication and utilise OAuth 2.0 protocol as the standard for authorising users with access across any cloud-based application. Leading virtual data room providers will also have a prepared checklist that details the security protocols and parameters used within their application and can readily address specific client requirements.
■ Access security Once the user is able to ‘enter’ the data room, what are they allowed to do? VDR clients must have granular access control to designate and easily change which users can take which actions at specific points in time. Your data room capabilities must align with the desired amount of control that can be exerted over the documents in the data room and the users accessing them. Which users can only view a specific document versus view, print and/or save? Can access to documents be revoked after documents are downloaded?
Additional valuable security-driven features to look for include:
■ Audit tracking It is extremely important to record and track activity in the data room in order to maintain visibility and control over what your users are accessing.
■ Watermarking Best practices call for dynamic watermark capabilities – a customisable imprint that displays on a document whether it is printed or simply viewed on the screen. Dynamic watermarks can tailor the information that appears and indicate that a specific copy has been accessed by a particular individual on a specific day and time and from which IP address.
■ Digital rights management capabilities The VDR’s document viewer should build in digital rights management capabilities to control offline access to documents. It allows a user’s authorisation to view, print and save documents to be revoked after the file is downloaded, such as after a deal is completed or after a deadline has passed.
Seek out robust search and reporting
Beyond security considerations, VDR capabilities should readily align with your specific project, organisation and industry requirements. They should make the data room easy to use and easy to administer along with providing detailed information on usage. Newer functionality being added by best-in-class providers further boosts efficiency by leveraging online connectivity.
■ Search capabilities It must be fast and easy for users to find the document they’re looking for in the VDR.
■ Reporting is critical Administrators must have documented audit trails, which can be satisfied by files accessed, file history and login history reports. Administrators need to know which documents were viewed by whom – when, where and how many times. They also need to know when documents were uploaded, replaced and/or deleted and by whom. In addition to users who accessed documents, a login history
is needed to reveal who logged in to the VDR but did not open anything.
■ Communication history This tracks any communications that have occurred from the application or through the application to users. Maintaining an archive of these communications is frequently essential for compliance purposes.
■ Third-party application integration Increasingly, leading VDRs are integrating other industry-related solutions, like electronic signature with their electronic document access application, accelerating the transaction or project process. It pays to ask whether the provider offers API application interface capabilities and integration with other third-party services.
■ Private-label branding This enables organisations to make the VDR an extension of their companies or offerings by allowing the VDR client to customise the look and feel of the data room with their corporate logos and colour choices.
Assure optimal usability
The data room’s interface should be simple and intuitive to use, with consistent functions and usability throughout the platform for effortless onboarding. Users should not have to undergo a training session on the application to access documents. They should be able to get their login information, click a link, enter their user name and password, reset their password if necessary, agree to the most appropriate, client-specific disclaimer upfront (another important feature to have) and be presented with the documents that are available to them in an easy-to-navigate, easy-to-access way. While administrators’ use of the application is a bit more complex, it should still be easy to upload documents, add users and identify and set the proper type of security for a document without an extended training session.
Best practices for utilising virtual data rooms
VDR clients derive maximum benefit by taking an active – indeed, proactive – approach to their VDRs. The following practices strengthen security and control of sensitive documents, while providing visibility into users’ activity.
■ Assign one or two internal company administrators to your data room to ensure that you retain control of that information. Make this a responsibility within your organisation rather than giving it up to a contractor or third party. An employee is far more invested in protecting the business they work for.
■ Monitor document access and availability. Even when they know they shouldn’t, people tend to share user names and passwords. Keeping close tabs on the audit trail should not be limited to FINRA or other regulatory mandates. Monitoring your reports reveals the login practices of the individuals afforded access. An authorised user logging in from 15 different IP addresses signals a compromised user name and password, regardless of whether the username and password may have been stolen or likely shared. Access needs to be turned off until the user has reset their password and you have reestablished control. Monitoring what users access can also help reveal any potential information leakage.
■ Keep information up-to-date and check periodically to ensure the right people have the right access. In addition to logging
into the data room as an administrator, set up and log-in as a test user. Make sure the test user can access designated materials and not others and that the user experience reflects positively on your organisation.
■ Establish naming conventions for files for better document management. If someone downloads multiple versions of the same file with a similar name, it should be clear which is the most recent version. Include the date and even the time in the files names for frequently changing documents to ensure that the most recent copy is being presented and accessed.
■ Maintain standards for user definition and user setup. Follow a consistent naming convention for user names if email addresses are not used, so that a user can be reminded of the pattern rather than requiring a lookup. For example, first-initial-last name-year.
■ Make sure that you’re using complex password requirements. A user name and its password should never be identical and the system should not allow this. Ensure that your users are resetting their password every 30-60 days at a minimum and, depending on the corporate security needed, it may need to be more frequent.
Get the most from your VDR investment
Virtual data rooms designed specifically for business securely satisfy a myriad of boardroom activities with greater efficiency, flexibility, control and compliance-driven documentation. They accelerate opportunities, save money and avoid headaches when both VDR providers and clients uphold best practices.
About the Author:
Karen Perkins is President of V-Rooms and directly managed all operational aspects of the company. She is responsible for ensuring that the product direction continues to align with V-Rooms’ core values and mission while continuing to maintain excellence in customer satisfaction.
Footnotes:
1https://www.techopedia.com/definition/24342/virtual-data-room-vdr
2https://www.accenture.com/us-en/~/media/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Strategy_6/Accenture-Intelligent-Clean-Room.pdf