Nowadays, businesses always focus on information security during operations to protect important information, maintain reputation, and bring competitive advantages to businesses. Like other activities, information security is extremely important during the legal appraisal process. In this article, we will focus on providing notes on the information security of the Seller and Buyer when performing legal due diligence for an M&A deal.
To secure business information during the legal appraisal process when carrying out an M&A deal, the Seller and Buyer need to pay attention to the following issues:
1. Establish an information confidentiality agreement
In all cases, sharing information with any party in any form to serve the legal due diligence process should only be done after the parties have established a confidentiality agreement or a non-disclosure agreement with each other. This Agreement will bind the parties to their obligations to maintain protection of Confidential Information.
It should be noted that not all information provided by one party is considered Confidential Information and is binding on the other party’s security compliance. Therefore, whether the Seller or the Buyer is in an M&A deal, it is necessary to clearly define what Confidential Information is.
The parties must also establish commitments on compliance, limits of compliance (if any), the validity period of the agreement, and related responsibilities if the information security agreement is violated and measures to prevent violations. These issues will bind and direct the behaviour of the parties.
Please note that information confidentiality agreements can be established between the Seller and/or the Buyer, and individuals and organizations performing legal appraisal services. If the Buyer transfers information provided by the Seller under a confidentiality agreement between the two parties to a third party, ensure compliance with the Seller’s commitment under the previously established agreement.
2. Determine the information to provide
Not all information is necessary or required to serve legal appraisal activities. The purpose of legal appraisal activities is to assess legal compliance and possible legal risks that may arise. It will be extremely risky if the Seller provides business data and business strategies for the Buyer or a third party to perform legal appraisal.
In addition, determining the information that needs to be provided or required also depends on the assessment of the target audience of the M&A transaction. For example, a target audience of a real estate project will have different information to provide for legal appraisal activities than a target audience of a computer software company.
Therefore, be alert and know what you need with a list of specific information with clearly divided levels of security and priorities to avoid wasting time, money, effort, and the risk of having to shoulder additional security responsibilities with unused information.
3. Take self-protection measures
Don’t completely push the responsibility for information security to the receiving party. The information provider also needs to take self-protection measures.
Nowadays, businesses often focus on using encryption tools to protect important information such as strong encryption algorithms, and only providing encryption keys to responsible persons as designated by the receiving party. This ensures that even if information is stolen, it will limit access to those who do not have the corresponding encryption key.
In addition, businesses also pay attention to building a corporate data warehouse with clear access and monitoring rights based on each person’s role.
At the same time, businesses need to apply additional authentication and identity confirmation measures before granting access to important information. Use authentication methods such as two-factor authentication (2FA) or another form of authentication to ensure that only people whose identities are confirmed can access information.
We also note that transferring information in physical form should be avoided when providing information for the legal appraisal process to avoid risks such as loss, misplacement, and leakage.
4. Monitor and supervise
One of the tasks that needs to be done throughout the legal due diligence process is to monitor the activities of the receiving party and check whether they comply with established regulations and confidentiality agreements or not. This may include reviewing access logs and checking for signs of violations or untrustworthy behavior. If there are any of the above unusual signs, the business can take necessary measures to protect Confidential Information in a timely manner such as warning, or temporarily stopping providing information when the information provision is divided into stages, access termination, etc.
Consequently, during the legal appraisal process to carry out an M&A deal, information security is the most important factor for the information provider to ensure legal rights and interests, maintain reputation and its competitive advantages. Accordingly, businesses must establish effective information security measures and violation handling mechanisms to ensure that Confidential Information is only accessed by authorized people and kept safe from outside threats.
