Much has been written about the benefits of using a virtual data room (VDR) for your due diligence process, but why do you need separate technology in the first place - could you just use a cloud storage solution instead?
It’s a fair question - like most organisations, you’ll probably be using cloud technology to manage files and collaboration. Tools commonly used in many businesses, like Dropbox, Zoom, Teams and Google Drive, run from the cloud.
Perhaps then, the simplest solution would be to use the technology you already have to manage your merger and acquisition (M&A) deals. But do cloud storage solutions have the levels of security needed to protect the sensitive business information stored and exchanged during a complex deal? Plus, are there advantages to using specialist data room technology, and can it offer additional features that are tailored to the processes dealmakers manage?
In this post, we’ll take a closer look at the pros and cons of cloud versus virtual data rooms for managing a typical M&A deal lifecycle, including:
-
What is cloud storage?
-
What are the differences between cloud storage and a data room for dealmakers?
-
Why use a data room for your due diligence process?
-
How does the security of a data room differ from cloud storage solutions?
When considering the difference between cloud storage and a data room, one of the first things to recognise is that a data room uses cloud computing too. It is a cloud-based solution that enables both secure storage and collaboration. However, a data room also offers additional features and benefits over and above publicly or privately accessed cloud technology. Before jumping into those, let’s clarify what cloud storage is and why it is so fundamental to organisations around the globe.
What is cloud storage?
Cloud storage is a computing model that enables digital data to be stored on multiple servers that are managed by a hosting company. The data is then accessed either via the public internet or through a private connection such as a virtual private network (VPN).
In practical terms, this means files and documents can be easily stored, accessed and shared on any device with an internet connection. The growth in remote and hybrid working has, in part, been fuelled by the development of cloud computing technology, offering flexibility and scalability to help companies stay agile.
The most common types of cloud computing and their uses include;
- Software-as-a-Service (SaaS) - software accessed over the internet via an ongoing subscription fee. Benefits include ease of access in multiple locations and on any device. Plus, IT resources and costs of ‘on-premise’ installation and maintenance are reduced. Examples: Google Drive and Gmail, Microsoft OneDrive and Teams, Zoom
- Platform-as-a-Service (PasS) - the systems and hardware that IT teams use to run software on. It also provides an environment for developing, testing and operating components like databases and other cloud-based applications. Examples: Google App Engine, Oracle Cloud Platform, IBM Cloud Platform
- Infrastructure-as-a-Service (IaaS) - hardware such as servers that provide virtual storage and network access. Similar to the foundations of a house on which everything else is built, IaaS creates the infrastructure for PaaS and SaaS hardware and applications. Examples: Microsoft Azure, Rackspace, Amazon Web Services
These are just some of the examples of cloud computing and the permutations of how they can work together. Aside from the flexibility and convenience of access for end-users, cloud computing also benefits in-house developers and IT teams. For those tasked with implementing their organisations' systems and tools, cloud technology means they can leave maintenance and technical updates to others and focus on strategic aspects, such as optimising workflows or planning for future needs.
According to Gartner, worldwide spending on cloud services is expected to grow by 20.7% in 2023 to a total value of $591 billion.
How secure is cloud storage?
We’ve established the usefulness of cloud technology, but how secure is it? Are confidential data and files stored in the cloud 100% safe? The simple answer is there is no such thing as a system, software application or hardware that offers total and guaranteed security. Cyberattackers are increasingly skilled at hacking any type of technology, including cloud storage, and it is sensible to assume that attacks are a question of when rather than if.
At a glance - cybersecurity in Europe
-
The UK had the highest number of cybercrime victims in 2022 – up 40% over 2020
-
In 2022, Europe had the second-highest number of attacks, higher than North America
-
The Netherlands saw the greatest rise in cyberattack victims – 50% increase since 2020
Although it is impossible to eliminate all risk, it is important to remember that the servers on which your data and documents are stored are usually in large warehouses that have limited human access. The stored data should also be encrypted, meaning it is unintelligible if it is accessed or stolen. There are other security features that cloud storage offers, too:
-
Regular and consistent backups implemented by the solution provider
-
Security updates and patching to defend against viruses and malware
-
Provision of firewalls to control web traffic accessing your network and data
These features are the basis of security for cloud storage solutions whether they are accessed over a private or public network. As such, businesses can benefit from the accessibility of data and improved collaboration while ensuring confidential information is stored as securely as possible.
How cloud computing is used?
We’ve already seen that cloud computing manages file and data storage. However, it has many other uses and applications too.
Big data and analytics
In a business context, collecting and storing ‘big data’ can be done with ease with cloud technology. Gathering data on customer and sales trends from diverse sources such as social media, transaction processing, emails, customer databases, and mobile apps is straightforward for cloud technology. The insights it can generate are invaluable for dealmakers evaluating a prospect or when building a case for a sale or merger.
Big data is defined as larger data sets that are too complex or varied for traditional software to manage. The data comes from distributed sources across an organisation in increasing volumes, revealing trends and patterns that offer greater statistical insight.
Continuity and disaster recovery
Imagine for a second that a cyberattack on a manufacturing company is underway. A data breach could compromise the data held, including personal information such as email addresses and telephone numbers, which could lead to identity theft. Alternatively, confidential information relating to patents or products could be accessed and stolen.
The impact would be far-reaching, potentially stopping production, preventing employees from accessing critical systems, and impacting sales and brand reputation. Having a disaster recovery plan in the cloud allows a business to create a replica of data, systems and processes that can be deployed quickly to resume normal functions and help reduce disruption.
Archiving
For files and data that do not need to be accessed regularly, cloud storage offers a simple and effective method of archiving information. Archive databases are especially useful for storing information needed for regulatory compliance or for managing data and documents after an M&A transaction has closed for example.
Now that we’ve looked at what cloud storage is and how it can be used, let’s consider how the same technology powers the functionality of a data room.
What is the difference between cloud storage and a data room?
A data room is built using the functionality of cloud computing. It is an online environment for storage, distribution and collaboration, most often used to facilitate complex negotiations and the due diligence involved in M&A transactions.
A virtual data room (VDR), also known as a deal room, is a secure online repository for document storage and distribution. It is typically utilized during the due diligence process preceding a merger or acquisition to review, share, and disclose company documentation.
Investopedia
Therefore, while a data room is used for storage in a similar way to a standard cloud solution, it is the nature of the outcomes related to that storage that raises the stakes. As a result, one of the critical aspects to consider when looking at the differences between cloud storage and a data room is ensuring an appropriate level of security.
Advanced security should come as standard
Since a data room contains vast amounts of the most sensitive business documents, many of which are to be shared with external third parties and accessed via different networks, the impact of a data leak or document loss could be catastrophic.
At worst, information being accessed without limits and control could derail a deal entirely but also expose the organisation to every other risk associated with a data leak or loss. But even if that situation is avoided, information in the hands of the third party at the wrong time could mean they have additional leverage in negotiations when you least expect or want them to.
Data rooms use enhanced security
Compared to traditional cloud storage solutions, data rooms utilise enhanced security protocols that are critical to large or corporate institutions involved in complex M&A transactions.
When choosing a data room solution, however, we recommend you look for a combination of security aspects. Some are principles and actions hardwired into the development of the data room, and others are features of the data room itself that affect how it is accessed and used. At Admincontrol, for example, we adopt the security measures we believe are essential to every data room, including:
Certifications and complianceSOC 2 (System and Organisation Controls)
SOC 2 reports are issued by third-party auditors. They independently evaluate the effectiveness of a data room provider in managing the security, availability and integrity of a system or tool that stores and processes confidential data. Since the evaluation runs over a continuous 12-month period, the audit is comprehensive and requires ongoing monitoring and reporting to maintain active certification.
ISO 27001:2013
As an international standard, ISO 27001:2013 establishes best practices for secure information management, and its main purpose is to ensure the risk of data breaches is reduced. Like SOC 2, audits are conducted by a specialist independent third party.
Additionally, since it governs good data security, it also creates a foundation for compliance with privacy laws such as The General Data Protection Regulation (GDPR). These privacy regulations and their equivalents are applicable across the European Union (EU), the UK and the European Economic Area (EEA).
Penetration testingPenetration testing is performed by third-party specialists who are commissioned to look for security vulnerabilities or flaws in software or other applications. The tests will include simulating a cyber attack and looking for weaknesses that could be exploited by cybercriminals to access confidential data. The results enable developers and solution providers to fix any problems before an application or product is released to customers.
User permissions, encryption and two-factor authentication
By their nature, data rooms will have many different people accessing the documentation stored within them. Of course, a good number of those people will be from external organisations, including third parties involved in the potential deal as well as external consultants such as legal counsel and financial advisors.
The additional complexities of controlling access by internal and external parties, and given the confidential context of an M&A, mean that layers of permissions and control are vital in a data room.
Naturally, data must be encrypted both during transfer to or from the data room and when ‘at rest’ - meaning when it is idle and stored but not being actively accessed. Data rooms encrypt data at all times, including at rest, and while most reputable cloud storage solutions also offer the same, there can be some variances depending on the provider.
Besides protecting the data and documents, data room solutions also offer simple but highly effective ways to manage who can log into that data room through two main features.
The first is two-factor authentication (2FA) which requires two separate steps of self-identification during the login process. Once a username and password have been entered, a unique code sent by SMS to the user’s mobile device must also be provided - very similar to how many of us log into online banking and other confidential online accounts.
Next, once access is granted, another layer of protection applies in the form of user permissions that can be controlled by the data room administrator. This means that some users can be assigned higher privileges than others, so information access is limited and controlled at all times. Although access can, of course, be managed to data stored in a traditional cloud solution, a data room provides greater flexibility since user permissions can be based on role and tasks and not only access. For example, they may be granted permissions to read data but not download or print it. Or they may only have access to certain folders, a feature that is not offered by standard cloud solutions. User permissions and folder access are especially relevant when inviting an external third party into the data room to help safeguard sensitive information.
Additional complexities of controlling access by large numbers of external parties, and in the context of an M&A, mean that layers of permissions and control are vital in a data room.
So far, we have looked at some of the different types of security a data room requires to keep highly sensitive information safe and secure. We’ve seen how a combination of critical elements working together is further enhanced by granular access permissions making it simple to automatically grant or deny access to the entire data room or specific documents within it.
A more efficient deal lifecycle
When considering the difference between cloud storage and a data room, it is important to look beyond the enhanced security a data room provides and to understand how it also supports the specific tasks undertaken during due diligence and a deal’s lifecycle. Many of these tasks are time-critical but admin-heavy, creating time pressure that can slow down deal progress or even lead to deal abandonment.
Huge quantities of documents must be uploaded to the data room but also read and evaluated with points for discussion noted and raised. There will undoubtedly be an array of contracts that require reviewing by legal counsel- employment contracts, legal documents relating to patents or trademarks, complex financial statements, and forecasts are just some examples.
Some of the information in these documents will need to be redacted, and trawling through large documents to find instances of a specific word or phrase to block it out manually takes up huge amounts of time.
Someone needs to keep track of and actively manage the many tasks associated with a deal - from reviewing documents to requesting clarification from the other party. Assigning and chasing up tasks is another time-consuming administrative task that can deflect from progressing to the terms of an agreed deal.
Of course, on paper, there are a vast number of tools that could be used for this, and some might already be used by the deal team - email, spreadsheets, and Dropbox or Google Drive, just as a few examples. A sensible question to ask, therefore, is why can’t I just set up a data room in Google Drive or Microsoft Teams?
Well, the answer is simple. Setting up a data room in Microsoft Teams, Google Drive, Dropbox, or any other cloud storage solution is not really possible simply because this type of software is not a data room. While they can provide secure storage, they don’t offer the additional features of a data room that efficient dealmakers need.
Well, the answer is simple. Setting up a data room in Microsoft Teams, Google Drive, Dropbox, or any other cloud storage solution is not really possible simply because this type of software is not a data room. While they can provide secure storage, they don’t offer the additional features of a data room that efficient dealmakers need.
Tools exclusive to data rooms
In a data room, every aspect of a deal lifecycle works alongside each other; project communications, Q&As, document redaction, and task management are all managed within the secure environment of the data room. Since dealmakers are not bouncing from one piece of software to another, this not only reduces the risk of a data breach or leak but also speeds up processes and tasks.
Many data rooms also include artificial intelligence (AI) tools that use machine learning technology to automate the review of large quantities of information. This helps remove a laborious and time-consuming task for dealmakers. Since finding potential roadblocks to a deal often falls to external legal counsel, the associated costs of their time can be saved, and the whole process made less manual and more efficient. Once the AI tool has flagged up content during the first stage of this process, it can then be further reviewed by a legal expert, so they are using their expertise on the issues that really matter.
Automatic indexing of folders is another feature of a data room and something you won’t get from standard cloud solutions. During the set-up of the data room, administrators can customise the folder structure to suit their requirements. Given the large quantities of information held in a data room, this helps users find relevant folders more quickly and keeps everything organised throughout the deal lifecycle.
Setting up a data room in Microsoft Teams, Google Drive, Dropbox, or any other cloud storage solution is not really possible simply because this type of software is not a data room. While they can provide secure storage, they don’t offer the additional features of a data room that efficient dealmakers need.
In summary, the varied tools and features built into a data room are a differentiating factor that set data rooms apart from traditional cloud storage solutions. Using a data room for your due diligence process means the technology takes care of the administrative burden leaving you to focus on the bigger picture - the outcome of which really can make or break a deal.
While cloud storage has many benefits for dealmakers, it should be seen as the foundation that enables a powerful data room with its many additional features and benefits rather than the end solution. Using a data room for your due diligence helps keep deals on track, safeguards sensitive information, controls access and activity at a granular level, and takes care of numerous manual tasks involved in a deal.