
Overcoming compliance hurdles in M&As

Cybersecurity M&A

As compliance issues become embedded into the due diligence process, especially for cross-border transactions, dealmakers face a growing set of challenges to avoid delays and deal abandonment.

17 August 2023
Written by Mari Nygaard

 

High-profile cases highlight the impact of compliance on deal success. One example is the failed merger between Aon and Willis Towers Watson in 2021. The deal, valued at $30 billion, faced regulatory scrutiny from multiple jurisdictions, ultimately leading to its abandonment.

In another case in 2021, the UK Competition and Markets Authority (CMA) cited concerns about the acquisition of UK-based semiconductor chip manufacturer Arm by US competitor Nvidia. Despite Nvidia committing to a behavioural remedy, the regulator remained unconvinced, and the deal was later abandoned due to 'significant regulatory challenges'. 

According to McKinsey, 14% of deals over €1 billion are cancelled due to regulatory and compliance issues, with an impact that can reach beyond the deal's failure. McKinsey cites a negative effect on reputation and share price for the parties involved. There may also be termination fees and the costs of advisors to cover.

The impact of poor compliance is, therefore, significant and warrants a proactive and timely approach. However, antitrust issues are only some of the compliance hurdles to overcome. Managing large volumes of data that go hand in hand with a transaction is an increasingly complex process that can also fall foul of regulators. 

While privacy regulations such as GDPR and UK GDPR are designed to protect personal information, data privacy implications become far more complex during an M&A. In fact, poorly managed data is one of the reasons why the legal advisory firm Rödl & Partner believes 'the significance of compliance in M&A transactions is often underestimated or not appreciated at all.'

The pressure to complete deals quickly while ensuring the legal processing of vast volumes of data during due diligence has intensified. Therefore, navigating consent, transferring information to a new data controller and streamlining data systems are all issues to address early in compliance due diligence.


Staying ahead of regulatory changes

In October 2023, the notification period for the EU Foreign Subsidies Regulation (FSR) came into force, creating a mandatory requirement for wide-ranging data and information to be stored and provided for scrutiny on demand. 

Passed into EU law in January 2023, the regulation aims to reduce the impact of competition distortion by foreign subsidies. The FSR outlines a mandatory notification and approval process for significant EU public tenders and company acquisitions. 

‘Under the Regulation, the Commission will have the power to investigate financial contributions granted by non-EU governments to companies active in the EU. If the Commission finds that such financial contributions constitute distortive subsidies, it can impose measures to redress their distortive effects.’

European Commission

The regulations will apply to transactions where an acquired or merged company creates a turnover of €500 million or more, at least €50 million of that generated by foreign financial contributions outside the EU. 

Additionally, the EU is planning changes to the foreign direct investment (FDI) control that screens the security risks associated with investment transactions. Applicable since 2020, FDI gives the European Commission powers to review private sector transactions. 

For both pieces of legislation, waiting for approval and managing the outcome of a decision by the Commission will add time to the deal lifecycle and demand additional expertise and resources. Significant amounts of data will also need to be supplied.

For example, in the case of FSR, information going back three years may be required, including contracts, tax incentives and grants of exclusive rights.

Managing large volumes of data

Storing and producing company-wide information going back several years in a format suitable for regulatory review means utilising tools designed to securely manage vast amounts of data. For example, preparation portals are fully functioning virtual data rooms that a deal team can use to upload, store and organise data and documentation. 

Preparation portals are perfect for meeting other aspects of compliance requirements, too, as they have enhanced levels of security compared to standard cloud storage. They also offer all the usual benefits of a data room and differ only because a third party, i.e. a prospective buyer, has not been given access. 

Opening a preparation portal at the very start of a deal lifecycle helps dealmakers stay on top of compliance, privacy and security requirements and feeds into the wider due diligence process further down the line. Plus, with artificial intelligence (AI) taking the strain of document review, dealmakers can use automation to quickly sift through information folders to locate specific data that might be needed for compliance purposes. 

In fact, our own research shows that data rooms are increasingly used as a business-as-usual storage and collaboration platform. The nature of a data room’s functionality and its advanced security features help protect valuable information from cyberattacks and enable businesses to meet the obligations of GDPR. Data is encrypted and stored securely with limited human access, with audit trails verifying data management processes. 

Data rooms can therefore perform a vital role in demonstrating to regulatory bodies and other parties in the M&A transaction that compliance matters are being prioritised and met. Ultimately, this approach can help overcome possible delays or objections that may surface during due diligence. 


Using a clean room

For information considered highly sensitive and where it is necessary to limit access to as few people as possible, a clean room is another tool dealmakers can rely upon to prevent compliance roadblocks. 

Taking its name from a physical space kept pristine and free of outside influence in the technology development process, a clean room in M&As is a data room within a data room. It utilises even stricter security controls, and access is restricted to a minimal number of users, known as the clean team. This smaller team, often only the advisors to a buy-side team, will analyse the information provided and present aggregated data to their client. This protects individuals' identities and personal information that may be referenced and ensures that sensitive information, such as trade secrets, cannot be revealed.

Of course, sharing trade secrets before a deal closes is undesirable, but a certain level of sharing has to happen for a deal to progress. However, antitrust regulations also stipulate that the negotiating parties should not provide or receive information that may lead to anti-competitive practices or price fixing. A clean room can help a seller share safely and in a controlled manner while also complying with regulatory obligations.

Enhanced security is non-negotiable

For data and clean rooms, data and user access security is paramount. Sellers and buyers need confidence that each party can only access information, documents and data that are essential to their role in the transaction.

It’s why data room technology is developed with advanced security features when compared to standard cloud storage solutions. For example, regulatory bodies and the other side of an M&A deal expect data handling to comply with best practices designed to prevent cyberattacks. Providing evidence of cyber security is necessary as part of cyber due diligence. A data room can support this during a deal lifecycle and at any time when data needs to be stored or shared. Since a data room encrypts data in storage and during transfer to other parties, it also provides an ultra-secure environment for business-as-usual purposes. 

Controlling user access to the data room is another way of illustrating compliance on cyber and privacy issues. Data room administrators can control access at role level and manage who can do what once inside the data room environment. Additional login checks, such as two-factor authentication (2FA), also contribute to enhanced security measures to help avoid problems that can slow down a deal.

Similarly, a data room software provider's approach to developing, testing and maintaining their technology is subject to stringent security requirements. Penetration testing and quality assurance certifications are essential to look for, as they help ensure the software provider takes a proactive and independently audited approach to continuous improvement. Ultimately, all of these features, processes and principles combine to create an environment that supports deal progress and helps to overcome compliance-based hurdles.

In summary

In the fast-paced world of M&A transactions, compliance has become a critical factor that can make or break a deal. Regulatory bodies scrutinise transactions more closely than ever, and data privacy regulations have become increasingly complex. 

However, as antitrust, foreign investment and data laws continue to evolve, successful dealmakers must proactively address compliance issues early in the deal lifecycle. Doing so, alongside leveraging the power of data room technology, minimises compliance-based delays so that barriers to a successful deal are navigated more efficiently. 
