The evolution of virtual data rooms in M&A



FW speaks with Justin Tinker, Marketing and Business Development Director at Imprima Group, about the evolution of virtual data rooms in M&A.

FW: What factors account for the increasing use of VDRs in the M&A process? For example, how do VDRs help vendors, as well as potential buyers, reduce costs during the M&A process?

Tinker: The increased capabilities of VDRs, thanks to technological developments, have created powerful platforms on which mergers and acquisitions can be managed. VDRs are no longer just used for due diligence processes; rather, the platform has often become a medium for conducting the entire deal course itself. Audit trail functions can track access from different parties and be used to assess the potential buyers. Those interested buyers can also pose questions securely and confidentially through the VDR to the seller, helping to develop relationships between those involved in the deal. Beside these additions, the more fundamental functions of a VDR – editing of documents, different levels of secure access for different stakeholders, intelligent file indexing, and so on – have all been developed, expanded and refined over time. Access through smartphones and tablets is now possible, allowing secure access 24/7 from anywhere. The combination of these improved functions creates an efficient and more beneficial acquisition procedure, leading to a ‘better’ price as parties understand the positions of each other and proceed accordingly. This assessment also allows the seller to quickly come to a conclusion on who is the most appropriate buyer. Finally, the resources required to conduct an acquisition through a VDR are smaller than ever before. The efficiencies created by constant access and assessment theoretically lead to a shorter time required to complete a transaction. This is not a hard and fast rule, but is likely to account for the majority of modern VDR experiences.

VDRs have revolutionised the due diligence process for M&A deals and related transactions within the financial and legal sectors over the past 10 years.

FW: Have VDRs significantly altered the due diligence process for M&A transactions? Do they allow parties to balance speed and efficiency with depth and thoroughness when it comes to analysing the information available?

Tinker: VDRs have revolutionised the due diligence process for M&A deals and related transactions within the financial and legal sectors over the past 10 years. Allowing interested parties to securely view confidential information in a variety of file formats, begin discussions via Q&A’s and manage updates within one platform, has all helped to speed up the deal process. This in turn has reduced overheads, saved time and improved the bottom line. With security being one of the key requirements – most leading VDR providers utilise 256-bit encryption to secure data – enabling more and more financial service companies to extend the benefits of data rooms within their core day-to-day business, turning them into corporate repositories to be utilised for ongoing collaboration and information sharing purposes. This extension of VDR technology outside of the M&A deal process, and in the process utilising its functions for a wide range of collaborative work, has proven a popular decision amongst banks, law firms and within corporate and enterprise organisations. The advancements available have meant that the secure sharing of and access to confidential files, or cloud storage for more generic file keeping and communication, has moved out of the internal IT department and into a flexible, dynamic environment. With changes in legislation and the continued recovery of the economy resulting in more financial transactions being executed, making the most of this cost effective, collaborative technology will enable continued growth and improved returns.

FW: Are there any particular risks or challenges associated with using VDRs?

Tinker: Data security is naturally the number one challenge associated with VDRs in the current climate. The technology is used to share some of the most confidential information in the corporate world, so must be of the highest grade possible. This challenge is most clearly noted by the difference between US and EU VDR operators. The USA Patriot Act, which came into force in 2001 and was further extended in 2011, does not protect business records based in and transferred within the United States from access by US government agencies. Compare this to the Data Protection Directive introduced by the EU, which established a comprehensive data protection law for all member states, ensuring that any client data physically stored within the confines of the EU through an EU controlled company is protected from outside intrusion. The crux of the matter is that once an outside organisation becomes involved in viewing and assessing this data, can its integrity be assured? The short answer is no. So the challenge for VDR users is ensuring that the technology they are using protects their data to the highest degree.

FW: To what extent, and with what level of success, do you believe VDR providers have tackled the issue of cyber security, which is a major concern given the sensitivity surrounding M&A documents?

Tinker: Cyber security is a key concern for VDR providers and their clients involved in mergers and acquisitions, due to the highly confidential nature of the information, such as pre-IPO due diligence reviews, bankruptcies and restructurings, audits, proprietary intellectual property and fundraising initiatives. Cyber security threats are growing in many new forms that were previously unknown. Threats capable of compromising online security have significantly increased and become more sophisticated in terms of ability, coming in the form of anything from viruses, worms, Trojan horses, phishing, various forms of advanced persistent threats and social engineering. There is a need to implement innovative and sophisticated technologies to protect against various types of security threats, especially in today’s climate where recent events such as the Heartbleed vulnerability highlights the constant threat we face. VDR providers need to be vigilant against cyber security threats and ensure that they follow best practice and procedures to mitigate potential threats. The unauthorised access or disclosure of sensitive information can have significant economic consequences. It is important that strong data protection and cyber security practices are in place. At the very least most, if not all, VDR solutions should include the following. First, strong username and password control to prevent unauthorised users from gaining access. Second, end-to-end encryption using Secure Sockets Layer (SSL). Third, document encryption. And finally, deterrence features, such as watermarking all documents on the computer screen to prevent photographing or printing of sensitive data.

FW: What advice can you provide on structuring and setting up a virtual data room? What variables need to be considered at this stage, to create a robust platform that meets buyer and seller needs?

Tinker: Keep it simple. The easier it is for a user or potential buyers to navigate the data room, the quicker and easier the process will be. This will mean less support questions from users and fewer delays to the process. If there are multiple entities involved, separate them and clearly mark out the main areas of your business. With state-of the-art platforms it is possible to create the structure on your computer with folders and sub-folders and then upload the information quickly and easily to the data room via the ‘drag and drop’ functionality. Those that offer project management can provide and create an index on your behalf. When looking to delegate this area, ensure you choose a provider with extensive experience in data room management – who should also be able to provide an index template if needed. Some full service offerings include assistance in initial data room builds and with the creation of the structure. Those that specialise in M&A due diligence can also include a comprehensive questions and answers area to ensure that all communication is encrypted with a full audit trail. Confirm whether a provider has this functionality and a variety of search methods to make life easier for users, namely: the date a file has been made available for users, the title of a folder or document, and words inside the text of the document. Lastly, consider what kind of permissions you would like your users to have. You can hide the documents until later in the process, and then choose to make them visible, printable or saveable.

VDR providers need to be vigilant against cyber security threats and ensure that they follow best practice and procedures to mitigate potential threats.

FW: In what ways have the functions and service offerings of VDR platforms evolved over the years? How do today’s systems compare to those available five years ago?

Tinker: Over the last five years, we have seen the use of VDRs evolve very rapidly. Clients are using VDRs much earlier in the life of a transaction and are even using them internally between advisers and sell side clients to prepare documents before initiating discussions with potential investors or bidders. This shift in the role of VDRs is driven by the positive experiences that advisers and clients have had with the convenience, simplicity and functionality of the main platforms and with their satisfaction and trust in the level of service provided by the VDR specialists. VDRs have extensively evolved over the years and have slowly changed the way we work by offering tools to facilitate content management, workflow, collaboration and analytics. In addition there’s more added security, customisable workflows and intuitive user interfaces and today’s systems are more focused on improving the end users’ experience. Ease of use is just as important as security. VDR providers have also embraced the mobile market by offering native or browser responsive UIs. Five years ago, before the rapid advancement of today’s browsers, VDRs were limited in what they could offer in terms of plug ‘n’ play for the end user. The experience was cumbersome for users since they required special plug-ins to view or upload content. Advancements in browser technology with the introduction of HTML5 have enabled VDR providers to evolve their platforms into user friendly, plug-in free platforms without compromising on security and features.

FW: Are all VDRs the same? If not, what are the key differentiators?

Tinker: The underlying service that each provides is very similar: a repository for documents and information. Yet there are major differences with regards to the service on offer as well as the security provided. Service often ranges from the very basic – access to a system with no customer support, training or induction – to full service offerings with access to 24/7, 365 days a year support. Users have dedicated teams on call to solve any and all problems, as well as format and update data within the data room. The security on offer can be equally varied, with some providers opting to apply security only to the service itself, with some vendors certifying the entire organisation, ensuring both processes and staff are accredited to the highest standard.

FW: What can a VDR provider do to support a transaction before or after the actual investor due diligence?

Tinker: Before the investor due diligence, the VDR provider should start by organising a ‘kick-off’ meeting with the project manager to establish the current ‘status’ of documents, whether electronic or physical. Then, they should first establish a critical path of getting from A – the current state of documents and index – to B – a well structured VDR to be handed over to the deal manager – within the expected timeframes. Second, provide the digitalisation services, dealing with the physical documents and scanning for optimal VDR user experience. Third, advise on best practices as to how to name, number and structure documents- for example, if there are many different subsidiaries, a unified naming process is useful. Also, chapters listed geographically or per business area, for example. Fourth, centralising the document collection process can be done into a dedicated email address or into an empty room later to be converted into the due diligence data room. Fifth, quality controls should involve checking the quality of what the client supplies, by checking each document and not just uploading what is received. Sixth, optimising files involves reducing the size of files delivered due to inappropriate scanning or saving settings. Finally, using virtual data rooms for VDD purposes so the working group can have a central repository to agree on what documents will actually be disclosed during the due diligence. This should be priced differently giving the client flexibility ensuring that charges are not on a page price basis during the ‘build phase’. After investor due diligence, the VDR provider should provide archive copies in standard or bespoke format from any user view after the deal has closed. There is also an option to continue the data room as a permanent platform for reporting purposes or with a view to a further transaction. Due to less activity and usually only internal usage, a reduced monthly or yearly fee can be expected. Reactivation of the data room from an archive copy at any time after the initial deal is closed – with a guarantee that this can be set up again within 24 hours. Finally, there should be a project review to evaluate what went well or not and discuss optimised services and processes with relevant pricing.

Enabling quick, secure access to information, whether via conference call or virtual data room, is pivotal to ensuring that deals continue to completion with confidence.

FW: Given the rise in litigation associated with corporate transactions, how can VDRs assist with managing the legal, regulatory and compliance issues faced by a company and its D&Os?

Tinker: The dialogue opened between interested parties about a highly confidential corporate transaction is now structured, secure and held for compliance post deal. This ensures all parties involved are completely clear with the deal process and outcome, minimising the potential for post-deal litigation while also maintaining an in-depth record of exactly what happened.

FW: Do you believe the advent of VDRs has actually helped to facilitate M&A activity? What does the future hold for this service offering as part of the M&A process?

Tinker: For a merger or acquisition to be successful, both parties must be empowered to access the information they need when they need it. Developments in VDR technology have made this process much easier. There are the little things we already take for granted, like the ability to have a video conference call across continents between the two boards of cross-border merging companies. The more technical aspects of the deal process have also been made easier, such as the process of due diligence. This process used to involve a locked room replete with sensitive documents and guarded 24/7. These days, the technology exists to enable companies to allow access to confidential documents to a chosen few in a highly secure environment. Enabling quick, secure access to information, whether via conference call or virtual data room, is pivotal to ensuring that deals continue to completion with confidence.


Justin Tinker graduated from the University of Wales Cardiff, and worked in sales and sales management positions for BPC Oyez and Imprima before becoming Sales Director of Imprima in 2006. During this time he worked on the project management of the documentation involved in the Rights issues and merger of HBOS and Lloyds, and large transactions for many global entities including Santander, Morgan Stanley and Bank America Merrill Lynch. Mr Tinker also works with global corporations in providing virtual data room solutions for their bespoke needs. Mr Tinker was appointed as Marketing and Business Development Director in 2012 and is currently involved in the strategy, vision and marketing for Imprima and its products within Europe. He can be contacted on +44 (0) 20 7105 0321 or by email:

© Financier Worldwide


Justin Tinker

Imprima Group

©2001-2019 Financier Worldwide Ltd. All rights reserved.