Corporate finance covers a very wide range of activities, from a small business replacing an existing debt facility, to a large organisation preparing to list on the London Stock Exchange. It’s a major area of economic activity and driver of entrepreneurship, innovation and business expansion. UK-related deals were worth a total of £216.8bn last year and it’s the high value of the deals combined with the number of people involved in each deal that make them a potential target for cybercrime.
Cyber security – the process of protecting commercially sensitive information, data and intellectual property – is a vital issue for all companies, advisers, investors, regulators and other stakeholders, whatever their size. In cyber security, you’re only as strong as your weakest link. And that weakest link can be targeted by anyone from employees and contractors to ‘hactivists’ and organised crime networks.
Cybercrime is estimated to cost UK businesses several billion pounds per year. Supported in its work by the government through its National Cyber Security Programme, the ICAEW convened the taskforce and produced the Cyber-Security in Corporate Finance guide. One clear message from the guide is to only share information with those who need it. It’s very important to guard against over-confidence within circles of trust and to question whether all information should be shared with all parties during a corporate finance transaction.The guide sets out six phases of cyber security in corporate finance.
Preparation
Even before an organisation has decided to push the button on a corporate finance transaction, senior management will be starting to gather valuable information on how best to proceed. The very act of putting this information together may let slip that a transaction is imminent to individuals best left out of the loop.
Engaging, selecting and appointing external advisers
Once a decision has been reached to proceed with a transaction, external advisers may be appointed. One of the key issues to bear in mind here is that many of these parties may not at this stage have a formal contract with the company. Therefore, information sharing needs to be carefully and thoughtfully managed.
Initial approaches
The next phase will generally involve making initial approaches to target companies, investors, acquirers and angel investors. More parties will become involved including, in some cases, competitors. Sound information management, with proper regard for security of information, becomes ever more important at this and the following stages. The information is becoming more commercially sensitive too.
Preparing information about the business
It is at this point that increasingly large volumes of information start to be shared with the various participants, such as disclosure documents, prospectuses, vendor due-diligence packs and regulator information. The flurry of activity may well alert others inside and outside the organisations that a transaction is underway. There is also the heightened risk inherent in large quantities of valuable information being stored or circulated, which only becomes more dangerous if accessed by the wrong people.
Terms of transaction
Here the level of detail will increase and the nature of the information being shared is likely to be of a highly sensitive nature. For example, there are risks faced by participants such as bidders in a transaction. There are known incidents of bidders’ highly sensitive information, such as bid prices and financing terms, being intercepted by rival bidders in a transaction even before any bid has been submitted. This is clearly damaging to the bidder and could put the transaction in very serious jeopardy.
Completion
By now there will already have been large numbers of individuals involved in the transaction. However, it may be that only during or following completion will the transaction become public knowledge. There will be heightened risk as funds are transferred to complete the transaction. The act of moving funds presents a risk of interception.
Today, all company directors and advisers need to understand, anticipate and manage cyber security risks. They aren’t just the concern of IT and technical specialists but a strategic, enterprise-wide risk. 
