In a new report (32-page / 800KB PDF), the trade body said that businesses involved in such transactions need to treat cyber security as "a high priority". This is because the information shared between parties involved in finalising corporate finance deals, such as company executives, treasurers, advisers, financial institutions and investors, may be attractive to criminals, it said. The information being shared might include intellectual property, financial data or sensitive information about contracts, for example.
"The large volumes of information shared in the process of completing a transaction and the number of people involved in every stage of a transaction are greater than in the course of ‘normal’, business-as-usual operations," the ICAEW said. "These factors heighten the risk of cyberattack, the compromise of a firm’s networks, systems and data. At the same time, corporate finance transactions can involve types of information that are potentially very attractive to cyber criminals, competitors or counterparties in a transaction."
The ICAEW warned that a successful cyber attack could cause damage to businesses' reputation, a loss of customers, financial loss and a disruption to business operations, among other possible consequences.
"As custodians of large amounts of sensitive information about the activities, strategies and financial details of many companies, the corporate finance community is seen by those with malicious intent as a deep seam of information waiting to be mined," it said. "It is important to guard against over-confidence within circles of trust and question whether all information should be shared with all parties. In addition, a weak link in the security of any of the parties involved, whether internal or external, can easily be exploited by those with malicious intent."
ICAEW said that there had already been examples of information being compromised during corporate finance transactions. It suggested a number of measures companies should take to protect themselves from losing data.
Companies should be aware that the gathering of information to help inform decision making around potential corporate finance deals might alert others to the possibility of a transaction taking place in future, the ICAEW said. Controlling who is privy to this information gathering exercise and even separating the data from day-to-day IT systems are things businesses might want to consider doing to reduce the risk of attack, it said.
"The very act of putting this information together may alert others that a transaction is imminent if information regarding this transaction is not secured," the organisation said.
When the information is being shared outside the organisation, such as with advisers, businesses could check what information security standards those third parties conform to, the ICAEW said. It also said that the corporate finance community should seek to understand which data being shared is confidential or commercially sensitive and, where appropriate, an incident response plan should be created.
The parties involved in corporate finance deals should put in place confidentiality agreements, should ensure that only a limited number of people can access the data being shared, monitor the access, and further consider whether it is practical to share the information via "a secure data store that is separate from the organisation's usual IT systems or mobile devices".
Among the other measures suggested, businesses conducting a finance auction should consider requiring prospective investors to submit bids offline, the trade body said.
"No organisation is immune to the challenges posed by cybersecurity," the ICAEW said. "As with any risk, the key to effective management is identifying and understanding the threats, understanding the level of the risks involved and putting in place security measures that are appropriate and proportionate to those threats and risks."