CapLinked has launched a new security feature for its virtual dataroom, ‘FileProtect’, which can revoke access to documents shared with outside parties, even after they have been downloaded.
The goal of the new FileProtect security feature is to extend document controls (Document Rights Management or DRM) beyond the boundaries of the virtual dataroom.
Within the secure environment of the virtual data room, user access is already limited and user rights can be assigned on specific documents or folders. These rights can include preventing the user from opening, copying, printing or downloading a file. And when users do have these rights, they can be revoked at any time, for instance when their involvement in a transaction ends.
However, once users can download a document, there are in principle no technical limits to what they can do with it. And despite legal protection, probably in the form of a confidentiality agreement, technical assurances are sometimes desired to control access even after the document has been downloaded. FileProtect enables just this: it is a way to revoke access and block opening, copying, and printing of Microsoft Office and Adobe PDF files even after they have been downloaded. This can be when the transaction ends or when a pre-set deadline passes.
Best of all for us at Dataroom Review is that FileProtect works without plugins that have to be installed on the end-user computer. We’ve never been fans of plugins, as these are notoriously difficult to install in managed IT environments (such as those of law firms, accountants, banks and many consultancies). By adding post-download DRM to documents without requiring local plugins, CapLinked reaffirms its intention to innovate and offer plugin-free security, and earns our appreciation for doing so.
CapLinked’s FileProtect delivers powerful protection with ease-of-use. Security doesn’t have to come at the expense of the user experience.
Versions is a new feature of the Firmex VDR that gives users easy access to the most recent version of a document, while keeping older versions as well.
We’re seeing innovation in the VDR industry by integrating workflow and collaboration features into the base secure document sharing platform. Some of the other dataroom providers have been adding similar features for managing multiple versions of the same document, and Firmex certainly tries to stay ahead of the curve in terms of features and usability.
“We’re very excited about this new feature,” said Firmex CEO Joel Lessem. “It will bring a new level of ease and organization to the deal making process, and help our customers succeed.”
By offering a ‘private label’ or ‘white label’ version of their virtual dataroom, V-Rooms opens up its platform for investment banks, investors and other professionals to offer a secure file sharing platform in their own branded style, name and logo. V-Rooms claims this will also make the platform more attractive as an investor platform, for instance for private placements, or for clinical trials in the medical and pharmaceutical industries.
V-Rooms is a US-based virtual data room provider with competitive pricing. The V-Rooms Virtual Deal Marketplace (VDM) is integrated with WuFoo forms, and the company plans to add more integrations to automate workflow and processes.
In December 2014, a major incident involving theft of M&A data led to increased concern for data security in M&A. Dataroom providers and especially users should increase their awareness about data security.
On the 1st of December 2014, security company FireEye reported that a highly sophisticated group of hackers dubbed ‘Fin4’ has been stealing confidential M&A data from nearly 100 publicly traded companies or their advisory firms.
See the full video report from Bloomberg below (full credits to Bloomberg’s article “Hackers With Wall Street Savvy Stealing M&A Data”).
The news comes as a shock to the industry. While information leaks and insider trading have been around for a long time, the elements of this attack are as yet unseen. Read the specifics below.
Confidential information was stolen, specifically non-public information about merger and acquisition (M&A) deals and major market-moving announcements of publicly traded companies.
No details were released about the companies that were targeted. In the past however, attacks often targeted the healthcare and pharmaceutical industries where stock prices can make significant swings on news of mergers, clinical-trial results and regulatory decisions.
Why would hackers want to access confidential M&A data?
Presumably the information was stolen for the purpose of insider trading, gaining an unfair advantage in the stock market by using non-public information.
This insider trading could have been done by the hacker group directly trading in the affected stocks, or perhaps by selling the information to others. It is unknown if professional investors or hedge funds might be involved.
However, other motives are also possible, as this type of information can be valuable in various scenarios. One possibility is that the opposing sides of merger negotiations would want to gain insight into the other side’s strategy. Similarly, a bidder in an M&A auction might want knowledge about competing bids. There is no way to tell at this stage.
Who is behind these attacks?
The unknown group of attackers dubbed ‘Fin4’ by researchers at FireEye are not your typical assailants. In the past, hacker attacks often originated in Asia or Eastern Europe, but not this time.
The hackers are native-English speaking, probably US-based or possibly Western European. The group has a clear background in the financial industry, probably from having worked (or still working??) on Wall Street. They show extensive industry knowledge and know the nuances of financial sector regulatory and compliance standards. In short, this is an attack by financial industry insiders.
Fin4 is believed to have started over a year ago, at least since mid-2013. So they would have had plenty of time to benefit from their illegal activities.
How did they steal the data?
Also different from previous hacking events, the attack was not so much technical but social in nature. Fin4 did not use malware to infect IT systems, but employed sophisticated social engineering tactics.
The group could send dangerous versions of legitimate corporate documents and used expert knowledge on product development, purchasing, M&A and legal issues to obtain users’ e-mail passwords. They focussed their attention specifically on the account details of individuals with insider knowledge on M&A deals, such as top executives, lawyers, consultants, bankers, advisors, etc.
What can you do to protect yourself?
Providers of virtual datarooms have made data security the core of their business model. But this attack shows that it pays to focus on the weakest link in the security chain: the end-user. We recommend end-users be especially mindful when handling confidential information and documents, as users are a key part in preventing both technical and social hacking. We therefore recommend that you:
use strong passwords
use 2-factor authentication when available
beware of ‘phishing’ e-mails
never send confidential documents to (unknown) e-mail addresses
use a secure virtual data room to distribute confidential information
Meanwhile, the FBI and SEC are reviewing the FireEye report and will try to track down the hackers.