Podcasts  •  July 21, 2022

Private Equity's Increased Awareness of Cybersecurity with Darren Wray DFIN's Executive for Data Protect

Start the Conversation

Honeypot Field to Catch Bots
Honeypot Field to Catch Bots

"The Insider by DFIN" is a series of video interviews featuring the latest trends, topics and key perspectives on the global capital markets.

Join Executive for Data Protect Solutions, Darren Wray, as he shares key insights on the increased awareness and importance of data protection and how companies can protect their data against cyber-attacks with the right software in place in this special podcast edition of The Insider by DFIN.


Dana Barrett - Welcome to The Insider by DFIN. I'm Dana Barrett. And joining me today is Darren Wray. He runs Data Protect for DFIN, so, Darren, welcome.

Darren Wray - Thank you very much. Good to be here.

Dana Barrett - I'm very glad to have you here. Cybersecurity, obviously, data privacy, big subjects kind of worldwide.

Darren Wray - Yeah, absolutely.

Dana Barrett - In every industry right now, but we're obviously going to get into it as it relates to financial services and all the things that DFIN does. But before we do all that, can you just share a little bit about your background and how Data Protect came to be.

Darren Wray - Sure. I came to be with DFIN through an acquisition of my company, Guardum. And as Guardum, we created these fantastic applications that help organizations find the personal information that sometimes really deeply buried in documents and things like that. We help them find it automatically and quickly and then they can extract that information, but they can also protect that information so they can redact it, but they can also take it on into other processes and reuse it in different ways. But protection is really the key, and that’s mandated in many different countries. So that’s how it came about.

Dana Barrett - So we think of, when you say redacting, I feel like everybody has that picture of printing the thing out and taking a Sharpie and making a black square over the thing and then scanning it back in. You basically figured out how to automate all that?

Darren Wray - Yeah, automate it and make it electronic. And you’re not wrong. There’s still thousands of people out there, getting high every day off using Sharpies too much. And in one example, we have an example in the UK. In the UK’s big National Health Service, biggest organization in the country, we found one part of that, they were actually physically cutting out with scalpels.

Dana Barrett - What?

Darren Wray - They were cutting out the words and then they were photocopying out after that.

Dana Barrett - Wow.

Darren Wray - Some really bad examples of very manual processes that can’t scale, it’s not good for an organization and that’s where Data Protect and the systems comes in.

Dana Barrett - Well, not to dig too deep on the how’s and why of drawing boxes, but I feel like the other thing I’ve seen people try that isn’t actually effective is going and making a digital black box in Paint, or whatever, Canva or something. But that’s not actually safe, right?

Darren Wray - Sure, because what happens, and not to go into the too technical pieces, but all you’re doing is just covering it up.

Dana Barrett - With a layer.

Darren Wray - But the text is still there. That’s right. If the text is still there and you can copy and paste down. There’s been many bad examples and people can Google those, if you want some humor at lunch time.

Dana Barrett - Oh boy. You know I love a good sob story. We might come back to that. So essentially, and you mentioned not only redacting, but finding the data. So talk to me about that. I guess we don’t think about all the places where we’re exposing ourselves, if you will.

Darren Wray - Well, that’s right. I mean, information exists in databases, of course, but there’s so much information in unstructured, just Word documents and printed documents and PDFs. Lots and lots of personal information and confidential information exists in those form. And the ability to find that information automatically and then just take one simple step to redact it, it’s almost like one push button. It’s all you going to do.

Dana Barrett - So when you’re talking about it in terms of financial reporting and compliance and all of that, how does this type of product help in the compliance world?

Darren Wray - Well, it helps by automating the process or semi-automating the process.It means that, yes, of course, you have to provide certain information to regulators or government bodies, wherever they may be in different countries, but that information isn't necessarily information you need to make public or you want to make public. So if you're passing it to other third parties or passing it outside of the building, you want to make sure it's protected before it leaves those safer confines and that's the kind of thing that we do. But there's also data privacy regulation that comes into that, of course.

Dana Barrett - Oh, right, that's a very important point.

Darren Wray - Absolutely.

Dana Barrett - I want to get to that, because I know that's huge, and I know it's different across the globe.

Darren Wray - It is.

Dana Barrett - About how it's, what the rules are and all of that. But when you're talking about what you want to get to some people but not to others, if you think about it in terms of one little document, doesn't seem like big deal, you can do it automated, but I assume some of these deals have massive amounts of data, correct?

Darren Wray - Oh, Absolutely. Well, they have massive amounts of data. And what happens, especially in a data room, a VDR, what happens is you've got lots of different parties, some who understand data privacy, some who have just got a job to do and they've just got these 10,000 documents that they need to upload and some of those documents contain all the HR records, all the personnel information, the salaries, the social security numbers. All that kind of information that's just enough for someone, some bad actor to take and create a new identity and assume your role or your place in society for long enough to get a loan or whatever it may be. And that sounds a little bit scary, but that's not what it's about. It's about actually helping organizations understand and manage their risk.

Dana Barrett - And, of course, the risk is also to the company's reputation.

Darren Wray - That it is and that's a piece that organizations obviously grasp, but they don't understand that one Word document, one PDF or 10,000 of them, or one Excel spreadsheet, with all that information in can actually cause that much of an issue.

Dana Barrett - Right. So they say, "You have names and addresses, but you don't have social security numbers so what's the big deal?"

Darren Wray - But then you've got the problem of the last piece of the jigsaw problem, as I call it, or the treasure map problem where you may regard your information as not being that important. You've only got the last four digits of social security or the last four digits of a credit card, whatever it may be that the hacker or the bad actor or whoever is looking for, but that just completes their treasure map or it's the last piece of the jigsaw and they get more motivated, but your security's less because you've only got that information. We don't need to.

Dana Barrett - They're getting the four digits, social security thing from one place, but then the address from you.

Darren Wray - That's exactly it. Obviously, bad actors, they want a one-stop-shop, if they can.

Dana Barrett - Sure.

Darren Wray - But they're willing to shop around. They're willing to shop around.

Dana Barrett - They can go to the mall of data.

Darren Wray - That's right. Exactly. If they need to go to those little boutique shops and get that information, so to speak, then they're willing to do that. They're willing to put in the hard miles on them.

Dana Barrett - That makes a lot of sense. So let's talk about the data privacy rules. I know they're more stringent in Europe than they are here in the US. So talk to me about how that all relates to private equity deals and knowing which things you have to keep up with, which regulations you have to meet.

Darren Wray - Do you know, the US is the only country in the OECD seven countries that doesn't have a information security or data privacy regulation? So it's really interesting. We're sitting here in Florida today and I have conversations here and people say, "Oh, but this is all still evolving." 1984 was the year where information security and data privacy first became law in England where I'm from.

Dana Barrett - Wow.

Darren Wray - So you're talking.

Dana Barrett - And here we are. How many years? Let's not do the math because that makes us old.

Darren Wray - Nearly 30 years. So, we are sitting there. So this is evolving and it is changing, but it's becoming more important. And the really interesting thing now is that so many states in the United States are now adopting this on a state by state basis. Now, hopefully we're going to get something federal, but the rules are different. Whether you're in Europe, whether you're in Canada, whether you're in Latin America, whether you're even doing business in Australia or Asia, all of those countries all have different regulations, but they all come down to the basic things of personal information, but more important or as important, I guess, for PE companies is that confidential information and minimizing their risks, because what you don't want to be doing is picking up an organization that's got some underlying data privacy issues or breaches, perhaps cybersecurity breaches that are ongoing and we've seen those kinds of cases.

Dana Barrett - Give me an example, because I feel like most people have read about a data breach in the news at one point or other and I mean, talk about the implications when those happen.

Darren Wray - Look, the Starwood and Marriott one, it's a really good example because it happened as the process or during the process of M & A and it wasn't picked up by the due diligence. It actually happened before Starwood was bought by Marriott. It wasn't picked up during that process, but then it all came out once Marriott were holding the reins and it was like, I think it was 18 months or two years.

Dana Barrett - Wow.

Darren Wray - After the acquisition. And then suddenly they discover there's been a breach and it's been an ongoing breach. Then it impacts Marriott and Marriott then are left holding the reins for sure. They didn't spot the issue, but also, it didn't happen immediately on their watch. And this happens more often than we might like to think. I know a number of companies, organizations that I've helped in the past where they've had a purchase. Some, it's two weeks later they discover there's a breach and really frustrating for everyone, frustrating for the deals team. So it's really about understanding, doing your due diligence, extending that due diligence, but having that mindset, that control mindset, that risk mitigation mindset all the way through. So you're actually understanding it and leading it from the top. You can't do this stuff just by one enthusiastic person in the deal room, you're championing it. Sure, it may start that way but it's going to be led from the top.

Dana Barrett - I just want to go back to the Marriott example.

Darren Wray - Yeah, please.

Dana Barrett - Or examples like that for a minute, because the financial implications of not catching it, what they have to do to clean it up, the valuation of the company potentially going down, customer trust, right?

Darren Wray - All of those things. I mean, there's many studies where the echoes, the aftershocks of a data breach event, you're gone for years, four or five years. Now, that's something you think, "Oh, well, it's over and it's done. Once it's discovered, it's over and done. We plugged the gap and it's done." No, because customers, investors, other stakeholders all have long memories when it comes to this kind of stuff.

Dana Barrett - Absolutely. So I know we already talked about one of the reasons things are lagging behind in the US. It's because we don't have the regulation. But you did mention that some of the states are starting to have these regulations. So it would seem to me, and you going help me fill this in, but if there's rules in California or Colorado and I'm doing a deal in the US, don't I have to make sure I meet requirements in.

Darren Wray - Exactly, right. Exactly, right. Because the rules in California, and they're getting stricter in January and others are coming on to enforcement. Colorado, Virginia, and there's others that are going through the process right now. So moving feast in that respect, but yes, you have to comply and have to be able to comply because if you're a Californian resident, your data can't be resold, can't be misused in different ways so you've going to be cautious. You've going to be conscious. You've going to be aware of these things.

Dana Barrett - So for the private companies who are just not getting there yet, not quite getting it, they know they don't have to do it yet because the regulations aren't here. What do you think is the disconnect? Why are they lagging? Why are they not grasping that this is something they need to do now?

Darren Wray - Well regulation is an enforcer, but it's about doing the right thing. There's lots of things that we do in business, we do because it's the right thing, not because we are mandated to do so. But a lot of organizations just, I think, they don't know where to start. It's really that long journey and sometimes we can look at things like that and we can think, "Oh, it's a thousand miles I've got to travel," but as someone famous said many years ago, "It begins with one step." And that's exactly it. And it's knowing where to start and taking that first step and using the services, obviously from DFIN. That's a fantastic step in the right direction, whether it's your first step or whether it's your thousandth steps, then. It's a really good step.

Dana Barrett - Well, talk to me specifically about this product, Data Protect. Are there competitors in the market? What makes this one the one that people should be using?

Darren Wray - Sure. There's a few competitors. There's other data rooms that have got similar or some of the capabilities, not all of the capabilities, but what makes it different is our ability to deal with different languages and different scripts. Because much as we're native English speakers and much as we might think that the rest of the world does business in English, they do, but they don't. They all want to have contracts in their own languages, obviously, makes sense. So being able to process information in different languages, find personal information in different languages, find names in different languages or scripts, because languages are written right to left, as well. It is all too easy. When we're sitting here.

Dana Barrett - Very good point

Darren Wray - In Florida, again, to assume everything's written left to right and it's all written in the Latin language and it's not. So that's what makes us different. The ability to find information, find it automatically and bring it and expose it so it can be protected.

Dana Barrett - So it's really comprehensive.

Darren Wray - Exactly right.

Dana Barrett - You talked about sometimes the need for adoption from the top, that the executives have to be on board with this. And I think when you and I were talking prior to the interview, we were talking about the fact that when you look at phishing and some of those things, it's sometimes the executives that are the ones that are clicking in the email. I mean, is it education from the top down? Is it example? How do you get widespread understanding and adoption of the need for data privacy and data security?

Darren Wray - It's awareness and that awareness, there needs to be board awareness.

Dana Barrett - Really, all the way to the board level.

Darren Wray - All the way to the board level and then push the mandated down and no matter who it is. I sometimes compare it to this, the old story about the janitor in NASA, the interview, I can't remember the full story, but you'll get the gist of it, but he was asked what his job was. And rather than saying that he swept the floors and kept the place tidy, he said, "I help man go to the moon," because his job, he was part of the team that made people go to the moon, help people go to the moon. And that's exactly the same here. Doesn't matter whether you're an executive or whether you're the janitor, you have a role to play in information security, data privacy. Because if you don't lock the door as a janitor, someone could come in, they could physically steal something. But if you're an executive and you don't mandate good controls, good processes, you are as responsible, more responsible because you should know better.

Dana Barrett - And you did point out that somebody with all the best intentions might upload from HR a list of employees.

Darren Wray - Absolutely.

Dana Barrett - And not even realize they're doing anything that's questionable.

Darren Wray - Absolutely. Look, I've seen that, I've been involved, obviously through my current role, but through previous roles, in helping organizations going through mergers and acquisitions processes and the number of data rooms I've been in, and I've seen personal information, salary information, I know not just what the executives earn, which may be more available information, but what other individuals earn and that's not something that everyone's comfortable in sharing and it's not information that you necessarily want out there. Now, that's just that kind of personal information. But there's corporate secrets and other confidential information that needs to be in there and protected. And through these services, we help organizations find all that information.

Dana Barrett - We didn't even talk about it and you just brought it up, but we didn't even talk about the sensitive market information that could get out.

Darren Wray - That's right. Exactly. Organizations that are going through a sale process, those who are preparing for sale, they often go through many tiers of that, where they reveal some of the information and the information's more redacted in the first round as it is in the second or the third round. So as you get to trust and you build that relationship with the potential buyers, you're looking to reveal more information and redaction and automated redaction is absolutely key to that process. Otherwise, you're going to sit there with a Sharpie, drawing the rectangles day in, day out.

Dana Barrett - That does not seem fun.

Darren Wray - That's not good.

Dana Barrett - Not to mention the fact that nobody wants to do that job.

Darren Wray - That's one of the biggest drivers. I was at a conference last September. I was at a conference, a big legal conference in London. And I was speaking there and afterwards, I was speaking to some of the other speakers and they said, "One of the points you raised was efficiency, but it's also, redaction is a cruel and unusual punishment. You shouldn't subject people to this." And they actually said that they had lost people. This one particular large law firm, I won't name them. Large law firm had lost people, because they felt that they were too skilled. They studied law and they were sitting there.

Dana Barrett - To be redacting.

Darren Wray - Redacting, and they would have to come in weekends and do this work because the job had to be completed on Monday or Tuesday and they didn't have the time and people had left and they weren't able to recruit people as soon as they heard about doing manual redaction. No one wants to do it.

Dana Barrett - And then if you throw in all the other languages.

Darren Wray - That's right.

Dana Barrett - They can't even do it.

Darren Wray - That's right. You've got to have the skills. You've got to have the capability. You've got to be able to recognize a social security number in the US and a national insurance number in the UK and an ID number in Turkey. It's all those kinds of things. You might be able to find one or two of those, but can you do that reliably day in and day out when you're tired and high from Sharpie juice?

Dana Barrett - And Darren, before we close out, are there any customer stories that you can share where you just really thought, "These guys are never going to go for this." and then they did and they had a massive success and they really saved money, they saved time, they saved themselves from an emergency, whatever.

Darren Wray - Absolutely. There's a couple, there's one. This one that is a favorite of mine, I guess, because these guys came to us in real desperate need. They were getting a number of privacy requests through and it was like 30 or 40 a month. It may have even been higher than that actually right at the very beginning and they're mandated. They have to complete these in 30 days or in a calendar month. And they were getting so many of them and they had a team of, I think, it was like six people at the time and they just did not have the time to redact all these 9,000 pages. We took that process from over a hundred hours per request. We took that down to four hours.

Dana Barrett - Oh my God.

Darren Wray - So the efficiency saving,

Dana Barrett - Wow.

Darren Wray - and the quality of life these guys went through. I've done demos to people and when we describe how quick they can do this stuff, I swear, I see people well up, in how much for their life they've given over to drawing rectangles and now they can just press a button and it's almost done for them. They have to sanity check it.

Dana Barrett - Sure. Sure.

Darren Wray - Of course. But it's all there and it's done for them.

Dana Barrett - Wow. Well, an amazing product. Thank you so much, Darren, for.

Darren Wray - Thank you.

Dana Barrett - Sharing it and for bringing it to DFIN and for coming to the booth today to join me. I really, really appreciate it. This has been The Insider by DFIN. We'll see you next time.