What IT and cybersecurity risks are you inheriting with your acquisition?

 This is one of five articles included in our “Private equity due diligence guidebook.” Download the entire guidebook here.

There’s perhaps no segment of business operations that’s evolving and changing as rapidly as information technology and cybersecurity (IT&C).

As these critical areas impact nearly every business function, it’s imperative to conduct thorough due diligence of the target company’s technology systems, policies, and operations to understand what you stand to inherit with your acquisition. This due diligence can uncover what you may need to do to protect against cybersecurity threats, as well as address significant gaps and issues that may inhibit future growth.

Investors may overlook IT&C due diligence because it hasn’t been part of their historical process, or they believe the target is too small or unsophisticated. Our approach and capabilities support virtually all deal scenarios. However, certain deal criteria may elevate the importance of completing IT&C diligence, such as:

• Rapid growth & scale: If the target has demonstrated significant recent growth, there’s a chance that key business systems may have been outgrown. Additionally, if the acquisition is to be used as a platform, the scalability of existing systems may pose challenges that are worth understanding and planning for add-on acquisitions.
• Usage of proprietary tech: If the target’s core assets or service offerings are technology-based, conduct IT due diligence, irrespective of revenues. Custom-developed applications for the marketplace can introduce unique risks to an acquiring firm. Ensuring Software Development Lifecycle (SDLC) standards are in place and followed enhances the likelihood of quality solutions.
• Regulatory compliance: If the target company operates in an industry that’s subject to regulatory compliance (e.g., FDA, ITAR, DOT, HIPAA), there are elevated risks if technology solutions aren’t appropriately deployed. Evaluating current processes and tools will identify potential gaps in the existing transactions and outline potential costs to resolve existing gaps.
• Collection of consumer data: If the target organization facilitates business-to-consumer transactions, it’s important to conduct IT&C due diligence. A company that conducts online sales transactions and handles credit card data, for instance, faces significant compliance risk as well as future scalability concerns as the organization grows.

Another reason investors are adding IT&C to the scope of diligence is to address third-party requests. For example, many providers of rep & warranty deal insurance seek key details on cybersecurity risk.

Three principal considerations

There are three principal considerations associated with your target’s information technology: gaps, risks, and costs. The goal of any comprehensive IT&C due diligence process should be to identify and assess their impact.

1. Gaps: Assess the target for significant technology, staffing, or licensing gaps that you may need to address over the next three to five years, with a firm understanding of their underlying costs and potential impact on the business.
2. Risks: Understand the risks related to the IT&C environment. Are adequate safeguards in place related to employee training and access? What cybersecurity plans, policies, and procedures are missing? Do processes align with best practices, or at a minimum, do they comply with industry standards? Is there existence of custom-developed business applications or business solutions that are no longer supported by the vendor? Elevated risks could impact your purchasing decision.
3. Costs: What are the unplanned IT costs, both recurring and nonrecurring, that will require potential investment following acquisition? For instance, if the target employs 100 people who each use an old computer running outdated software, replacing the hardware and software will bear a substantial cost. These costs are typically attributed to findings documented while assessing gaps and risks and any associated recommendations that you’ll need to address.

While remediation of diligence gap and risk findings might seem daunting, the process starts with a clear understanding of the time and resources you’ll need to invest to conduct a thorough review. And, as with any large-scale business initiative, it’s critical to have the support and expertise necessary to achieve stated objectives — specifically, providing a comprehensive and accurate assessment of your target’s technology infrastructure.

Key diligence elements

We recommend reviewing six core elements during the IT&C due diligence process: IT personnel, enterprise applications, IT&C infrastructure, IT management and delivery processes, cybersecurity management, and digital strategy.

• IT personnel (support): IT&C staff and service providers work in a balanced effort to support the business. There’s great value in understanding the mix of resources required to support and grow the business in meeting strategic demands. Often this is a coordinated effort between actual staff and IT service providers. Agreements outlining scope of work, service levels, and allocated resources are often absent, increasing risk to the service recipient. Additionally, staff skill gaps and absent job descriptions result in blind spots that also create exposure.
• Enterprise applications: Business applications help “run” the business and include ERP solutions and business intelligence. Both must be current and fully supported by their software vendor. Beware of companies whose business applications are common (e.g., Excel); despite their ubiquity, they may not provide sufficient visibility into the company’s performance.

Determine whether the applications include the requisite licenses and contracts. Pirated software (copied applications that are in violation of copyright laws) is illegal and noncompliant with licensing requirements. As such, it presents a significant legal risk to you as well as a steep replacement cost.

Additionally, if there is a goal to assimilate the new target company to an existing portfolio, then special consideration will need to be placed in evaluating how redundant applications will be handled. Maintenance of multiple ERP solutions typically increases cost of support staff while reducing efficient reporting capabilities.

• IT&C infrastructure: Traditional IT applies to a company’s IT infrastructure and includes networks, servers, security, end-user devices, and IT-operating appliances. Assess these infrastructure components to determine if the performance, size, and capabilities are appropriate for the target’s business and its requirements.

Note whether there are elements that need a refresh or capital investment. For those items that require software maintenance patches, analyze their refresh schedule to make sure it’s dependable and that all updates are current.

Review documentation and logging of all hardware, too, including servers, switches/routers, and security devices. Finally, examine the basic IT hardware, especially computers; while a laptop may function for a decade or more, we recommend a refresh cycle of three to five years. Anything older and you should consider its replacement cost in your final valuation.

• IT management & delivery processes: IT governance concerns how the target makes and administers IT decisions. For some, this may include a forward-looking strategy for IT, with a project oversight office that’s in close contact with IT to approve its respective funding. Additionally, IT governance controls how the target supports its end-users. Some organizations maintain a help desk that manages hardware and software issues of the company’s employees. Review what, if anything, the target has in place, and consider what you may need to contribute to the post-integration entity.
• Cybersecurity management: Cybersecurity resources and activities are directly correlated to corporate IT and operations management. Understanding cybersecurity architecture and its configuration is an important “first line of defense” in mitigating threats. However, that’s only the start. Cybersecurity tools (e.g., multifactor authentication, access & identity management, and mobile device management) are important to further fortify the environment against bad actors. In addition, technology-use policies, end-user threat awareness management, and incident response/recovery plans are still instrumental in mitigating business and customer risk.
• Digital strategy: Discover the level of web, search, and social maturity within a prospective investment. An area that may be unexploited and ripe with low-hanging fruit is a target’s sales and marketing technology stack. Identifying the breadth of web assets included in the deal, as well as how refined the associated management practices are, may uncover opportunities for post-close return on investment.

With the amount of planning, consideration, and obstacles inherent in every stage of the acquisition life cycle, investors can easily overlook or underestimate the importance of thorough IT&C due diligence to the overall success of the deal. If you have any questions about the process, or you’re not sure where to start, give us a call. We’re here to help.