Our M&A Due Diligence Challenges blog series addresses the changing nature of IT, cybersecurity, and data privacy and how investors – both financial (e.g., private equity funds) and strategic (corporations) – can manage these risks and increase their chances of achieving a successful M&A transaction. We also discuss tales from the trenches and lessons learned from M&A due diligence we have performed for clients.
M&A is hard. But it’s an important part of the growth strategy for both large organizations and private investors. This is reflected in the incredible value of global M&A deals: approximately $4 trillion U.S. dollars every year from 2014 to 2018.[1]
It’s not surprising, however, that a large percentage of these deals fail or don’t achieve their objectives (70%-90% of M&A deals fail).[2,3] Though it is not wise to generalize, it’s clear that changes to the technology landscape have added complexity, not only for tech companies but for all industries. In addition to new technology adoption, cybersecurity posture and compliance with a variety of regulations (GDPR, CCPA, HIPAA, etc.) make it imperative to navigate these challenges during a transaction. Investors need to know how to assess the target’s technology function for reliability, scalability, pitfalls, etc.
While it's rare for a single technology issue to derail an entire M&A transaction, it's not uncommon for a deal to lose value due to significant technology remediation risks or inadequate integration/separation planning. An organization that experiences a security breach or uncovers non-compliance with a privacy regulation after the transaction could face severe financial penalties as well as irreparable operational and reputational damage, both to the organization and to the investment firm. However, the probability of such issues can be reduced by taking a risk-based approach to evaluating technology during a transaction.
Why the Typical IT Due Diligence Playbook is Not Enough
Investors typically rely on IT due diligence (IT DD) to assess the technology function of acquisition targets. Historically, IT DD was treated as a mere formality, but it has become increasingly important. With changes to the technology landscape such as cloud adoption, big data, analytics, artificial intelligence, etc., the need for IT diligence has only grown.
The diligence activity itself has had to keep up with changes in the technology landscape and regulations, and especially with the increased focus on cybersecurity and privacy that comes with greater dependence on technology. In any case, there is enough literature on the importance of IT diligence. Hence, this post will not dwell on that subject, but will look at the key elements of IT diligence and how to approach it.
Most firms that offer IT diligence services today follow a similar tried and tested playbook. It involves churning through available documentation from the target, interviewing management to assess IT maturity, and presenting an opinion.
The scope of the typical IT DD playbook involves the following key focus areas:
- Back-office IT infrastructure: Business systems such as ERP, CRM, HRIS, etc.
- Production infrastructure: Production systems and applications, backup, disaster recovery
- Hosting setup: Data centers, cloud usage
- Proprietary applications: Functionality, underlying technologies, technology debt
- Software development processes: Software development lifecycle, testing, product management, dev-ops
- Information security: IT security procedures and controls
- Technology organization: IT and development organization maturity
At first glance, the above list seems to cover the breadth of the target’s technology footprint. But in reality it’s inadequate, with cybersecurity and data privacy completely missing.
The Key Focus Areas for Comprehensive IT Due Diligence
In today’s digital ecosystem, the IT, cybersecurity, and privacy functions are deeply interconnected. An organization cannot achieve required privacy compliance without implementing adequate controls in cybersecurity, deploying the right IT infrastructure, and ensuring that proprietary products and applications follow security best practices.
Investors need to realize that these functions are not disparate; they are deeply interconnected and need to be evaluated in conjunction with each other. Listed below are some of the focus areas that are crucial to IT diligence (but are often overlooked):
- Evaluation of business processes: The maturity of back-office business processes is often ignored. The use of well-regarded technologies does not necessarily mean less risk; in our experience we have seen time and again that the right technologies do not by themselves deliver scalability and reduced risk. A reputable application does provide stability and good support; however, the efficiency of an IT organization is a combination of the technology, the processes, and the people managing it.
For example, we evaluated a mid-sized technology-enabled fleet rental business that had implemented Salesforce (CRM) and Microsoft Dynamics (ERP). However, their monthly financial close process took about 15 days. Their sales organization was supplementing Salesforce with Microsoft Excel-based forecast reports and manually transferring data for billing purposes. The business processes would thus not scale with growth. Our report identified the gaps and quantified the investment needed to remediate them. The investor was able to adjust their investment thesis accordingly.
- Detailed assessment of cybersecurity posture: Most IT DD assessments provide only a cursory review of information security. However, the impact of a security breach on business operations or reputation can be huge.
Yet, surprisingly, the approach to cybersecurity DD in the majority of firms we have assessed, irrespective of industry, is at best lethargic. For example, we assessed a mid-sized technology firm providing patient engagement services to pharmacies. The target relied on popular cloud services and had established seemingly sound security and privacy procedures with well-regarded tools. From a cursory point of view, their cybersecurity posture painted a bright picture. However, on deeper review we discovered that their security controls and governance lacked maturity. The resiliency of their backup, recovery, and disaster recovery processes was sub-optimal. We highlighted the risks and were able to help the investors introduce the right contingencies for the transaction to proceed.
- Detailed review of data privacy compliance: This is an area often neglected due to either lack of awareness or lack of skillset on the diligence teams. But with regulatory bodies tightening the controls around data privacy and with new regulations such as GDPR and CCPA coming into effect, diligence must include a detailed review of compliance. Organizations frequently are not ready to meet the stringent requirements prescribed by these regulations.
We recently performed diligence on a large multi-billion-dollar leader in omnichannel digital marketing. The target’s systems processed and housed first- and third-party personally identifiable information. They had established GDPR, CCPA, and HIPAA controls. However, on deeper review, we identified numerous gaps in these controls. There were numerous chinks in their proprietary applications and their hosting infrastructure. There was much to be remedied to reduce the risk of sensitive data being exposed.
- Relevance to investment thesis: It is crucial to keep the broader investment thesis in mind when performing diligence, even though it may not have a specific IT focus. This is often neglected in IT DD, and the larger picture is therefore lacking. Areas particularly crucial to the deal thesis are too often neglected.
Our approach to IT DD is materially different when the deal thesis calls for a merger as compared to a carve-out or a standalone company assessment. For instance, in a merger scenario, importance must be given to possible synergies with the merging organization, and diligence must consider the potential impact and feasibility of combining technology stacks and back-office applications.
The Path to Better Pre-Deal Diligence
It’s not enough to rely on the same old IT due diligence methods from the past. Focusing on infrastructure, applications, and technology organization leaves gaps that miss the larger picture.
In these times of increased reputational and operational risk stemming from cybersecurity issues, as well as increasing data privacy regulation across all industries, those elements must be key focal points in the IT DD equation. Leave out skilled cybersecurity and data privacy evaluation, and you’re missing major areas of concern.
Further, it’s essential to consistently keep the investment thesis in mind. Data being considered must be relevant to the aims of the merger or acquisition, for all parties involved.
We strongly recommend that investors take a risk-based approach to evaluating the technology function with a deliberate attempt to understand cybersecurity and compliance risks in addition to the traditional IT focus areas.
But how about the challenges encountered during the transaction and the first 100 days? Stay tuned for the next blog post in this series.
ACA Aponix M&A Diligence Resources
The following ACA resources are available to help you navigate the complexities of M&A diligence and portfolio oversight:
- Thought Leadership: M&A Due Diligence and Portfolio Oversight: Minimizing Cyber and Privacy Risks During the Deal Lifecycle
- On-Demand Webcast: M&A Diligence and Portfolio Oversight: Identifying Cyber and Data Privacy Risks
- Case Study: ACA's M&A Diligence and Advisory Services for a Large Cap PE Firm Interested in Acquiring a Healthcare SaaS Provider
- Case Study: ACA's M&A Diligence Services for a PE Firm Interested in Partnering with a Defense Services Contractor
- Thought Leadership: Cybersecurity Considerations for Private Equity Firms: Mitigating the Cyber Risks of Portfolio Companies
How ACA Aponix Can Help
ACA's mergers and acquisitions (M&A) due diligence service offers pre-deal IT, cybersecurity, and privacy regulatory diligence of prospective portfolio companies to help investors determine cybersecurity risks at the onset, negotiate better deals, and align risks with the investment thesis. Our team of experienced technology, compliance, and risk professionals uses a business-oriented methodology to determine how the portfolio company’s potential aligns with the investment thesis, and provide the strategic roadmap and cost savings estimates required to achieve the investor’s objective during the hold.
For more information, contact email@example.com or your ACA consultant.