There seems to be a cognitive dissonance among folks who find technology compelling in every other aspect of their personal and professional lives, yet when it comes to M&A due diligence, they don’t think to include it in their review. Due diligence on the technology of the organization being acquired is a necessary step not only when buying or selling an actual tech company. A recent poignant example: a couple of months ago, a friend who was looking to purchase a retail business with about a dozen locations asked the owners for seven basic metrics that every retail business should be capturing, analyzing and executing against; the management of this company could hardly come up with two of them. The reason? Their only real data system was QuickBooks; no ERP, no real FP&A tool, you get the point.
It’s not all about capturing data, it’s also about protecting it once you have it. I know from experience working on IT teams that whenever there are rumors of something big happening at the top, some IT folks get restless and squirmy. They may start covering up shadow IT systems, changing logins, exfiltrating data (even something as seemingly benign as forwarding things to their personal email), taking IP (that’s intellectual property, not Internet Protocol address 🙂) in various other forms and other sordid actions; basically, breaking many security policies and controls, many of which they themselves put in place. Some salespeople have been known to do the same: downloading lists of contacts, contracts, sales and marketing templates, and anything else that may help them get ahead of the situation or help them in their next role.
Most people in business know that time kills all deals, and there is no better way to put the brakes on one than to have a “cyber” incident of some sort at any time during the process. Here are some technical due diligence questions M&A folks on both sides of the deal table can ask to get ahead of any surprises and protect themselves and their clients:
- What is the master data produced by the organization? What is secondary data? How is this data being stored/protected?
- What other IP does the company generate or have in its possession?
- What is the workflow for master data production?
- Which IT systems are involved in data creation and capture? Are licenses valid and up to date, and is the use case compliant with regulations and any restrictions imposed by the vendor?
- Does IT documentation exist?
- Do IT & Security policies exist? E.g. Acceptable Use Policies for Computing/Data/Social Media use, Cyber Liability Insurance, Electronic Privacy and Record Retention policies, etc.
- What technical, physical and administrative controls exist? What controls exist on financial and other data?
- When was the last time an IT audit was performed? e.g. Check for default passwords on network devices and other systems, a not-uncommon oversight.
- Who in the organization has elevated account privileges? Who has administrative access at the domain level? e.g. most IT administrators log into only a small number of systems at any given time, but often have 24/7 access to the whole domain. They often over-provision privileges and forget to turn off one-time access they once set up for some vendor (see the last bullet re: vendors and supply chain). The goal is to eliminate possible leftover or purposeful backdoors. This is especially prevalent in organizations where there has been turnover in the IT function.
- When was the last time antivirus and malware scans were run?
- How would you detect unauthorized modifications of financial data, logs or access control files? How would you detect unauthorized application or system changes?
- Secure the newest and biggest threat vector – supply chain and vendors. How do they interact with your company’s systems? Who has access, and to which systems/data/resources?
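Two of the questions above (the privileged-access bullet and the “how would you detect unauthorized modifications” bullet) are ones a diligence team can turn into concrete checks rather than take on faith. The script below is an added example written for this post, not code from the original article or from any vendor: it reviews a constructed directory export for domain-level admins, idle privileged accounts and vendor accounts left enabled past their planned expiry, and it builds a SHA-256 baseline of a constructed set of financial, log and access-control files so that later changes (added, removed, modified) can be listed. The account fields and file names are assumptions chosen to resemble a typical export; a real engagement would feed in the target company’s own AD or HR export and its actual data directories.

```python
import hashlib
import os
import tempfile
from datetime import date

# Groups whose membership grants administrative access at the domain level.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Date the review is run against (assumed, so the result is reproducible).
REVIEW_DATE = date(2024, 6, 1)

# Constructed sample export, not from any real directory: one record per account.
SAMPLE_ACCOUNTS = [
    {"name": "jsmith", "groups": ["Domain Admins", "IT Staff"], "enabled": True,
     "last_logon": date(2024, 5, 30), "expires": None},
    {"name": "vendor-erp", "groups": ["Domain Admins"], "enabled": True,
     "last_logon": date(2023, 11, 2), "expires": date(2023, 12, 1)},
    {"name": "oldadmin", "groups": ["Enterprise Admins"], "enabled": True,
     "last_logon": date(2023, 8, 14), "expires": None},
    {"name": "acct-payable", "groups": ["Finance"], "enabled": True,
     "last_logon": date(2024, 5, 31), "expires": None},
]


def review_privileged_accounts(accounts, today, stale_days=90):
    """Return (account, reason) findings for enabled accounts that need a diligence question."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        privileged = PRIVILEGED_GROUPS.intersection(acct["groups"])
        if not privileged:
            continue
        findings.append((acct["name"], "member of " + ", ".join(sorted(privileged))))
        if (today - acct["last_logon"]).days > stale_days:
            findings.append((acct["name"], f"privileged but idle for more than {stale_days} days"))
        if acct["expires"] is not None and acct["expires"] < today:
            findings.append((acct["name"], "still enabled after its planned expiry date"))
    return findings


def run_review():
    """Run the account review over the constructed export with the fixed review date."""
    return review_privileged_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_baseline(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def integrity_demo():
    """Baseline a constructed file set, simulate tampering, and return what the diff reports."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed contents standing in for financial data, a log and an ACL file
            "ledger.csv": b"2024-05-01,vendor,1000\n",
            "access.conf": b"admin: jsmith\n",
            "audit.log": b"login jsmith\n",
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        baseline = hash_tree(root)  # what you would store when the baseline is taken
        # Simulated changes after the baseline: an appended ledger row, a deleted log, a new file.
        with open(os.path.join(root, "ledger.csv"), "ab") as fh:
            fh.write(b"2024-05-02,vendor,9000\n")
        os.remove(os.path.join(root, "audit.log"))
        with open(os.path.join(root, "ledger.bak"), "wb") as fh:
            fh.write(b"copy\n")
        return compare_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for account, reason in run_review():
        print(f"{account}: {reason}")
    print(integrity_demo())
```

The account review deliberately reports every domain-level admin, not just the suspicious ones, because the first diligence question is simply who holds that access; the idle and past-expiry checks then point at the leftover vendor and turnover accounts the post warns about. The integrity check is only as good as the moment the baseline was taken, so it should be captured as early as possible in the process and the baseline file itself kept somewhere the target’s administrators cannot write to.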
Business process, workflow and technology have blurred completely, so this is by no means an exhaustive list, but it is plenty to cover most of the technology blind spots and inherent risks you can expect to encounter in a standard IT environment. Engage an independent third party, e.g. a reputable IT consulting firm with an audit practice, and leave the “how” to them as the IT professionals. Let them do their due diligence while you do yours. HAPPY DEAL MAKING!