Your IT Due Diligence Checklist

Multi-year contracts, vulnerability to ransomware or a GDPR data breach can be skeletons in the closet of a company in a merger or acquisition.

M&A actions are fraught with risk. Bayer pursued the idea of merging with Monsanto to become largest crop science company in the world. Now, it is ranked as one of the worst M&A deals in history.^[1] Within weeks of the acquisition, the share price dropped 30% following successful lawsuits against the Roundup product.

Due diligence is the act of confirming that the company being acquired or merged with is operating in the way it has been sold to be. It manages the risk of an M&A action – uncovering the skeletons in the closet that threaten to make it a less profitable investment than expected.

IT due diligence specifically targets the technological aspects of the company under investigation.

Cyber Security

Travelex, the foreign exchange company, paid $2.3m (£1.8m) to hackers following a ransomware attack. On top of this, it took from New Year’s Eve until mid-February for them to be operating fully again.

There’s a reason we’ve put cyber security first on this list.

Your considerations should be:

• Overall vulnerability
• The effect on operations and customers in the event of an attack
• Training of key employees
• Roll out of basic training to all employees
• Encryption of communication software
• Payment protection for any transactions
• Disaster recovery and operational resilience procedures
• Is the software updated to the latest versions

Cyber security has a deep impact on your ability to operate during an attack – read more on our roadmap to operational resilience.

Hardware

This will seem like a walk in the park compared to cyber security checks!

When performing IT due diligence on a company, you need to confirm the quantity and value of the hardware owned, just as you would check their vehicle fleet. For more information, you can read our guide to commercial due diligence.

You’ll need to build an inventory of:

• PCs, tablets and laptops
• Printers and MFDs
• Servers
• Mobile and landline phones
• Production plant control systems

This inventory needs to be built of the equipment models, the date of purchase and their value. Importantly, you want to ensure that you know what is leased and what is owned.

Best practice is to do a physical audit to confirm that their electronic records match the goods in situ.

Ideally, you’ll also want to investigate the lifecycle of the products and whether they need to be refreshed in the next 1-2 years. This could put an unexpected cost on the business that is being acquired or merged, or open security vulnerabilities if not undertaken.

Software

Here you’ll need to distinguish between software that is bought from third parties and software that is made by the company under investigation.

Here are some key questions to ask about third party software:

1. What software is critical to operations?
2. Is it still supported?
3. Is it up to date with the latest security patches?
4. What Service Level Agreements are in place for the critical applications?
5. Can the software be merged with that of the acquiring party?
6. Who owns the source code?

If the company has an in-house development team that builds software either for sale or internal use, there are a different set of considerations. For example, it’s important to understand the ongoing obligations to customers, including the duration of current contracts and the service levels that need to be provided.

Similarly, is the source code still all available? How scalable is the product?

If the software is for internal use, how critical is it, and can it be replaced with something off the shelf? Maintaining internal software applications can be useful but it’s also expensive and an ongoing cost to the bottom line.

Remote Working

Remote working is common in sectors like software development, but 2020 has seen a wave of new workers operating out of their homes (or holiday homes!).

Not everyone will be used to this way of working.

This trend brings more IT due diligence concerns, particularly related to information and cyber security. Do you know where these people are operating and the information they have access to? Are the communication channels encrypted if they need to be?

At the beginning of the global pandemic, companies from the Bank of America to Tesla prohibited the use of Zoom.^[2] This was down to its lack of end to end encryption and concerns over ‘Zoom bombing,’ where outsiders would enter meetings uninvited, sometimes displaying explicit images.

Security of the equipment used by remote workers also extends to disk encryption, privacy screens and the use of private internet connections.

Another is the value of the equipment they have taken out of company premises. Is the equipment suitably tracked? How much is it worth, and what is the likelihood of getting it all back?

Telecoms

Telecoms is a key aspect of any business continuity plan, which is why the contracts and set up need to be understood fully.

You should also consider the length of the current contracts, which could be up to 5 years for fixed assets. Lengthy contracts can disrupt the planned merger.

Understanding the telecoms set up can also give insight into the company’s preferred communication methods and their company culture. An over-reliance on fixed communications can display and overall culture that avoids technological advancement. Alternatively, a predominantly cloud-based company could be chasing after the latest technology without consideration for the total cost of ownership or long-term planning.

As well as a description of the internal communication methods, it would be good to obtain a network diagram to understand the infrastructure. As with hardware, a physical audit can assist in getting a full picture.

Storage & Backups

Adequate storage and backups can be an underinvested part of a company’s IT infrastructure.

You need to know:

1. What is backed up?
2. Where is it backed up to?
3. How often is it backed up?
4. What’s the lifecycle of the storage equipment and is it likely to be unsupported soon?
5. Is the storage futureproofed, with enough capacity for company growth?

This part of the due diligence process is confirming the value of the company you’re interested in. One skeleton in the closet can be an unexpected investment that’s required in the next 1-3 years.

Personal Data

The General Data Protection Regulation (GDPR) is an EU law protecting the data and privacy. It applies to any company operating in the area, regardless of the location of their ownership.

In the EU, under GDPR regulations the maximum fine for a data loss is €20m or 4% of global turnover, whichever is greater.

British Airways was fined £183m ($237m) for a data breach in 2018 that affected 500,000 people. This is outside of any costs occurred from rectifying the breach and any reputational damage.

If the company concerned handles or processes personal information, it’s imperative that they have a watertight GDPR policy.

The Team

Technology is an ever-changing world.

It’s a competitive market where every company is vying for the next breakthrough. Additionally, countries, economic blocs and law enforcement agencies are constantly trying to be one step ahead of criminals.

This means the team need to be well trained and stay up to date.

As with the rest of the due diligence process, current job vacancies could affect the valuation of the organisation.

The IT team is part of the security integrity of the whole infrastructure. They should be viewed with the same scrutiny for background checks and access to source codes.

Ethics

The UK market for ethical goods has risen fourfold in the last 20 years.^[3]

Breaching ethical issues can cause huge reputational damage, one headline-hitting example is the brands involved in the Rana Plaza disaster.

There are two main ethical concerns to be considered during the IT due diligence process.

One is modern slavery in the supply chain. Apple has had multiple instances of consumer backlash following forced labour and attempted suicides at Foxconn, one of its supply chain partners.

Further down the supply chain, all electronics use minerals that can be obtained through conflict zones. These include the so-called “3TG” materials: tungsten, tantalum, tin and gold.

The other concern is waste disposal. PCs and laptop fleets are often refreshed every 3-7 years. Is the company suitably clearing them of confidential data? Additionally, it needs to be disposed of in an environmentally friendly way, in line with local laws such as the Waste Electrical and Electronic Equipment (WEEE) regulations in the UK.

Conclusion | IT Due Diligence As A Separate Process

Due diligence is a mandated step in the M&A process with two purposes: to check for vulnerabilities and to confirm the value of the M&A action.

A lack of intelligence can cost the company greatly - HP’s takeover of UK software company Autonomy is estimated to have cost them £6.8bn ($8.8bn) after only 6 hours of due diligence checks.^[4]

Uncovering those skeletons in the closet can save a fortune.

^[1] https://www.wsj.com/articles/bayers-roundup-woes-send-investors-fleeing-11558266059

^[2] https://fortune.com/2020/04/23/zoom-backlash-daimler-bank-of-america-bans-curbs-security-concerns/#:~:text=Daimler AG%2C Ericsson AB%2C NXP,join corporations like Tesla Inc

^[3] https://www.theguardian.com/environment/2019/dec/30/uk-ethical-consumer-spending-hits-record-high-report-shows

^[4] https://contingent.ghost.io/p/d5d66964-562b-4b2f-b4db-076ea1389be8/(https://www.theguardian.com/business/2019/mar/28/hewlett-packard-six-hours-of-due-diligence-on-autonomy-court-told#:~:text=Hewlett-Packard carried out only,case%2C according to court documents