Emerging and changing technologies introduce new risks and opportunities in the mergers and acquisition space. Capitalizing on these opportunities will give private equity firms additional value by uncovering synergies and infrastructure-based competitive advantages. Not addressing the risks can lead to catastrophic outcomes, including friction between acquisitions, network failures, downtime, loss of intellectual property, and data breaches.
What is digital due diligence?
A comprehensive digital due diligence assessment includes an analysis of all components related to technology: applications, IT budget, data, hardware, software, user count, architecture, IT security, locations, corporate setup, current IT contracts, staff, leadership, training, change management, communications, and more. While the scope of digital due diligence continues to evolve as technology continues to change, investors should initially be asking the following questions:
- What are the synergies between existing systems? Are the applications that support critical business operations scalable enough for the company’s planned long-term growth? Are there risks of major downtime leading to loss of revenue and customers?
- Does the target have a strategy in place to protect critical processes and intellectual property (IP)? Where is critical IP stored and does the data integrate with other systems? What is the target’s adherence to industry compliance standards and security frameworks?
- Do you have a detailed understanding of what critical exposures the company may have to cyberattacks and other threats? Are there undisclosed data breaches or incidents that could result in heavy fines, brand damage or devaluation? Are policies and procedures in place to respond to incidents or breaches?
What are the synergies between existing systems?
Let’s begin by looking at the synergies that may or may not exist between systems. As the private equity firm begins to combine assets, look for new leadership, and focus on the customer base, it must also turn its attention to IT. Digital technology touches every part of the modern business process and provides a backbone for operational efficiencies. If not managed properly, it can hinder sales and lower a company’s value. An analysis of the applications that support critical business processes should be completed to identify where synergies exist and where challenges might need to be addressed.
For example, the Dental Service Organization (DSO) industry is rapidly growing. These independent business support centers are seeing merger and acquisition activity intensify. However, each dental office that is acquired has its own systems and processes and is siloed, because the business never had to report out and consolidate its financials. A private equity firm will need to identify how to pull the financial data that exists within the new acquisition’s applications, create a standard chart of accounts, and produce a consolidated report for the holding company’s financial statement. A digital due diligence assessment can help an investor identify how quickly financials can be consolidated so that executive management has insight into financial results.
Another important factor when assessing technology is flexibility. How easily will the current platform integrate with other technologies? Can it adapt to developments in technology and easily upgrade? Additionally, the target company may have similar technology, but not all technology is built the same. Therefore, an investor should assess the target company’s ability to handle an increase in activity, including its ability to handle multi-fold increases in volume and the rapid growth that is expected from the investment.
Enterprise Resource Planning (ERP) systems are the center of the technology stack and can either drive operational efficiencies or be a major roadblock to growth. From Intuit QuickBooks® to sophisticated ERP platforms, investors need to understand the health of the system and its ability to meet the workers’ needs to provide workflow efficiencies and drive data and information for decision making.
Finally, are there risks of major downtime leading to loss of revenue and customers? The question is not ‘will it fail?’, but ‘when will it fail?’ and whether the organization suffers downtime or has invested in proper backup systems. A digital due diligence assessment will not identify when technology will fail, but it can assess how systems and applications are backed up and supported. This will allow the investing firm to identify areas of investment that are needed to reduce downtime risk and to identify areas of exposure or vulnerabilities within the system and technology stack.
Does the target have a strategy in place to protect critical processes and intellectual property (IP)?
Data is one of the most valuable assets a business can have, and although IP such as patents, trademarks, copyrights, and trade secrets is intangible, a company’s IP can be its most valuable asset. A digital due diligence assessment will provide a company with the value of its IP assets both internally, such as work products, and externally, including customer lists/databases and personally identifiable information (PII). The assessment will also summarize how data is stored. Is it in a public or private cloud? Is it in an air-gapped system, isolated from unsecured networks? This allows investors to evaluate how data is being managed within the target company and to uncover risks and opportunities associated with the investment.
Additionally, depending on the type of business, an analysis of an organization’s adherence to industry compliance standards and security frameworks can be significant. A digital due diligence assessment will provide an investor with a detailed understanding of the applicable regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) standards and the California Consumer Privacy Act (CCPA), including the effort and cost required to become compliant. If the target creates, stores, receives, or transmits electronic protected health information (ePHI), a threat risk assessment for each asset should be completed. The deliverable from the assessment includes an identification of gaps in compliance with the HIPAA rules and a roadmap to meet the requirements and reduce the threat risk of each asset. If the target is a payments company, a PCI assessment is critical to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information. During the assessment, a PCI Qualified Security Assessor (QSA) determines whether the company has met the 12 PCI DSS requirements, either directly or through a compensating control that provides a level of defense similar to the PCI DSS requirement. Similarly, a CCPA assessment will identify gaps between the CCPA requirements and the target’s operating environment. This will provide the investor with a roadmap to develop an appropriate data protection program.
Do you have a detailed understanding of what critical exposures the target may have to cyberattacks and other threats?
Activity in mergers and acquisitions is growing, but bad actors and cyber-criminal activity are escalating too. Just in the last year, the security community has faced numerous challenges across all industries, including the SolarWinds supply chain breach, numerous public Microsoft Exchange exploits, an increase in business email compromise, and a rash of ransomware. Effective IT security is obviously important for any business, and it is important for purchasing entities to understand the investment necessary to get a target to an acceptable level of security. Without proper due diligence, a private equity investor could be inheriting an organization’s poor security posture and – even worse – undisclosed data breaches or security incidents that could result in heavy fines, brand damage and devaluation. An example, although not a private equity transaction, is Marriott’s acquisition of Starwood in 2016. Unfortunately, the security due diligence during the acquisition did not identify a 2014 breach in which millions of customer records, including credit card and passport numbers, had been exfiltrated by the attackers. The breach will result in significant financial damage, including fines, penalties, and legal fees. Add the brand damage that has occurred, and the price for not completing sufficient digital due diligence can be significant.
Private equity firms need to have a detailed understanding of what critical exposure the target company may have to cyberattacks and other threats. A portion of the digital due diligence effort focuses on determining the target’s capabilities around detecting and responding to attacks. This includes a comprehensive cybersecurity assessment based on a framework, such as the Center for Internet Security (CIS) Top 18 controls, to understand the overall cyber maturity; vulnerability scanning for misconfigurations and missing security updates; and penetration testing to identify where applications could be compromised by an attacker. The investor will receive recommended improvements to the overall cyber posture of the target and estimated remediation efforts/costs pre- and post-close.
Finally, evaluate the policies and procedures the target has in place and whether it has an incident response and breach notification plan. These plans are vital if a security incident is discovered, and they outline how an organization should respond. If policies and procedures are found to be missing during due diligence, the private equity firm will then know that incident response planning will need to be completed.
Because digital technology touches every part of the business and is critical to operational efficiency, it is imperative that private equity firms complete a digital due diligence assessment. An assessment can help the investor address potential risks and may also uncover additional value and opportunities to pursue. However, there are many variables to consider when setting the assessment’s approach and scope. The complexity can be daunting; a checklist can help an investor identify key areas that may be significant based on the type of target business. The checklist below lists some operational areas to consider.
| Responsible Party | Digital Area | Due Diligence |
|---|---|---|
| Chief Marketing Officer (CMO) | Social Media | Which platforms are being used; size of following and engagement level; frequency of content creation |
| CMO/Chief Technology Officer (CTO) | External Website | Web traffic statistics (click-through rate, bounce rate, etc.); user experience and user interface survey |
| CTO | Internal Site | Access control policies; cloud vs. on-prem |
| CTO | Physical IT Infrastructure | Managed by third party or internal team; leased equipment contracts; cost and frequency of updates and patches |
| CTO/Chief Financial Officer (CFO) | ERP/Business Software | Ongoing subscription costs; costs and frequency of updates and patches; scalability analysis to align with strategic plan |
| Chief Information Officer (CIO) | Data Storage & Compliance | Public or private cloud; air-gapped systems; ongoing costs of storage; industry-relevant compliance costs |
| CTO/CIO | Cybersecurity | User policies, procedures, and training; regular penetration testing; disaster readiness and recovery plan |
The first day removed from a transition-services agreement can be intimidating, but by completing digital due diligence and having thoroughly scoped out, tested, prepared, and transitioned IT, the value of the investment will be realized faster and the new ‘day one’ will be much smoother for all employees, customers, and management.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is