Skip to Content
Image of telescope
Article

What IT and cybersecurity risks are you inheriting with your acquisition?

October 29, 2021 / 6 min read

If your target meets any of these four criteria, don’t skip due diligence.

 This is one of five articles included in our “Private equity due diligence guidebook.” Download the entire guidebook here.

There’s perhaps no segment of business operations that’s evolving and changing as rapidly as information technology and cybersecurity (IT&C).

As these critical areas impact nearly every business function, it’s imperative to conduct thorough due diligence of the target company’s technology systems, policies, and operations to understand what you stand to inherit with your acquisition. This due diligence can uncover what you may need to do to protect against cybersecurity threats, as well as address significant gaps and issues that may inhibit future growth.

Investors may overlook IT&C due diligence because it hasn’t been part of their historical process, or they believe the target is too small or unsophisticated. Our approach and capabilities support virtually all deal scenarios. However, certain deal criteria may elevate the importance of completing IT&C diligence, such as:

Another reason investors are adding IT&C to the scope of diligence is to address third-party requests. For example, many providers of rep & warranty deal insurance seek key details on cybersecurity risk.

Three principal considerations

There are three principal considerations associated with your target’s information technology: gaps, risks, and costs. The goal of any comprehensive IT&C due diligence process should be to identify and assess their impact.

  1. Gaps: Assess the target for significant technology, staffing, or licensing gaps that you may need to address over the next three to five years, with a firm understanding of their underlying costs and potential impact on the business.
  2. Risks: Understand the risks related to the IT&C environment. Are adequate safeguards in place related to employee training and access? What cybersecurity plans, policies, and procedures are missing? Do processes align with best practices, or at a minimum, do they comply with industry standards? Is there existence of custom-developed business applications or business solutions that are no longer supported by the vendor? Elevated risks could impact your purchasing decision.
  3. Costs: What are the unplanned IT costs, both recurring and nonrecurring, that will require potential investment following acquisition? For instance, if the target employs 100 people who each use an old computer running outdated software, replacing the hardware and software will bear a substantial cost. These costs are typically attributed to findings documented while assessing gaps and risks and any associated recommendations that you’ll need to address.

While remediation of diligence gap and risk findings might seem daunting, the process starts with a clear understanding of the time and resources you’ll need to invest to conduct a thorough review. And, as with any large-scale business initiative, it’s critical to have the support and expertise necessary to achieve stated objectives — specifically, providing a comprehensive and accurate assessment of your target’s technology infrastructure.

The process starts with a clear understanding of the time and resources you’ll need to invest to conduct a thorough review.

Key diligence elements

We recommend reviewing six core elements during the IT&C due diligence process: IT personnel, enterprise applications, IT&C infrastructure, IT management and delivery processes, cybersecurity management, and digital strategy.

With the amount of planning, consideration, and obstacles inherent in every stage of the acquisition life cycle, investors can easily overlook or underestimate the importance of thorough IT&C due diligence to the overall success of the deal. If you have any questions about the process, or you’re not sure where to start, give us a call. We’re here to help.

Related Thinking

Technology professional discussing strategic IT integration.
September 10, 2024

M&A and technology integration: Value creation starts during due diligence

Article 5 min read
Business professional in a modern office building looking at their laptop.
July 3, 2024

PE platform acquisitions: 7 essential considerations for due diligence

Article 5 min read
Happy medical professionals shake hands with a business professional at a medical facility
June 27, 2024

Medical practice acquisitions: Curb risk with data continuity

Article 3 min read