The COVID-19 pandemic has had many impacts on M&A activity and IT due diligence. The pace of deals has slowed, and some transactions that were in-process at the start of the outbreak have been canceled.
Two main issues are currently affecting the smaller deals that often involve companies with higher levels of technology and compliance risk.
The first is the current impracticality of business travel. The CEO of the travel website Kayak says a business travel recovery has “a long way to go” and believes business travel may never return to pre-pandemic levels. This means that the opportunity for a site visit, usually a vital component of the IT due diligence process, may not exist. Even if a site visit is possible, the employees at many companies are working remotely.
The second is the anecdotal evidence that many deals happening now involve companies in financial distress being acquired by competitors. Therefore, the deals are time-sensitive, and due diligence will need to be focused and abbreviated.
Though not ideal, there are ways to address both of these issues.
Without a site visit, you’ll have to accept the fact that you won’t get the benefits of developing rapport with the target company’s staff. You also won’t be able to easily adapt your IT due diligence based on what you see on-site by walking through the workspace, server rooms, etc.
The widespread availability of videoconferencing software can help. Instead of in-person discussions occurring at a relatively leisurely pace, you’ll need to have more in-depth conversations over Zoom, etc.
To replace walkthroughs, consider working with your contact at the target to use a technology like FaceTime to do a virtual inspection of the facilities. This is not the preferred approach, and you’ll be at the mercy of the person you’re working with to show you everything relevant, but it’s better than nothing.
Another ramification of this approach is that there will most likely need to be greater transparency about the process with the staff at the target. It’s typical to develop a cover story about the reason for a site visit (“considering a partnership” or “auditing our security”), but this may not be feasible with a remote approach that ends up being so probing in such a short amount of time.
When it comes to the potentially abbreviated timeline, you’ll be forced to focus on the high-risk areas of the company. You may only have only a day or two for IT due diligence. These items will be specific to each transaction, but here are some typical focus areas:
Products and Services
You’ll need to understand the goal of the acquisition. Is it to add new products or services to the acquirer’s offerings, or is it to acquire the target’s customers and move them to the purchaser’s service? Are the target’s products and services compatible with the acquirer’s? Are there features that would need to be added to the acquirer’s products to maintain customer satisfaction? Does the acquirer have in-house expertise in the technology, allowing for synergies and reducing the risk of departing employees at the target?
Has the company ever been the victim of a cyberattack or data breach? If so, what was done to address any associated vulnerabilities going forward? Is cyber insurance in place? If so, was the prior incident disclosed in the policy application? If not disclosed, the policy may not provide the desired level of protection. Does the target’s IT staff seem to have a good awareness of security best practices? If the target is a healthcare company in the US, have they performed a proper HIPAA risk analysis? If the target deals with customers from the European Union, how have they addressed requirements under the GDPR?
Source Code Review
A brief source code review may be the only option, so the person performing the IT due diligence will have to rely as much on how the code is explained by the developers as on any detailed review by themselves or a third-party expert. Do the developers seem to have a good handle on the organization of the code? Are you confident they are the ones who originally wrote it?
Intellectual Property Ownership / Non-competes
This is one of the most important things to investigate. Was any software represented as being owned by the target developed by contractors or consultants? If so, review copies of any associated agreements to be sure the target company properly structured the relationship to retain ownership of the developments. Have the employees signed non-compete agreements? A fast-paced acquisition may well create concern among the target’s employees, and some may leave. Are there any restrictions on employee competition?
Software licensing is a common high-risk area. Focus on any expensive tools being used, such as enterprise-class databases and server operating systems. If these are not correctly licensed, other licensing concerns are probably lurking at the target.
It will be impossible for such limited IT due diligence to identify every risk. The acquiring company should consider adding items not always part of the representations and warranties section of the purchase agreement to cover IP ownership, security best practices, absence of past cyberattacks, etc.
Although a remote, abbreviated IT due diligence process is not ideal, it may be unavoidable during the COVID-19 pandemic. A thoughtful, prioritized approach provides the best chance to quickly identify any areas that could threaten the long-term` success of the transaction.