I’m happy to report that the 2016 Edition of the IT Due Diligence Guide has been released.
The need to include an IT review during M&A due diligence is greater than ever. Identifying IT shortcomings that can put a company’s (and a deal’s) future at risk is critical. Other issues that are uncovered may not rise to the level of cancelling a transaction but can still carry a high price tag to address, and it’s important to find these problems prior to the deal closing.
2015 and early 2016 saw the trends of substantial data breaches and related public relations disasters continue. Examples included Costco, CVS and a giant breach (as in 78 million+ records) at the American health insurer Anthem. And who can forget the fallout from the Ashley Madison debacle? Smaller companies are by no means immune to the same types of attacks.
The year also saw the expansion of underground hacker markets, where one can purchase stolen credit card data, online banking credentials, passports and hacking software, complete with 24/7 customer service, free trials and money-back guarantees. Or perhaps you’re looking for a million stolen frequent flyer miles, a hacking tutorial or the login and password for a Gmail account? All are available.
This means the threats to all companies and the related risks in M&A transactions are increasing. A 2015 UBM Tech survey of 185 IT professionals at medium and large companies revealed that 76% of those surveyed were only “somewhat” or “not very” confident that they could prevent a cyberattack, and that’s probably an optimistic number. Three percent of the survey respondents felt that they were “almost certain to get breached.” A 2015 KPMG survey showed that only 53% of healthcare systems (i.e. hospital chains) in the US consider themselves ready to defend against a cyberattack.
In fact, many security experts now accept that hacking can’t be prevented, since it’s almost inevitable when a skilled and determined criminal is involved, and treat it instead as something to be quickly detected and mitigated.
These developments have led to a new way of thinking during IT due diligence. Not that many years ago, a hacking incident would have probably been difficult to get past when evaluating a company. With so many large company data breaches demonstrating how hard it is for even organizations with supposedly sophisticated IT resources to protect against determined hackers, it seems unfair and unrealistic to look at past IT security shortcomings at a smaller target company as a deal killer. The focus now must be on lessons learned, process improvements and the current level of vigilance at the target.
For 2016, the IT Due Diligence Guide has been expanded and updated to address the latest IT security concerns and technology practices. Questions have been added, explanations have been revised and there is a new appendix listing helpful resources. Recognizing the need for specialized expertise in certain situations, a new section discusses additional audits and reviews to consider including during an IT due diligence project. Finally, a post-transaction IT integration plan template is now part of the book package.