IT Due Diligence Guide

Make an informed technology company investment.


May 21 2016

2016 Edition of the IT Due Diligence Guide Released

I’m happy to report that the 2016 Edition of the IT Due Diligence Guide has been released.

The need to include an IT review during M&A due diligence is greater than ever. Identifying IT shortcomings that can put a company’s (and a deal’s) future at risk is critical. Other issues that are uncovered that may not rise to the level of cancelling a transaction can still carry a high price tag to address, and it’s important to find these problems prior to the deal closing.

2015 and early 2016 saw the trends of substantial data breaches and related public relations disasters continue. Examples included Costco, CVS and a giant breach (as in 78 million+ records) at the American health insurer Anthem. And who can forget the fallout from the Ashley Madison debacle? Smaller companies are by no means immune to the same types of attacks.

The year also saw the expansion of underground hacker markets, where one can purchase stolen credit card data, online banking credentials, passports and hacking software, complete with 24/7 customer service, free trials and money-back guarantees. Or perhaps you’re looking for a million stolen frequent flyer miles, a hacking tutorial or the login and password for a Gmail account? All are available.

This means the threats to all companies and the related risks in M&A transactions are increasing. A 2015 UBM Tech survey of 185 IT professionals at medium and large companies revealed that 76% of those surveyed were only “somewhat” or “not very” confident that they can prevent a cyberattack, and that’s probably an optimistic number. Three percent of the survey respondents felt that they were “almost certain to get breached.” A 2015 KPMG survey showed that only 53% of healthcare systems (i.e. hospital chains) in the US consider themselves ready to defend against a cyberattack.

In fact, many security experts now regard a successful intrusion as something that cannot be entirely prevented, accepting that it is almost inevitable when a skilled and determined criminal is involved, and treat security more as a matter of detecting and mitigating intrusions quickly.

These developments have led to a new way of thinking during IT due diligence. Not that many years ago, a hacking incident would have probably been difficult to get past when evaluating a company. With so many large company data breaches demonstrating how hard it is for even organizations with supposedly sophisticated IT resources to protect against determined hackers, it seems unfair and unrealistic to look at past IT security shortcomings at a smaller target company as a deal killer. The focus now must be on lessons learned, process improvements and the current level of vigilance at the target.

For 2016, the IT Due Diligence Guide has been expanded and updated to address the latest IT security concerns and technology practices. Questions have been added, explanations have been revised and there is a new appendix listing helpful resources. Recognizing the need for specialized expertise in certain situations, a new section discusses additional audits and reviews to consider including during an IT due diligence project. Finally, a post-transaction IT integration plan template is now part of the book package.


Written by Jim Hoffman · Categorized: Blog

Feb 06 2016

New White Paper: IT Due Diligence in Healthcare

We’ve just published a new white paper: How the HIPAA Security Rule Impacts IT Due Diligence in Healthcare.

A recent survey of US healthcare executives by Capital One found that more than 40% of the respondents see M&A as a significant growth driver in 2016. This is no surprise – healthcare has been one of the most active M&A sectors for the past several years.

In the United States, IT due diligence in healthcare involves special considerations related to the security and privacy of patient data. The HIPAA Security Rule, which establishes standards and requirements related to the storage and transmission of electronic protected health information, increases the risks and costs of working with this data.

Proper IT due diligence of healthcare providers and vendors requires a solid understanding of the HIPAA Security Rule, and must include a deeper dive into the technology issues related to the Rule.

Download the white paper today to learn more about the unique aspects of performing IT due diligence on a healthcare organization.


Written by Jim Hoffman · Categorized: Blog

Aug 31 2015

Should a Hack or Data Breach Identified During IT Due Diligence Eliminate a Company from Consideration?

Only a few years ago, if a technology company had suffered a hack or data breach, my recommendation probably would have been to not touch it with the proverbial ten-foot pole. These days, given the recent well-publicized hacks of companies like Target, Home Depot and Anthem (companies which have huge IT security budgets), that advice seems too simplistic.

If even the largest companies are vulnerable, you probably shouldn’t automatically refuse to acquire a company that has been victimized. In this article, I’ll discuss a framework to determine how heavily to weigh a previous hack or a data breach during M&A IT due diligence.

There are four major areas of investigation that I believe can lead to a reasonable decision.

What happened?

First, you need to understand exactly what occurred. A standard IT due diligence request list should start the process by asking if the company has ever suffered a hack, data breach or other system intrusion. If the answer comes back in the affirmative, you’ll have many more questions to ask.

You’ll have to determine how critical the compromised IT function is to the operation of the business. While a hack is a serious concern for any business, for some businesses it is far more damaging than for others.

The unfortunate reality is that credit card data breaches are occurring on a regular basis. There’s so much mass media publicity around this issue that, in my opinion, the general public has become fairly immune to them. Yes, a hacked company’s customers must endure the inconvenience of changing credit cards and monitoring their credit reports for identity theft attempts, but they largely give the hacked company a pass. Over the long term, there may not be a significant impact on the business.

On the other hand, consider the recent Ashley Madison episode. Obviously, in that company’s line of business, privacy of customer information is the top priority, and it remains to be seen how well the company will be able to recover.

You’ll need to consider for your target company whether the fact that a hack occurred at all is a deal killer.

Why did it happen?

If you get past the first question and are still considering the acquisition, the next step is to determine why the hack occurred.

You’ll want to determine if IT best practices were in place. Did the target company have a proper multi-layer security infrastructure, including firewalls, antivirus software and intrusion detection systems? Were those components maintained properly, including prompt application of software patches and operating system updates? Were company systems being monitored for security vulnerabilities by a competent third party on a regular basis (ideally at least daily)? Had any other security audits examined the infrastructure?

Even if all of the right things were being done, there are still reasons a hack could occur.

A company could be the victim of a "zero day" vulnerability. Once a security-related software defect becomes widely known, there is still a window during which a hacker can exploit the defect before an operating system or other software can be patched by the manufacturer. This also applies to new computer viruses that don’t match an existing signature or a general profile of operation, and require a fix to be developed, tested and deployed by an antivirus company.

If the company was the victim of a social engineering attack, the fault may not lie with IT at all.

The target could also have been the victim of an "inside job." For example, if a system administrator simply provided login credentials to an accomplice, the company could be remotely compromised without it necessarily being detected, although monitoring should still be able to identify unusual volumes or patterns of activity.

If you’re comfortable that the company had a competent and comprehensive IT security plan in place, you can move on to the next question.

How was it addressed?

Recent security lapses demonstrate that hacks and data breaches will be an ongoing threat. This means that any well-prepared company should have a response plan in place.

How did the target company identify that a hack had occurred? Some hacks are obvious – the website is defaced or no longer operates. Others are more insidious. The Anthem hack earlier this year was only discovered when a system administrator noticed his account actively downloading data when he knew it shouldn’t be. A company with a good IT security plan in place shouldn’t be the victim of a long-term data breach.
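The kind of monitoring mentioned above, both for an inside job where an account is handed to an accomplice and for a compromised account that quietly starts exporting data, usually comes down to comparing each account’s outbound volume against its own history. The following Python script is an added example and is not code from the original post or from the IT Due Diligence Guide. The log format, the account names and the byte counts are constructed for illustration, and the 10× median threshold and the three-day minimum history are assumptions that a real deployment would tune to its own traffic.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit records (not from the page). One line per export
# job: date, account, bytes transferred out.
SAMPLE_LOG = """\
2015-01-20 svc_backup 1200000
2015-01-21 svc_backup 1150000
2015-01-22 svc_backup 1300000
2015-01-23 svc_backup 1250000
2015-01-20 jdoe 40000
2015-01-21 jdoe 52000
2015-01-22 jdoe 38000
2015-01-23 jdoe 91000000
2015-01-23 jdoe 5000000
"""


def parse_log(text):
    """Parse 'date account bytes' lines into (date, account, bytes) tuples.

    Malformed lines are skipped rather than aborting the run, since audit
    exports often contain headers or partial lines.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        date, account, nbytes = parts
        try:
            records.append((date, account, int(nbytes)))
        except ValueError:
            continue
    return records


def daily_totals(records):
    """Sum bytes per (account, date) so several jobs on one day count together."""
    totals = defaultdict(int)
    for date, account, nbytes in records:
        totals[(account, date)] += nbytes
    return totals


def find_volume_anomalies(records, factor=10.0, min_history=3):
    """Flag account-days whose outbound volume exceeds `factor` times the
    median of that account's earlier days.

    Only days before the one being scored form the baseline, so a single
    large day cannot raise its own threshold. Accounts with fewer than
    `min_history` prior days are not scored (assumed tuning values).
    """
    per_account = defaultdict(dict)
    for (account, date), nbytes in daily_totals(records).items():
        per_account[account][date] = nbytes

    alerts = []
    for account, days in per_account.items():
        for date, nbytes in sorted(days.items()):
            history = [v for d, v in days.items() if d < date]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if baseline > 0 and nbytes > factor * baseline:
                alerts.append({
                    "account": account,
                    "date": date,
                    "bytes": nbytes,
                    "baseline": baseline,
                    "ratio": round(nbytes / baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_volume_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{alert['date']} {alert['account']}: {alert['bytes']} bytes, "
              f"{alert['ratio']}x the account's median of {alert['baseline']}")
```

In the constructed data the backup service account moves roughly the same volume every day and is never flagged, while the user account that suddenly exports about 96 MB on one day stands out at several thousand times its own median. A per-account baseline is what separates an account that is supposed to move data from one that is not; a single global threshold would either drown the service account in alerts or miss the user account entirely.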

A good data breach response plan should include the following features:

  • A list of people on the response team
  • A requirement to keep detailed records of every remediation step taken
  • Immediately disconnecting / shutting down affected systems
  • High level steps to identify causes of the attack, including contact information for related vendors and consultants
  • Contingency plans for notifying customers and law enforcement, as appropriate

How did your target company react when the hack occurred? Did the response follow a plan or was it improvised?

The most important step is ensuring that the vulnerability that was exploited is eliminated. Some hackers leave themselves a back door that can be used even after the original security hole is patched. Sometimes the only way to be sure that all traces of an attack have been removed is to acquire new systems and rebuild everything from the ground up.

A good practice for the reaction plan is to include an outside expert. They may have seen the problem before, and in any case will be less emotionally involved – the people who allowed the hack to occur may not be the best ones to determine that it’s resolved.

Did the target have cybersecurity insurance in place? This can pay for the costs of addressing the hack, notifying customers of the breach, providing customers with credit monitoring, etc.

How will it be prevented in the future?

If after further investigation you’re comfortable that the company did everything reasonably possible to prevent a hack and responded to it appropriately, then the final area you’ll want to be comfortable with is how future hacks will be prevented.

Are there any additional procedures or security levels that can be put in place?

Is someone responsible for monitoring the cybersecurity industry for new developments and techniques?

If the company previously had an annual detailed security assessment, maybe quarterly would make sense going forward. "White hat" hackers can be hired to proactively probe the company’s IT security in a more thorough manner than automated monitoring can provide.

If the company doesn’t provide regular training to its employees on IT security issues and social engineering, it’s relatively inexpensive to implement and can be a wise investment.

Dedicated IT security personnel may be necessary. Many companies have recently introduced a role along the lines of "Director of IT Security." In any case, you’ll want to take an objective look at the competence of the IT staff and be sure you have the right team in place going forward. If the target company has already made the decision on their own to invest in more expertise, that’s a positive sign.

Conclusion

A previous hack or data breach at a target company is no longer an automatic deal breaker in IT due diligence. A thorough investigation of the incident, along with a review of the underlying causes and the company’s response, can help you make a reasoned determination as to whether the issue should prevent the deal from closing.

Written by Jim Hoffman · Categorized: Blog

May 13 2015

The 2015 Edition of the IT Due Diligence Guide Has Been Released

After several months of effort, I’m happy to report that the 2015 Edition of the IT Due Diligence Guide has been released. There are new chapters, including one focused on cyber security. There is also a new set of data collection spreadsheets to make it easier to gather and organize the information you need from the target company. The IT due diligence report template has been expanded and makes the job of writing the due diligence report even easier than it was before.


Written by Jim Hoffman · Categorized: Blog

Aug 18 2014

The Four Key Areas of IT Due Diligence – Part 4 of 4: Employee Issues

Employee issues are the fourth key area of IT due diligence.

You need to determine a number of things based on limited information and time. Who are the key people that you need to maintain after the deal? Are they flight risks? I’ve seen many times that people get nervous when a deal is announced. They assume it means they’ll be losing their job and they start looking for a new one. Or, they feel that their employment environment is going to be changing anyway, so they might as well explore all of their options.

If you’re able to identify key employees at TargetCo, AcquiringCo may want to consider offering employment agreements or retention bonuses to ensure that these individuals are going to stick around at least long enough for AcquiringCo to get its arms around the business.

Especially in technology companies, the staff can be very attached to their way of doing things, so it’s very important to understand a number of cultural issues that impact employees. Otherwise, you may find that you’ve just acquired a company where every key employee will be gone in six months.

Many small companies take on the personalities of their strongest employees.  If you’re buying a startup where the mentality is to come up with an idea for a cool new feature, work 24/7 to develop it and then roll it out to see what the customers think, it won’t take too many times for those employees to run into red tape or other roadblocks at AcquiringCo before they figure out that AcquiringCo isn’t for them.

In most startup IT companies, the overriding goal is to get the product to market ASAP.  To achieve this goal, things like well-commented code, backups and system documentation can go out the window.  Other formalities at AcquiringCo such as product management, system analysts and QA may also come as a shock to TargetCo’s employees.   If AcquiringCo is an established organization with strict processes in place for its operations, you can count on employees of TargetCo seeing these as nothing but needless bureaucracy.

Companies can have wildly divergent hiring strategies.  Some companies may prefer fewer, expert employees and others hire an army of lower level staff, hoping to find diamonds in the rough.  If you’re acquiring a company with the latter mentality, be aware that there can be a lot of turnover on the way to a stable workforce, so HR and recruiting resources need to be considered.

On the other hand, if you are that company with many less-experienced employees and you’re acquiring a company with a handful of industry visionaries, be aware that they may very well be unhappy in an environment where they aren’t challenged and inspired by their peers.

There are many established software development methodologies, and software developers can become quite attached to their chosen method, sometimes almost to the point of evangelism.  If this is the case at TargetCo, and AcquiringCo enforces a different approach, this can be a sure path to tension.

Tech employees can be very sensitive to their physical working environment.  Their jobs often require a lot of concentration, and certain companies provide individual offices to most or all of their tech staff.  If you’re buying such a company and plan to make room for more employees by moving everyone to new office space with cubicles, you need to understand that to some employees that could be as bad as telling them they can expect a 50% reduction in pay.

You need to be sure these issues are mentioned in the due diligence report.  In my opinion, the job of the person performing IT due diligence is to identify any issues that can impact the success of the transaction, not simply the quality of the source code and age of the servers.  In severe cases, the cultural differences may be significant enough to abandon the deal.

Also, when there are real cultural concerns that may cause you to lose key TargetCo employees after the deal closes, it’s even more advisable to lock up those individuals with employment contracts or other incentives as I mentioned earlier.  In addition to keeping the key members of the TargetCo staff around, if they’re happy they can become cheerleaders for AcquiringCo and this can help retain the rest of the staff.

I’ve developed a few strategies for dealing with employee interviews in technology companies. It’s best to ask open ended questions.

Some questions I like to use are:

  • Who are the people who are critical to the operation? (ask more than one person)
  • Are there any bottlenecks in the code or website?
  • What would you change or improve if you could?
  • What do you think of the technology used here at TargetCo?
  • What would you want to know if you were me?

You might be shocked at what people are willing to tell you.

Also, I like to meet with employees in their office and at their desk, often sitting next to them as they demo products or explain what they do. I find that it’s a much less intimidating environment than sitting across a conference room table in what probably feels like an interview. The more comfortable they are, the more likely they are to provide useful information.

Any one of the issues identified in this series of articles, if serious enough, can be a reason to walk away from a transaction. In many cases, though, they can be addressed before or after the deal closes. The key is making sure you identify the problems ahead of time so TargetCo pays, one way or another, and not AcquiringCo.


Written by Jim Hoffman · Categorized: Blog

© Copyright 2012-2018 Alzhan Development LLC. All rights reserved.