Why technology and cyber due diligence is key for M&A

12 January 2021 Consultancy.uk 8 min. read
More news on

With technology now an integral part of business models, taking a closer look on tech and security during merger & acquisition processes is becoming more important than ever. Thomas Lemon, a managing director at Protiviti, on the need for a technology due diligence and how security by design holds the key for mitigating tech-based risks upfront. 

Recessions provide opportunities for companies to evolve. They sell off divisions to raise money; sharpen up their operations; and some even raise money to expand. While the current dip in mergers and acquisitions (M&A) activity is cause for concern, because of the unprecedented nature of Covid-19, there will be plenty of corporate reorganisation ahead. Businesses that are performing still want to buy; and those that are suffering, might consider being acquired.

A recent survey from Harvard Business Review suggests these trends will play out. In June 2020, 50 business leaders from a range of sectors were asked about their intentions in the market. More than half (57 per cent) suggested they would continue looking for deals to help them grow; while 47 per cent revealed they were looking for ‘distressed’ companies. Interestingly, nearly a quarter wanted to buy companies in new sectors or divest, to raise money. Only a minority were considering ‘marriages of convenience’.

Tom Lemon, Technology Consulting practice lead, Protiviti

At the other end of the market, investors have been building up their cash piles, for the next wave of growing businesses. According to data from TechNation and Dealroom, the amount of money raised in 2020 was higher than the year previous, with billions of capital ready and waiting. 

Getting ready for the M&A wave

The Covid-19 pandemic has acted as a catalyst for the rapid adoption of technology and remote working. Before March 2020, many commentators believed this trend would take place over five years, not five months, and companies have scrambled to get their houses in order. Those that are ‘born digital’ have found it easier, but nearly all of them have carried on working in this way and will continue to do so in some form. Everyone is getting ready for what’s coming.

“As companies go through challenging times, others see that as an opportunity, which drives up M&A activity,” says Thomas Lemon, managing director at Protiviti and leader of the firm’s Technology Consulting practice in the UK. “A key part of that, whether it be an investment round, integration, or divestment, is due diligence. For companies selling themselves or seeking investment, they have an imperative to make themselves look as good as possible.”

The process of due diligence, which goes under the bonnet of a business to see what’s really happening, helps investors and acquirers get comfortable with what they are buying. It helps to determine financial and commercial facts, for example, and the contractual stability of a company. Increasingly, it offers a window into the digital backbone of a business, and the security of its systems. A light has certainly been shone on these areas in recent months.

Technology due diligence

“Technology can be a differentiator because it’s at the heart of most organisations,” says Thomas. “Cyber security, as part of the technology due diligence, is really key. It’s about getting a sense of the risks and the extent to which they are mitigating those through the controls in place. We also think about their plans and how realistic they are about future risk. That type of work is becoming more key to a transaction’s success or failure.” 

Businesses, from start-ups to scale-ups, are commonly focused on getting their products to market, developing a customer base, and starting to find returns. When they begin this journey, they are less interested in governance, control and compliance, Thomas believes, but as they grow it becomes more important. They know that their technology is a focus for investors keen to back their growth. 

“Often you are trying to retrofit security controls during periods when companies are seeking investment, going for a listing, or being acquired,” says Thomas. “That is quite challenging, culturally. These organisations are often highly entrepreneurial and focused on growing their business. But you have to get over that hump of applying controls where they are needed, and finding a good balance, without slowing them down.

“One of the reactions you commonly get is: ‘well, we need to be agile and flexible and go to market quickly. We don’t want to slow down.’ The way you advise companies and the types of controls you put in place, have to reflect that. The balance is often struck by using automation in the control process to minimise friction. That process of working with organisations can take a little bit of forward thinking.”

The same principles apply for companies looking to sell off part of their business. The technology and security elements of a division will have to be unpicked from the rest of the business. Buyers are keen to know what’s in place and the right mix of governance and control will be transferred over to the new company. It’s largely a change programme, but one that has to be done in a way that provides assurance and clarity.

Security by design

The best approach for businesses developing new products or preparing themselves for sale, is to adopt the principles of ‘security by design’, according to Thomas. He says that if security has a seat at the table in the early days of a company’s life, during product development, and during major change programmes, it will be easier to manage in the longer term. 

He is encouraging people to ask themselves these questions at the outset: “We are thinking about a new product; what are the security implications? What kind of data are we going to be obtaining? What are the threats? There is a phrase used quite a lot – ‘shifting left’ – which is about getting security integrated earlier in the development lifecycle, so delivered systems and products are more resilient and less vulnerable to compromise,” he says.

According to the National Cyber Security Centre, there are five principles to consider when designing secure systems. The first is to establish the context, which means working to understand the purpose of any system. Companies need to know which data, connections, people and other systems will be required to operate it. They should also work out what impacts they are willing to accept, and what they are not. This might include unauthorised access to view, modify, or destroy data, or the system being unavailable for a period of time, for example. 

The second step is about making compromise difficult, which means using tools and techniques that make it harder to for attackers to get in. The third step looks at minimising disruption. In a world where technology needs to be consistently available, it’s unlikely any business can afford for it to be down for any length of time.

The fourth step explores the importance of detection, which highlights the importance of security monitoring and strong communication. The fifth step asks companies to reduce the impact of any data breach. This can be done by dividing networks into different segments; avoiding unnecessary caches; and removing functionality that’s not needed. 

Thomas adds: “Applying security principles by design from day one, is going to be easier than having to retrofit governance and control later. If companies do that, it becomes easier to get the right balance of governance and control, agility and innovation. It’s all too easy to focus too much on one of those things and not on the others.”

Preparing for 2021

As the mergers and acquisitions market begins to come back to life, there will be a lot of companies taking a long, hard look themselves. Many will be technology businesses; many have become technology businesses; but all of them will have a keen eye on the value they carry in the market. Buyers will be doing the same thing: lifting the bonnet to check that what’s been implemented will stand the test of time. 

“I think working from home and working from anywhere has elevated the importance of cyber security more than ever in the past six months,” says Thomas. “A few years ago, the GDPR regulations were another inflection point when society became more conscious of their data. There is a similar consequence happening now, as people are more mindful of security. If it were me investing my money, the value of the company would be higher if I had confidence in its security and technology.”