Six Ways Technology Due Diligence Failure Can Kill Your Private Equity Investment
No matter what market you’re in, technology is a significant element of your business. Taxi companies learned this when Uber and Lyft employed sophisticated apps to topple their industry. Prior to the emergence of those two frame-breaking enterprises, few in the taxi industry would have considered themselves in the technology business.
Even a high-touch industry, like autism services, invests significant intellectual and monetary resources into computers, databases, practice management, and other critical technology.
These systems and the people who run them are often overlooked when investors conduct due diligence before acquiring autism businesses. But they do so at considerable risk.
A 2007 study at the University of Virginia found that two-thirds of mergers and acquisitions fail to deliver their expected returns. More recent research (2016, 2017) shows this number as ranging between 50 and 85 percent. Much of this is due to poor integration of cultures and business practices. A significant piece of this is systems and technology.
In my work with private equity firms, I frequently encounter this problem. Investors acquire platform companies comprising multiple businesses that have been acquired and consolidated in a relatively short period of time. Frequently, each of the businesses within this platform is using different software for data collection, analytics and practice management. Often, it’s chaos for the employees who are charged with integrating new acquisitions into the company. Combine that with the growing failure to conduct substantial technology due diligence and what we’re left with are investors putting their investments at needless risk.
Based on extensive conversations with Scott Klososky of TriCorps Technologies, there are six areas of technology that investors must examine before investing in an autism business. These principles are applicable to any business, actually, but they are particularly pertinent in our field because investors often overlook the IT side of the house and focus most of their diligence efforts on reimbursement, risk and compliance, the social impact of the business, and the scalability of the clinical model.
No investor wants to purchase a company whose data has already been stolen. Consequently, it is critical to investigate the security of a target company’s data before investing. Due diligence investigations of Yahoo’s data systems saved Verizon $350 million. After discovering all three billion Yahoo email accounts had been hacked, Verizon slashed its $4.48 billion offer to cover the cost of remediation. Absent due diligence, Verizon would have paid for the email accounts and then found itself liable for the problem. Conversely, Marriott purchased Starwood and discovered a massive data breach in the reservation system that resulted in the hacking of personal data, including passport numbers, for millions of customers. Marriott failed to conduct proper due diligence during the transaction and has since incurred many millions of dollars in expenses to remedy these issues.
When two enterprises merge, the major concern is the integration of two distinct organizations. Most merging entities recognize the challenge of combining physical, cultural and operational systems, but often neglect or miscalculate the complexity of the required integration of IT. In my experience, the reliance on synergies and applicability of existing systems is generally overestimated; as a consequence, the cost to merge IT systems is generally underestimated. Most organizations are struggling just to integrate and optimize their own systems and would be severely challenged to assimilate a new one or to migrate the entire company to the best option available.
IT Staff Considerations
Put yourself in the shoes of your employees. An imminent merger or acquisition threatens their continued employment. Destroying documentation; changing protocols, passwords, etc.; and installing obsolescence into IT systems are just three strategies to create a level of indispensability that would protect their job or cause damage to the business once they are let go.
It’s important to remember that the overwhelming majority of people would never consider such actions. But it only takes one bad actor to wreak havoc for a company. Those closest to and with the deepest knowledge of the technology, software, systems, and processes that keep the company running smoothly are the ones with the greatest potential to do major damage. There are numerous accounts of these events in mergers and acquisitions. Companies can protect themselves: there are defense mechanisms against this kind of behavior that are the purview of IT experts.
The Leakage of Intellectual Property
Bearing in mind the same caveats about human nature, employees have been known to steal information. Not just a priority when selling the business, protecting intellectual property must be a core due diligence practice at all times. In one of my own businesses, an employee downloaded critical business information and intellectual property and used it to establish their own company, now worth a significant amount of money. During acquisition discussions, determining who is most likely to feel their job is in jeopardy can lead to defensive measures that protect intellectual property prior to completion of the purchase as well as throughout the lifespan of the business.
Social Engineering Hacks
While these sorts of attacks are an ever-present threat to businesses, smart criminals know that companies are especially vulnerable at times of sales or acquisitions and can exploit the situation to steal money. In a growing wave of cyber theft, we are seeing increasing incidents of thieves hacking into company email and sending requests for payments that go directly to an offshore account. Staff, aware that a transaction is imminent, comply with the request and suddenly large sums of money are gone. A client of mine avoided this scam only because the accounting employee questioned the CEO in person about transferring funds by wire. This is the exception that proves the rule. Oftentimes, transactions like this, which would be easily flagged in the normal course of business, are processed without hesitation during a sale because atypical financial transactions are commonplace during these periods.
The final vulnerability to look for is relevant to publicly traded companies. Before a deal is ever announced, there will be rumors circulating about the sale. More dangerously, there will be ongoing chatter between business leaders that reveals sensitive information, most especially a possible sell date.
While rare, it’s not unheard of for opportunistic employees who know their way around the company’s systems to gain access to email communications and monitor leadership’s emails over the ensuing weeks and months, parsing them for valuable details. They then use this should-be-confidential insider information to make personally advantageous stock trades. Many young IT professionals have been arrested for this kind of breach.
The positive thing to keep in mind here is that these attacks are avoidable. Managers who get caught in this trap are usually using an unsecured email server like Gmail, to which some employees have full admin access. Companies in the midst of a sale or acquisition cannot afford to be naive about access to information. An added emphasis on private communication and enhanced security provisions around sale preparations can easily remedy this kind of vulnerability.
Understanding these six elements of due diligence facilitates a process of digital risk mitigation that can save investors millions of dollars and secure the viability of entities in our industry that provide critical services to a population in serious need.