2. Does the company comply with security standards?
A key aspect that bidders need to examine when performing due diligence on a target’s technology is whether it complies with key industry standards, such as the Payment Card Industry Data Security Standard (PCI) and ISO 2000.
“The entrepreneur of a tech-enabled company is typically someone who has grown a company rapidly and developed the business organically. Sometimes that means these companies take a few shortcuts or self-certify and tick the boxes,” Walters says.
“If you are buying a company that is storing huge amounts of personal data or growing its e-commerce offering, asking a simple question about whether it is compliant with the relevant industry standard can tell you a lot.”
3. Does the company know how to respond to a breach?
A company’s contingency planning in the event of a cyber hack or data breach is another area that needs investigating. “It is vital to ask who in the C-suite is responsible for that, and what the process is to ameliorate the risk if there is a breach,” Genieser says.
EY’s Digital Deal Economy Study found that 44% of companies had a lack of clarity around accountability and leadership for digital transformation. The survey also revealed that the most significant cybersecurity risks in the transaction process are a lack of a recovery plan resulting from a breach during due diligence (26%) and understanding the target’s vulnerability to attacks (26%).
4. Is there untapped potential in all that IP?
Digital due diligence shouldn’t focus exclusively on downside risk; it should also identify areas where a company can do more to use customer information and data that it already holds.
Walters cites NorthEdge’s investment in health club chain Total Fitness as an example. The business was already collecting member information. By analyzing that data in a controlled way, the business could work out which members were less likely to renew their membership by calculating the number of times they used the gym.
It could then tailor specific marketing to these members to drive a higher membership renewal rate. Total Fitness was effectively transformed from a gym chain into a data business in the health and fitness sector.
“When we are in the due diligence phase, I am looking at the upside all the time and thinking about how a business can use its data and IP to create more opportunities,” Walters says. “It is about looking at how a company collects data and then turning that into analytics that drives angles.”
Summary
In a data-driven world, dealmakers must make digital due diligence a key part of how they assess deal risks and opportunities.