5 minute read 28 Mar 2018

Four questions to ask before you trust a digital deal

Related topics Digital Trust Risk Cybersecurity


M&A can help businesses seize digital opportunities. But to avoid nasty IP and cybersecurity shocks, thorough due diligence is a must.

When it comes to enhancing digital capabilities, the majority of corporates (67%) see M&A as the most efficient way to get there, according to EY’s Digital Deal Economy Study, which surveyed more than 600 chief executives at non-technology companies from around the world.

However, cybersecurity and reputational risks are weighing down dealmakers seeking to buy into the digital revolution — indeed, 86% said they needed to be more prepared when it came to cybersecurity.

“Cybersecurity and the associated risks are some of the biggest problems facing businesses today,” says Rob Genieser, a managing partner at private equity (PE) firm ETF Partners, which focuses on investments in tech-enabled businesses and includes MWR InfoSecurity, a provider of cybersecurity for smart grids.

“When it comes to technology, there are now two parts to any deal,” he says. “First, you need to find the great entrepreneurs who have developed great technologies in their businesses. Then you need to make sure that the business is able to protect its technology and its data.”

David Walters, digital and data director at PE firm NorthEdge, says any investor buying into a technology or technology-enabled business needs to be aware of the potential risks, which range from how data is sourced and secured to whether core technology is indeed proprietary and not copied or reverse-engineered.

“For many companies the way that technology enables their businesses has become as important as the core business proposition. When you are buying into this tech enablement, you need to ensure that the IP you are backing is truly innovative and properly owned and that any data and customer information is secure,” Walters says.

Unfamiliar territory

The findings from the Digital Deal Economy Study indicate that executives in industries where technology has not traditionally been crucial to the core business are finding it challenging to assess technology-related risks — and this can be particularly acute when looking to perform due diligence on targets.

The survey revealed that specialized digital-related due diligence, which includes technology, intellectual property (IP) valuations, cybersecurity, social media and digital analytics, was a significant challenge for executives looking to execute a deal.

As complex as technology due diligence may seem, however, there are some basic questions executives can ask that should provide a clearer picture of a target’s digital capability and risk areas.

1. Are there appropriate patents in place?

“Any technology due diligence should look at a company’s patents and its freedom to operate and use its technology,” Genieser says.

“The pace of innovation is rapid and people can grab information and IP away from a company. Always assess whether there are patents in place, how defensible those patents are and whether there is a compelling business model around those patents.”

2. Does the company comply with security standards?

A key aspect that bidders need to examine when performing due diligence on a target’s technology is whether it complies with key industry standards, such as the Payment Card Industry Data Security Standard (PCI) and ISO 2000.

“The entrepreneur of a tech-enabled company is typically someone who has grown a company rapidly and developed the business organically. Sometimes that means these companies take a few shortcuts or self-certify and tick the boxes,” Walters says.

“If you are buying a company that is storing huge amounts of personal data or growing its e-commerce offering, asking a simple question about whether it is compliant with the relevant industry standard can tell you a lot.”

3. Does the company know how to respond to a breach?

A company’s contingency planning in the event of a cyber hack or data breach is another area that needs investigating. “It is vital to ask who in the C-suite is responsible for that, and what the process is to ameliorate the risk if there is a breach,” Genieser says.

EY’s Digital Deal Economy Study found that 44% of companies had a lack of clarity around accountability and leadership for digital transformation. The survey also revealed that the most significant cybersecurity risks in the transaction process are a lack of a recovery plan resulting from a breach during due diligence (26%) and understanding the target’s vulnerability to attacks (26%).

4. Is there an untapped potential in all that IP?

Digital due diligence shouldn’t focus exclusively on downside risk, but also identify areas where a company can do more to use customer information and data that it already holds.

Walters cites NorthEdge’s investment in health club chain Total Fitness as an example. The business was already collecting member information. By analyzing that data in a controlled way, the business could calculate which members were less likely to renew their membership by calculating the number of times they used the gym.

It could then tailor specific marketing to these members to drive a higher membership renewal rate. Total Fitness was effectively transformed from a gym chain into a data business in the health and fitness sector.

“When we are in the due diligence phase, I am looking at the upside all the time and thinking about how a business can use its data and IP to create more opportunities,” Walters says. “It is about looking at how a company collects data and then turning that into analytics that drives angles.”

Summary

In a data-driven world, dealmakers must make digital due diligence a key part of how they assess deal risks and opportunities.
