Due Diligence the Right Way During COVID-Era Acquisitions

Part One: Technology Questions and Considerations

OK we’ll admit, this mug made our team chuckle more than it should have. Maybe we’re just suckers for M&A-based humor? It’s a pretty accurate depiction of the new realities we’re all now facing in the world of business transactions.

COVID-19 has changed everything so drastically and so fast that almost all companies, even those with robust disaster plans in place, are learning as they go.

For private equity investors and potential buyers, it’s safe to say thorough due diligence on the technology side of the house has never been more important. At Sikich, we see too many transactions take place with very little IT due diligence. Simply checking off boxes without a deep dive these days could plunge buyers into a danger zone of costly breaches, liabilities and losses.

Our technology experts put their heads together to help you understand the breadth of considerations brought about by the pandemic and the questions you or your consultants need to ask across several key categories. Some are familiar old standards worthy of extra scrutiny, and others are uncharted territory.

If you take just one thing away from this article, make sure it’s this: Examine everything.

The Basics

Always start at the beginning. If that’s not on a coffee mug yet, it should be. In this case, potential buyers should start their IT due diligence with an audit to determine the target company’s network posture before doing anything else. This audit should include an inventory of all current equipment in use across the company, along with the following questions to help determine the need for any changes or additional investments:

  • How old is the hardware?
  • What security measures are in place?
  • Is the network infrastructure primarily on-premise or in the cloud?
  • Are software licenses current and appropriate for the number of users?
  • Does the business have a robust continuity plan covering a range of scenarios?

The Workforce

About 25% of Americans employed in August 2020 worked remotely because of COVID-19, according to the U.S. Bureau of Labor Statistics. Telework can keep a company humming along, even as pets or kids sneak their way into every Zoom call. But companies need to account for heavier network traffic and worse—potential exposure to viruses and phishing attacks.

Questions to ask regarding the workforce include:

  • Does the company have flexibility to allow remote work?
  • Are vetted remote work policies in place? Are employees capable of compliance?
  • Are remote workers using company-provided laptops and phones or their own devices?
  • Does the company have information security policies in place reviewed by all employees? Have these policies been updated to reflect a remote environment?

Compliance Agreements and Security Controls

The last thing you want from a transaction is to be stuck holding the bag for a company that didn’t follow through on its information security policies or third-party requirements. That’s because that bag usually contains substantial fees and fines, not to mention business losses from not following best practices.

Always ask these questions up front prior to any acquisition:

  • Is the company required to follow third-party compliance requirements, such as HIPAA? If so, is the company currently in compliance?
  • Does the company have contractual security obligations with key clients and are they currently being met?
  • Can the company still meet either compliance or contractual requirements with a predominately remote workforce?
  • How does remote work affect security controls? Is someone coming on-site regularly to ensure servers and other equipment remain in compliance with physical security controls and updates?
  • Does the company currently use mobile device management solutions for employees using their own devices?

Vulnerabilities, Inside and Out

The best way to see if bad guys can access a company’s systems? Let the good guys try first with penetration tests.

Penetration tests are like everything else: You get what you pay for. Running an automated “penetration tool” that spits out a report is not enough these days to qualify as adequate due diligence. Your penetration tests should involve trained people, not robots, who behave like attackers would.

You’ll also need to account for several types of tests:

  • External penetration tests challenge the strength of a company’s outer cyber perimeter. Can someone in the coffeeshop down the street or in China get behind your walls?
  • Internal penetration tests gauge just how far someone with limited access, such as a vendor or entry-level employee, can get into a company’s systems, intentionally or not.
  • Application penetration tests make sure apps and custom software don’t give malicious attackers access to sensitive data through the application itself, even when the company’s network is locked down tight.

Expect Roadblocks

We understand due diligence isn’t always fun or easy, unless you’re a true M&A nerd. Each engagement has its own set of unique issues and challenges. When scrutinizing IT, make sure you calibrate your expectations to account for when the going gets tough.

This isn’t exactly breaking news, but when you acquire a company and their IT department, the IT folk may not be especially eager to cooperate with buyers or consultants who come around inspecting their work and questioning their processes. Their lack of hospitality might make it difficult to get the answers you’re after, but that doesn’t mean you should leave with anything less than you came for.

Buyers can run into similar problems when pursuing a divestiture versus a whole enterprise. Divestitures may not come with the parent company’s systems or licensing assets. You might have to set up an in-depth consultation to plan and implement an all-new IT/cybersecurity strategy.

Let Sikich Lead the Way

Due diligence is kind of our thing. It gets us out of bed every morning. Our dream team of technology consultants knows the questions to ask, the systems to examine and which IT gaps invite the greatest risk.

Contact us to learn more about how we can help you make informed decisions during unparalleled times. And if we see more funny coffee mugs, we’ll send them your way.


This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author