When we talk about mergers and acquisitions, we tend to focus on financials and physical assets. But what about the company’s technology assets—and all that valuable data? What do sellers and buyers need to consider within this critical area? Host Joe Hellman dove into this important topic recently with guest Donald Raleigh, on The Transaction Abstract podcast.
Donald Raleigh is a self-described technologist. He is the President and Chief Technology Officer at Evolve Systems and has an extensive background in military intelligence, technology, and cybersecurity for public and private enterprises.
Has the company you are considering buying or selling been properly protected in terms of IT structure and risks? Is everything in place to ensure a smooth, successful transition once a deal is closed? A lot of founders, especially in the middle market, do not have someone who runs the technology part of their business on a day-to-day basis.
Over time, says Raleigh, founders make the best decisions they can about what technology, laptops, and specific SaaS (software as a service) offerings to buy. However, the main focus as they are preparing to buy or sell a company should be on performing an IT audit. Leaders should document their physical assets and their databases, and examine the embedded systems they may take for granted.
For example, antivirus typically deals with what comes inbound into your system, so how do you protect the edge points when data is outbound?
There is tension in the IT world, Raleigh notes, between opening things up as much as possible and locking them down so that your proprietary information does not get leaked. An organization’s risk tolerance is a key factor in determining whether on-premise or cloud-based systems are preferable.
If a company has proprietary documents and data and there has been a breach, lawyers and others on the M&A team will ask what was done to prevent that event. Was the data encrypted, and if so, to what level?
Passwords are a typical weak point. Single sign-on, or signing on via Facebook or Google, increases risk. If you have a master password and it gets compromised, all of your passwords are then compromised. We use our phones to access critical data, another point of potential risk. It is better to use two-factor authentication and passphrases that are not easy to guess. That applies to every employee because you are only as secure as your weakest link.
In the area of compliance and regulations, buyers should pay as much attention to the quality of the data and data services within the organization as they do to the quality of the bottom line. One simple example—has the company purchased licenses for Microsoft? Are they all up to date? It is also important to consider the software each company is using for accounting, word processing, etc. What is being done to make sure they are going to be compatible as you assimilate that organization?
Raleigh says IT people need to make sure they are keeping up with the latest threats and mitigating them before ever considering selling or buying another company. Where is your data? In residence, in transport, in the cloud? And have you ever actually tried to restore backed-up data? If not, you are not protecting all of your end-point edge points.
Technology and data security should not be afterthoughts, and a successful transaction will depend on close communication and collaboration throughout. So Raleigh advises getting your CTO on board with the M&A team right from the start. That way, they can work directly with their counterpart to ensure smooth integration that does not result in gaps or redundancies.