Special Report

How IT Challenges Can Thwart Your M&A Strategy in the Form of Failed Deals
A Straight Talk conversation about the importance of IT teams having a seat at the table when building business strategy

Special thanks to Aaron Martinez for moderating this conversation.

When it comes to preparing for a merger or acquisition (M&A), the most complex transaction component in a deal is often IT.

Aaron Martinez sat down with three panelists for a candid discussion about common IT challenges to consider during a transaction. Whether it’s scalability, reliability, cybersecurity, or enabling business strategy, IT is an essential business function that can deliver significant value.


When the integration is successful, it culminates in the potential to deliver an issue-free transaction, exceed cost and revenue synergy targets, integrate critical business processes, and minimize customer disruption.

A bit about our panelists: Chuck Andrews specializes in IT systems selection and implementation. Devin Osterhout, meanwhile, helps companies align their enterprise IT environments and processes with their security requirements. And Jason Koski focuses on IT due diligence and merger integration.

Let’s begin.

An Overview

Aaron Martinez:

Hey everyone, thanks for joining us today. We’re going to have a quick conversation about IT diligence. This is a pretty hot topic right now in terms of the downturn and the deal cycle.

Since the beginning of 2022, things have been moving so fast that companies have done a cursory review on the IT side. And despite our findings and the issues that we come up with, they still sometimes decide to go forward with the deal.

And then they’ll come back to us six months later, saying, ‘Oh my gosh! We’ve got to repair some of these things. You were right. We really need to think about some of the scalability or cyber risks that were captured during diligence.’ IT due diligence is such a critical marker for the health of a deal.

Firms are looking more closely at deals to understand investments required to grow the business, the payback period, and how IT can accelerate this strategy. Multiples on deals are coming down slightly, and higher interest rates carry more costs and thus more pressure to deliver greater topline growth. But from a technology perspective, Chuck, what have you seen when it comes to the success of M&A transactions?

Chuck Andrews:

The biggest challenge that I see when we do have the opportunity to engage on the IT diligence is that there’s the supposition that, ‘Hey! Just tell me what the red flags are out there. Just show me the red flags.’ And at the end of the day, you know, what you should really be looking at is, does this technology enable the investment hypothesis, right?


“There are...misconceptions (when it comes to IT). Oh, I’m a small target, it’s no big deal. But small targets are great. Small targets are easy. And the bad actors out there perpetrating these acts know that.”
Chuck Andrews, Director, IT Systems Assessment & Planning Consulting

You’re making the investment. And so, beyond the fact of red flags—and this is not to say that by any stretch would you discount cybersecurity—but looking across your enterprise resource systems and looking at your collaboration systems and where you need to take the business based on the investment, does the tech stack help you meet the goals of your strategic plan? Does it enable that transformation process to meet the targets associated with the investment hypothesis?

To me, therein lie the gaps that are harder to fix. Again, no discredit to cyber. Definitely, if there’s been a breach in the past, you want to know about it. You can mandate security policies—much of this is non-negotiable; but you can’t mandate the strategic alignment of business systems, which is where the conversation should start. If I’m looking at business systems, there’s a lot more involved with negotiations and nuance.

Aaron:

I don’t know, Devin, do you take some offense to that? (laughing)

Devin Osterhout:

I mean, there is truth to what Chuck said—from a cyber perspective, yeah sure, you want to know if there’s a breach.

But really, you want to know—how did you respond to that breach? And does the company actually have the governance in place to know how to react? And did it impact the throughput of the company? Did they have to cease operations for a period of time—because you may have a great system, but if you can’t access it anymore, it’s going to affect that acquisition.

So, I definitely think cyber is a big part of it. Not only cyber tools, but it’s really cyber process. And that’s harder to measure, for sure.

People: The Biggest IT Risk

Aaron:

Jason, you worked on a deal where there were a bunch of holes in the transaction. And despite the warnings to the company of, ‘Hey, get out of this deal, go somewhere else,’ they still went forward with it. One of the key issues we found there was around the people.

Jason Koski:

It’s common to see people risk. And sometimes the people risk is a little bit beyond a company’s capability to address. It’s more something they might try and solve by bringing in an outside service provider versus trying to develop the talent themselves.


And what Chuck was saying earlier makes a lot of sense as well. Companies often don’t know how to think about the infrastructure. They’re coming in and thinking about it from an insurance perspective and a risk perspective and maybe getting through reps (representations) and warranties. They’re checking all the boxes off without understanding what they’re buying and what the investment is going to entail.

Aaron:

IT still has this reputation: Just leave it to the IT professionals and they’ll take care of it, like throw it over the fence—it’s just an IT thing.

Anymore, IT is a business critical business capability and enablement function. You can’t just think about the investment or even running a business without understanding how technology is actually going to support that.

And it’s amazing to me—sticking to the cyber point—that a lot of these issues that we run across are with the people who are paying bills, collecting cash, taking orders—and getting phished.

They’ll click on this link or let somebody in through the front door, or whatever, and all of a sudden they get these issues on hand.

So despite all the rigors you put on the financial side, if you leave the back door wide open, then guess what happens? You’re talking about millions and millions of dollars in investments. You lost all the value in the deal because of these cybersecurity threats.

Chuck, what kind of things have you seen from an application standpoint? I know you work a lot with people putting new applications in the business. How well do they get on with those things?

Chuck:

We’ve all been kind of hinting around it. Generally, the biggest risk is with the people, it’s the adoption. It’s folks being willing to dive in.

Depending on the kind of deal we’re talking about, either the deal comes with a lot of folks or the deal doesn’t, particularly on carve outs. This is where, to Jason’s point, they’re going to bring in outside service providers on a lot of these situations because they used to have shared services and now they have nothing.

And to further complicate matters, it’s a carve out. Tick tock, tick tock. The transition service agreement is running out. You know, how can we stand up secure infrastructure that enables the business to get where it needs to get to, or at least to the next level, in the four or five months we need to make that happen? Tops, if I’ve got that much time at all.

Aaron:

I would say it’s 90% change management, 10% technology.

Chuck:

Right.

Aaron:

It’s so difficult. Despite how bad the systems are and how poorly they’re run, people get efficient with bad practices. And they like the idea of putting something brand new in, but hate the process of getting there.

Once they get to the point of implementing something new, they’re fine. But it often takes nine months to convince end users that they need to do something different. Change management is a big thing.

Chuck:

People are creatures of habit.

And again, depending on the deal—how many people you’re getting, how hard are they having to work, and how much change are they having to absorb very quickly. It’s particularly cantankerous when we’re dealing with the carve outs. And there’s more of them coming, you know.

Aaron:

I agree with that. There will be a lot more carve outs and strategic acquisitions, add-ons, and tuck ins, and so forth. And those come with their own issues, as you said.

The other element related to technology is the culture of the firm itself. How do they operate themselves? Are they very agile? Can they make quick decisions? Can they download things and do whatever they want?

The bigger you get, obviously, the bigger risks come about. The best run organizations, like IT organizations, are the ones that have common practices, common tools. Something they can manage efficiently.

It’s when they start getting Apple and Google and Microsoft, all these products in place, and they don’t have the technology team that can actually manage all that stuff. That’s when they run into these issues.

Chuck:

Definitely. And with the cloud being part of the problem, if you will, with people having to adapt to that, you now have much more of a business focus to IT than you had in the past.

I mean, at the end of the day, your provider is supposed to be taking a lot of that stuff off of your back. And what you should be doing is managing the application, managing the process, and adapting people to that process.

I’ve just come back from a leadership conference for private equity, and everybody was talking about people, people, people. That’s where the struggle is.

Devin:

Some of the challenges that we need to be considering are that a lot of states are starting to create laws that are imposing more data security and privacy governance—the regulatory aspects—even in the non-tech sector.

I know as I’ve worked with companies, particularly in the health care space where they have these great compliance departments, they have a lot of process in place; but a lot of that doesn’t always bleed over into the technology team.

So if you’re going through a merger, it’s even a larger challenge, right? You say, OK, we’ve actually got our regulatory compliance and governance in place, but now we’re going to buy this other company, and how do we merge some of those challenges?

Leveraging Third-Party Vendors

Aaron:

Yeah. You started hitting on some of the third party challenges. We talk about that all the time.

Why are companies in the business of IT security when they’re not really that good at it? You’re really good at selling whatever you’re selling or you know how to go to market. You’ve got customer attraction, but the back end is not your thing.

Jason, you’ve worked a lot with these managed service providers, or MSPs. What are your thoughts on that?

Jason:

It brings a broader level of expertise that many companies can leverage—it’s expertise that grows and scales with the business. Too often we go in and see a single person operating the backend who’s been there for a long time. Everybody loves this person, but there are usually a lot of holes in security and modern practices for managing IT are lacking.

When you bring in a security provider in some capacity, they provide a specific type of insight. And people are hesitant, especially in IT, to give up that control.

They may feel that bringing in an outsider might threaten their position, which is unfortunate. So, it takes a little bit of leadership to figure out how to navigate that situation to produce the best outcome for everyone involved.

Aaron:

Right. Especially when it’s a founder-led business.

They created the thing, they love it, they have their own hand-picked people. They put all of it in place. Then we get in, take a look at it, and realize that who they have in IT can’t take them to the next level. It’s generally a very small team.

It’s a hard discussion around how do you convince somebody that you’re in another stage of growth? You’re getting a lot of private equity money behind you. You need to start professionalizing the group.

And some of those decisions can be really hard because it’s a personal relationship those folks have. They’ve probably worked with them for a number of years. It’s a hard pill to swallow sometimes, when they say that person isn’t the one.

Chuck:

Agreed.

Devin:

Sometimes it’s that they have a few flat spots that need to be rounded out. But that’s a different decision, right? Do you have to replace or can you supplement?

The Challenge of Integrating New Technology

Aaron:

The other area I see a lot too is just how do companies think about investments going forward.

Again, a lot of these lower middle-market businesses are coming out of the VC world and getting into private equity for the first time. They’re starting to mature into the middle of the middle market, but do they have real discipline around how they spend money for IT? IT needs to be a really well-run business.

But how do you make sure you’re putting proper investments in place to grow with the business? We talk a lot about analytics and digital and data, for example.

I don’t really see that happening in the middle market as much. They’re slow adapters, but there’s so much new technology that’s coming out that’s going to be much more user accessible. They’re almost going to be forced to have to deal with it—think ChatGPT. Anybody can go out there right now and start typing stuff in and creating stuff and there’s no control over it.

Chuck:

Definitely.

One of the things we see both on the assessment and the implementation side—and talking to some of our folks that are actually implementing enterprise resource planning software, or ERPs—is that most of these companies are really good at the revenue side, obviously, or they wouldn’t be growing.

But spend management? Forget it. Purchase decisioning? Forget it.

I mean, these are areas where they’re naturally weak, because to survive this long, they need to make money and they need to not spend as much—or however they look at it. And that results in either short-sighted decisions or lack of control on purchasing or a lack of diligence on purchasing. And like you were indicating, Aaron, lack of knowledge about what’s out there.

And to Jason’s point, dealing with MSPs—they’re going to have arrows in the quiver you don’t even know about, in terms of problems that can be solved. And leveraging that staff augmentation with experts can bring to bear the tools that companies aren’t aware of to solve problems like spend management.

Aaron:

It comes back to the IT brand, right? And not being just the IT professionals, but IT business strategy kind of folks too.

How do you think about investments? How do you think about the return on an investment? Like, what’s infrastructure? Critical must-have, ongoing, year-over-year spend related to projects and upgrades versus those that are going to be more transformative. And how do you start putting yourself in a position where you can start talking to your executive team in a way that has business impact and technology capability underneath that?

Often, IT professionals are held at the door until a decision is made and then we’re brought in to fix things. Why go through that pain and suffering? Talk a little about the business strategy up front.

Chuck:

But when you look at that in the mid-market, there’s what I would call the tier one market. You need to have transformation. Is the investment you’re making going to transform you?

And the locus of control on that? You’re in charge of your transformation. Your technology isn’t going to do it for you, so you have to deal with the people.

But also, when these companies are making decisions about technology, what key performance indicators are you going to tie to that technology that you’re transforming? Where is the transformation assurance that you’re getting from point A to point B?

Those decisions need to be made early on and the technology team needs to be involved in those decisions. They need to understand those decisions viscerally.

Merging Different IT Methodologies

Aaron:

I agree with that.

Jason, you worked on a deal where there were a couple of companies coming together and both were strong IT organizations. They were both very good independently, but they had different methodologies, completely different methodologies.

It can be a real conflict. And in fact, it was such a conflict that they didn’t bother integrating them. They’re going to let it run for a year or two and then decide if they want to merge their methodologies later.

That’s a very costly decision because you now have two IT groups that you’re running independently, so basically two CIOs and everybody else underneath them.

But there are a lot of best practices they should be picking up from each other and starting to move in one direction to start adopting one mindset. I think it’s a limiting factor sometimes. Jason?

Jason:

I agree with that. They should be picking up best practices from each other and evaluating consolidating services. Keeping things separate, if it makes sense from a business perspective, you know, go for it.


“Just going in and trying to fix all of your IT so it’s modern isn’t the right solution without getting some outside points of view.”
Jason Koski, Senior Manager, Due Diligence Services

But when you’re just doing it because you don’t know how to integrate the business? That’s not the right approach because there are a lot of issues and holes around it.

Often, when we’re coming in, a lot of sellers know their IT is bad, and so they’re doing work to make it look good. And they have a good story about all the things that they’re working on and how it’s all going to look good when they’re done. But, sometimes, just going in and trying to fix all of your IT so it’s modern isn’t the right solution without getting some outside points of view.

Also, some of the comments you made on budgets earlier, Chuck, kind of stuck out to me because it’s rare that I see a company with a dedicated IT budget. Usually, if they have control over their capital spend, I consider them to be somewhat ahead of the pack.

But as you start to look under the surface a little bit, you see, in terms of spend, they haven’t really thought about budgets. They don’t have any kind of formal project plans in place. And all of these bad habits that they never solved are kind of bleeding up into all this transformative work that they’re doing.

IT Documentation Dash

Aaron:

It isn’t uncommon to go to the data room and find that all of the documents were created within the last three months. You get 500 new documents and, you know, they’re all three months old; they never had anything prior to that.

Chuck:

We find that interesting as well where we’ll go in for an assessment that maybe doesn’t even involve a transaction. I always tell them that we come at it very much the same way your team does, Aaron, as if there was a transaction.

There’s an information request list, document request list, whatever you want to call it. And yeah, file creation dates are one of the things that we look at.

And often they’ll say, ‘Yeah, you know, I hammered out this process last night so you could know what we’re doing.’ And we always tell them to just wait for the interview session if you don’t have the documents. Don’t waste your time if you don’t have them. We’ll talk through the process.

But no 11th hour documents, please. We make that request specifically—because they’re not going to be accurate at all.

Aaron:

Yes! And when I think about specific industries like software and tech-enabled businesses—they’re always interesting.

So they’ve got IT for IT’s sake, but IT is a capability for the company and that’s what they’re actually selling, so it takes on a whole different meaning for IT diligence. They need to look at the CTO role, the CIO role, their investment; it’s all in one. And it’s pretty complex.

Devin, we worked on a couple of these as well. How are companies thinking about their investments in these platforms? Now we have to really extend the net. So it’s not only looking at those specific companies, but who else are they using?

Typically, there are a lot of outside developers involved, whether it’s third parties, onshore, offshore—where is data going? Devin, you’ve hit some of those things.

Devin:

For sure. That’s one of the things we’ll try and look at.

In terms of the development team, how current is that team? Do you have people that have been there for a long time, or is it a brand new team? Do they have a hard time with retention? What is the team culture? What is the team health? Because if you’re buying that company for their product and the development team has, you know, completely left and been replaced, you’ve got to worry a little bit about that product.

And I do want to bring up MSPs. I know we’ve talked about it a couple of times.

You know, one of the situations where I got called in for—it was a smaller company. They outsourced their IT and their security to an MSP, and they got breached. So they wanted to get a third party to come in and asked, ‘Hey, we trust our MSP, but we got breached. What should we do?’

And this kind of ties back to the comment we made earlier around, sure, if you’re talking to a company that’s going to get acquired and they’ve had a breach, it’s not just, ‘Hey, you’ve had that breach.’ But were you actually able to characterize those threats, the vulnerabilities, and could you then demonstrate what interventions you took to improve that cybersecurity?

In this example, they had multifactor authentication. So they felt pretty secure, but they still got breached. The attacker was very determined and so after the breach, they brought in a third party to do the forensics work.

When I reviewed the report from the forensics work, it was easy to see that they had some security in place, but they didn’t have a mobile device management solution in place.

So essentially, the attacker got in the middle of the MFA (multifactor authentication), installed their own authenticator, and was able to authenticate from an untrusted device into the client’s environment.

So, having an MSP without oversight can be problematic too. They didn’t really have a CTO or CIO in that company—it was pretty small—and so you can’t fault them for what they did, but it was an interesting scenario to be a part of and to see.

Having some review is a good thing, if possible.

Multiplying Factor of Risk

Aaron:

A lot of the businesses that we work with, they’re working with really large Fortune 500 companies as their customers. And so there is a risk not only to the buying company; that risk also extends to their customers.

If a hacker gets in and makes their way in through a VPN into corporate, the Fortune 500 now has a huge problem. This could potentially take that company and put it out of business.

And we look at that all the time. It’s not only the risk of how you’re doing things and the exposure that you might have and the phishing and everything else, but you have to think about where that data and the reach can go. It doesn’t just stick within the four walls of that building and the people around it. It can go pretty far.

Devin:

Yeah. I mean, that makes me think of an example we dealt with where we were doing some due diligence on the security side. The company was an aggregator, so they had a lot of information from other customers. And they built their own tool internally, which has pros and cons; you don’t have a lot of known exploits for your internal tool.

But if you haven’t developed it securely, there still are some risks.

So essentially, they had the credentials needed to connect to a bunch of different other companies. It was all sitting in one place that was an internally developed application—and they’ve never had it tested. Sure, it’s inside their network, and that provides a layer of security. But we all know that’s not completely safe. People get in all the time, unfortunately.

So just having that extra layer of testing of that homegrown application was a pretty easy recommendation to make.

Aaron:

Just to put some real context around this. Devin, you’ve mentioned to me that it generally takes just a little over an hour to fully penetrate a business. About $4.5 million worth of risk to the company itself in that short amount of time—this was from an IBM study that benchmarked the average cost of a ransomware attack.

Devin:

That’s right.

Aaron:

Would you say a little over 80% of companies have been breached more than once? I mean, this is a real, real issue. They’re really exposed.

And so we come in and challenge the thinking of the management team. It’s for real. I mean, it’s because of these stats—they tell us that this is a real problem for you. And that’s just with the company you’re dealing with, not even the customers at that point.

Devin:

Yeah. And the visibility—not all companies have that level of visibility to even be able to tell you the answers to some of those questions. A lot of times there’s a third party coming in and doing the forensics work and kind of backtracking what the attacker did to come up with those numbers to contribute to those stats.

The Changing Insurance Landscape for Cybersecurity

Aaron:

Peel that back a little bit, Devin. What have you seen from an insurance standpoint?

Devin:

From an insurance standpoint, cybersecurity rates have gone up a lot. And what we’re seeing in the space is companies that have stronger controls—their rates, although higher than they used to be, are remaining fairly level. But companies that have weak controls or aren’t making the changes that the insurance companies are encouraging and recommending, their rates are going even higher.

So we’re definitely seeing rates going up, and we’re seeing increased expectations in terms of what the insurance companies expect companies to have in place.

Monitoring is one of them, and we were just talking about that: how do you even know who’s been in your network if you’re not monitoring? So they expect monitoring to be happening.

Depending on the industry and the type of business, the risks to the business, they expect multifactor authentication in multiple places throughout the company.


“Companies that have weak controls or aren’t making the changes that the insurance companies are encouraging and recommending, their rates are going even higher.”
Devin Osterhout, Senior Manager, Cybersecurity Consulting Services

They’re monitoring closely the number of domain admins you have and who has authority to do what. And is that overprovisioned, or is it appropriately provisioned?

Insurance companies are starting to get more and more granular in terms of expectations. It’s not just, hey, we pay for this policy; the insurance company is actually going in and they’re expecting this. And if you end up getting breached and you can’t verify that you had the controls in place that you said you had, then they will not cover that.

Aaron:

I always love when you go into the diligence and Jason starts asking around for customer contracts and the cyber insurance policy and they’re like, what’s IT doing here? What do you do with that information, Jason?

Jason:

I’m pretty much always looking at what type of limits they have in place and the types of risk that they’re trying to protect against.

When we approach diligence from an insurance perspective, we’re looking at the controls. For example, password controls and MFA are important, but one of the other places we’re seeing attacks that people aren’t thinking about is just having your cloud services configured properly.

Having Microsoft 365 is one thing. But are you really following the recommended security protections by Microsoft to make sure your data is secure? Because Microsoft isn’t going to come in and do that for you.

And likewise with Amazon Web Services, everybody likes having their stuff in the cloud, but there’s a level of sophistication that goes into securing and maintaining that environment. And insurance companies are starting to be savvier about asking about that and making sure that they’re understanding the risk appropriately.

Devin, you also brought up some interesting comments with internally developed apps.

There’s a certain level of hygiene that needs to go into maintaining these that we’re just not seeing in a one or two-group shop. They have their hands in the day-to-day. They’re connecting IT with the business. They’re making sure all the applications and systems are accessible while they’re also tinkering around and developing applications.

But as we start looking around, it doesn’t look like they’re doing proper security or patching updates. And then almost always we’re going to recommend a pen (penetration) test. And that usually finds a number of critical risks.

Aaron:

Sometimes when we’re looking at these customer contracts, you know, it’ll spell out exactly what the companies are required to do, what data they need to retain, how they protect that data. And again, this is a division of IT does their thing and business will take care of business, right?

This is the crossover. This is that gray area where IT definitely needs to have a seat at the table, because if your customer’s spelled out that you need to either retain data, protect data, protect the failings around the network and so forth, and you’re not doing that, everybody could be exposed.

And IT didn’t know that was a requirement. If they did, they probably would go fix it right away as a priority. And the same thing on the cyber insurance. We look at that and say, OK, what are your limits?

Say you’re insured for $1 million, that’s great. But if the average is over $4 million on an attack, you’re a little short, right?

You might want to look at the whole policy and determine if you’re really covered; and some of these coverages are only for a business unit or a particular location, not the entire place. So there’s a lot of risk involved with not paying attention to the details and failing to get your IT team involved in the business side.

Now, if you don’t have the capability and the expertise there, that’s another issue. But that’s why we always talk about having a seat at the table.

Devin:

Exactly.

The Threat of Reputational Risk

Jason:

You know, I would just add to that: it kind of speaks about disaster recovery and incident response and how people think about it.

Oftentimes, companies are like, well, I don’t have a facility. So I don’t really have a disaster to recover from. But there are other types of disasters and you’re speaking to the intangible costs of a cyberbreach—the reputational risk area.

If someone hacks your credentials and uses that to get into a vendor or customer, there’s reputational risk to you; you could be wiped out. And I mean, that’s very much a disaster. Companies should broaden their thinking about disaster recovery planning and incident response planning as well.

Devin:

Your point about, you know, coverage amounts is important.

But I wanted to go back to the exclusion because depending on your insurance company, they don’t always go in and verify that you’re doing what you say you’re doing.

They give you a survey that you have to fill out and say, yes, I have MFA. Yes, I have patching and all this stuff that they want.

But they’re not verifying that until you get breached and then they’re like, OK, now before we write the check, let’s see this evidence. Let’s see that you have all these things in place. And they have exclusions for failure to patch, so if you’re not patching your systems, you get breached.

Doesn’t matter if you have a $1 million or $10 million policy, they’ll see you didn’t hold up your end of the bargain, and you don’t get paid. This is something to consider as you’re thinking about insurance. They’re expecting more than just a premium. They’re expecting some actions to be taken on your side as well.

Aaron:

And we had a deal on that not too long ago… we were getting a lot of pushback and resistance to what our findings were all about. And we did a pen test and basically pulled out the sheet and said, I’ve got your password right here. You’re exposed. It took us about 10 minutes to get in there.

And I’ve got all your friends and family, too, because you have all your personal information on your computer. So, you know, pay attention. This can be a really harmful thing for your company and for you personally.

Devin:

To what Jason was saying, a lot of times it’s one, two, three people on the team and they’re building a great product, but they just don’t have the cycles and the time to really focus on security.

We’ve even had instances where they’re like, yeah, we do scans regularly and so they’re comfortable that they’re secure. But once you run a pen test against it, you kind of open their eyes and say, ‘Well, yes, you are secure in some areas. But these other areas, you’re not secure.’

They just don’t have the time to get into that. And so helping them see that it only took us this much time. If you have a bad actor who wants into your network, they’ll spend more time than we will. And they can get that same information quickly.

Tech Debt Will Catch Up with You

Aaron:

Yeah, for sure.

You know, going back to the tech-enabled businesses and the software businesses.

One of the things we’re trying to push hard on is looking at the code itself. It’s a real common thing to develop your own code base with a lot of developers involved with it, again onshore and offshore, and where data resides.


“Is the company that’s doing the buying considering tech debt as an adjustment in price or a change in terms within the deal? And that applies beyond tech debt to cybersecurity and digital transformation.”
Devin Osterhout, Senior Manager, Cybersecurity Consulting Services

But eventually, you’re moving fast and you end up accumulating this tech debt. And at some point, you have to address that tech debt. When you go through diligence, that’s one of the things we harp on: Where is your tech debt?

We know it’s out there. We gotta go find it. And what’s the penalty for not doing it or correcting it sooner, right? And Jason, you’ve come across this a couple of times during tech debt discussions.

Jason:

Yeah, tech debt is almost always a natural thing that results from growth—we almost always see this with software development, for example. Growth is good. You know, as you start out, you’re building out this infrastructure to support the business and the size of where you are and where it makes sense.

And as you grow, the infrastructure has more demands to continue servicing your customers and your business. And so the whole growth and moving off of one system and onto another often isn’t thought about up front during planning and in the annual budget.

‘We’re going to go and develop this new thing, but, oh yeah, there might be some costs associated with sunsetting the other infrastructure.’ And over time, especially with, again, with small IT departments, that tech debt never gets resolved. A good example of this would be in reporting.

There could be, potentially, hundreds of reports. End users can just go in and create any report they want, and nobody’s really managing that or cleaning it up. And you go in and you see reports that haven’t been used in years. There’s a lot of stuff like that that goes into the system that just adds weight.

Eventually, it gets to the point where it’s a huge task to go in and clean that stuff up.

Aaron:

And it even relates back to the software code itself, right?

You’ve got something that you’ve been developing for 10 years and that logic from 10 years ago or the code base that you were using 10 years ago might have been state-of-the-art and perfect for that situation.

But because of the way the market changes, the customer demands change, you start writing it differently, you have new developers coming in, and all of a sudden you’ve got some code that’s just sitting out there that’s going to need to be maintained.

But at some point, it’s got to be rewritten.

And if you get too big, it’s a full rewrite on some of this stuff. And again, that’s a much bigger ticket. Reports are an excellent example—the simplicity around it; but when you magnify it, it doesn’t take very long before you realize there could be millions of dollars at stake if you’re not managing it correctly. There’s a lot of cybersecurity risk that translates to financial risk.

Devin:

Yes.

Jason:

Yeah, or ERP customizations are another place that often has technical debt.

Aaron:

Yeah.

Devin:

And your point is valid, Aaron.

Is the company that’s doing the buying considering tech debt as an adjustment in price or a change in terms within the deal? And that applies beyond tech debt to cybersecurity and digital transformation.

I was actually talking to a friend who works in the valuations space—he’s been doing it for years. I was asking him questions about cybersecurity and he said they don’t really use cybersecurity as part of the valuations formula.

We had this conversation earlier in 2023. He actually reached out to me and asked if I could give him the top 10 questions to ask from a cybersecurity perspective that he may want to drill into deeper because he thought in retrospect that they probably should have cybersecurity be part of that formula. That’s something to think about.

Aaron:

Maybe shifting topics a little bit here: Chuck, you have a client you’re working with now. Rapid, rapid growth to the point where they can’t even catch up with their IT strategy and they’re kind of putting it together with band-aids and whatnot. What’s the conventional thinking around that?

Privacy in High-Compliance Environments Like Health Care

Chuck:

Well, it’s kind of like anything else: You’re focused on revenue, you’re focused on growth, and that aspect of things gets overlooked because you know it’s kind of overhead. Often, the sentiment is, oh, well, I’ll deal with that when I can deal with that.

I also think that there are some misconceptions. Oh, I’m a small target, it’s no big deal. But small targets are great. Small targets are easy. And the bad actors out there perpetrating these acts know that.

That’s a challenge.

And also, again, you typically don’t have shared services in smaller organizations. The person who owns security also has their day job and wears many hats. Most people are leaning into revenue and these companies are running lean. This can be a challenge from a capacity and focus standpoint.

But ultimately it comes down to executive ownership of it and just saying, I’m not asking this like a question. This has to be something that gets incorporated into our philosophy. You know, it’s not a one and done. It’s an organic process, and we have to engage in that and bring that aspect into everything that we’re doing in terms of technology and data.

Especially in high-compliance environments. You’re seeing press release after press release in health care where fines are coming in and information is being shared where it shouldn’t be shared. That can be problematic.

When you look at some of the guidance that’s being put forth by Medicare and certain state Medicaid, PHI can’t leave the United States. If I’m in health care, I certainly would like to maintain Medicare or Medicaid as a payer, right?

However, if I make one bad decision in the way I’m handling my data, all bets are off. And again, it’s not a mandate…yet. But how far down the road are you looking? So there are a lot of different considerations, especially on the health care side and especially on the privacy side, in general, where you’ve got a high volume of transactions, a high number of customers, and you’re operating in multiple states. All of this adds layers.

Aaron:

It’s a difficult thing. You mentioned health care, Chuck. We see a lot of transactions in that space and especially tech-enabled capabilities.

We’ve got a couple health care firms that are going after AI businesses, bringing that into health care. It’s really, really fascinating.

Another diligence item that we’re looking at is how do you start looking at different business models coming together? How do you take a really interesting asset like an AI engineering agency or firm and bring that into a well-established health care organization that doesn’t quite understand the technology, but they know they need it?


“I don’t think an organization can survive if the IT department is not in the business.”
Chuck Andrews, Director, IT Systems Assessment & Planning Consulting

Now you’ve got change management at the executive level because there’s real strategic thinking about where they would like to go. And then how do you take an asset and take advantage of it without destroying the value of it by putting bureaucracy around it, you know, and putting process and, you know, overhead with it. It’s one of those changes that we find pretty fascinating. We hit on it a lot.

And I’m talking simple things here that are cultural. You cannot take tools away from a developer group that just runs efficiently. If they run Slack and you run Teams, that’s a big issue. Everybody seems to think, just buy and put them on Teams. No big deal.

Well, guess what. You just slowed down all the productivity, all the innovation, all the things that make it special.

Chuck:

You mentioned the cultural thing, and that’s right.

Like I said, I just got back from this leadership conference where there were 130 technical advisory firms and private equity firms in a room talking about what’s going on. And the topic of Slack or even Google Apps versus Microsoft probably became one of the most contentious debates of the day.

When they’re heavy development, high-tech, disruptive kinds of businesses, I do think that you’re going to see so much of that in health care because you’re moving from a fee-for-service model to an accountable health care model. How can you do population health and accountable health care without AI? You can’t. You can’t.

You’re taking a really stiff forward bet to begin with. And a lot of this we’re seeing in chronic disease—how am I supposed to treat and improve a population? Hypertension, diabetes, anything like that. You need to look at the data and look at it effectively, and figure out where improvements can be made.

But yeah, the cultural thing was a big, big discussion.

And some of the other things that were brought up were some of the things we’re talking about here—where you don’t want to invest, you know, where you’re lagging in certain areas because of your size and priorities. And the fact that you’re going to be facing discounts if the acquiring company has their wits about them at all in terms of the diligence. They’re going to go for it.

Aaron:

What do you think are some of the things that IT professionals can do for themselves to change the perception of being infrastructure-focused: just make sure the network is running and my passwords are set and do the basics.

What we’re talking about here now is a lot more strategic and a lot more enabling of a business strategy. But yet there’s still this fence around IT not being part of the party. I’m curious on each of your perspectives on how that works.

Chuck:

I don’t think an organization can survive if the IT department is not in the business.

There can be no separation. It has to be there. Because if you’re not thinking about how you’re enabling the business or enabling the business plan, you can be counterproductive and not know it. And that’s very, very problematic.

Devin:

And the opposite of that’s true, too. If the business isn’t thinking about ways to utilize the technology to become more efficient, then it’s hampering itself as well. So that relationship is very critical.

Chuck:

It works both ways. Everybody’s gotta be in the room, and all angles have to be considered.

Jason:

Yeah, it goes back to what you were saying earlier about change management, Aaron. So much of what is involved there is working with the end user.

And from an IT perspective, that goes beyond just setting their expectations or telling people what to do. You really have to engage with them.


“As the business matures, its IT had better be maturing too.”
Devin Osterhout, Senior Manager, Cybersecurity Consulting Services

An example of this is security awareness training. It’s one thing to just have everyone do training once a year versus having an ongoing security training platform where you’re testing them, you’re doing simulated phishing, you’re getting them thinking about security. And you’re really tackling that biggest area of cyber risk.

And it requires a level of engagement. To your point, Aaron, that’s going to get them to be viewed less as the IT person huddled in the server room and more as someone who’s actually working with people on the front lines to think about IT and cybersecurity.

Aaron:

We’re in a period of like the industrial revolution back in the day, right? This is the digital industrial revolution. It is a mind shift.

There are so many new technologies that are coming into play. There’s just a bunch of tools landing in our lap right now. We have no idea how they’re going to be used, but we’re growing and all the technology adoption is accelerating. We thought the last 10 years was accelerated and 10 years before that was accelerated. The next 10 to 20 years is going to be mind boggling in terms of what we’re going to run into.

And if we don’t have real smart people up front thinking about the business, like you said Devin, how does technology work for the business? How does business work with technology?

It’s a symbiotic relationship. It’s no longer one or the other. It’s almost like one mindset. How do we start using tools, capabilities, and technology to run a business better—and not just the business processes. We’re talking about how do you actually engage with customers? How do you engage with your suppliers? How do you engage with all the people around your business in the ecosystem?

Because that’s where we’re living. It’s going to be more ecosystem based. We’re going to have to find ways to collaborate better, more effectively. And these tools are out there. So there’s protection concerns, scalability concerns, investment concerns.

When you go through a transaction, all of these things have to come together with the right minds at the table talking about how to take advantage of these things.

Devin:

And those are both tied to business maturity. As the business matures, its IT had better be maturing too.

We kind of talked about this with application development, and if your application grows bigger and bigger and you’re still just supporting it with those two or three people that initially developed it, it’s probably not maturing as it needs to in terms of the business growth and the regulatory growth and all these things that are going to come as part of that application.

You’re not thinking about all of those things, let alone all the ways you can lock down and secure it so it doesn’t become a target for attackers.

Aaron:

That’s what we’re trying to push upon our clients too—to really think about the problems we’re uncovering, the diligence that we’re going through is forward thinking. How can you take advantage of this technology base that they have and really accelerate the growth of your company.

And we’ll be the first ones to tell you whether you can or cannot, and it’s simply because you don’t always have the right people in place, or you have legacy software that hasn’t been maintained, or you have other software that you should be using. Then there’s also how well you use digital and data.

So as diligence progresses into the next layer, the next stage of innovation, we have to look at the same elements—strategy and applications and infrastructure investments.


“There are a lot of advantages for a seller to bring somebody in to take a look at their IT and tell them what some of the potential risks and concerns buyers are going to have.”
Jason Koski, Senior Manager, Due Diligence Services

But a real critical eye is looking at how that becomes a more enabling, transformative kind of capability in the company to do something better. Without that, companies will still be a little bit of a laggard.

Well, we’ve covered a ton of ground today. Let’s wrap it up with what you think is the one main IT diligence next step for companies to tackle if they have a deal on the horizon.

Wrap Up: Top IT Due Diligence Tips for M&A

Jason:

I’ll go.

We’re often brought in from a buy-side perspective, meaning that the buyer wants us to go and look at the seller’s systems and figure out where the holes are.

But there are a lot of advantages for a seller to bring somebody in to take a look at their IT and tell them what some of the potential risks and concerns buyers are going to have.

It can get you thinking about where to focus your time and money before you actually put your company up for sale and have buyers coming in and taking a hard look at it.

Aaron:

You just took my answer! Devin?

Devin:

I mean, all of what Jason said is perfect, but that ties to price in both directions, right?

So if I’m selling my company, let me think through these things and you know, if it’s IT, if it’s cyber specifically, is that actually going to decrease the amount of money I get paid?

Or for the buyer, what am I going to have to put into this after I actually close the deal because we’re going to have to fix this or that. So, yeah, the impact on price in both directions.

Aaron:

Chuck?

Chuck:

I come back to, yes, you need to be looking for the red flags. But also, you know, does the technology stack support the investment hypothesis?

Coming back to that question is important because it also incorporates the risk elements that we’ve been talking about here. If the tech stack is not, for lack of a better term, keeping you between the ditches from a compliance and a security standpoint, and the culture isn’t such that you’re moving in that direction, then regardless of quality of earnings, you may lose everything based on what’s going on with cyber and what’s going on with insurance.

So again, does the technology stack support the investment hypothesis? I think that’s the most important question to ask.

Aaron:

As an executive, owner, executive leadership team, you can’t be afraid of the technology.

You have to start learning it. You really have to be aggressive about understanding where markets are going, what technologies are out there, what developments are happening.

There’s going to be a lot of software that’s going to be sunsetted. There’s infrastructure that’s going away. There are things that if you’ve been around for a long time, you might still be anchored across, you know, technology from 10, 20, 30 years ago. Those things have all changed. They will continue to change. You can’t be afraid of the technology. I know it moves fast. There’s a lot of information out there, but you gotta get smarter about it and understand how to take advantage of the benefits.

Thanks Chuck, Devin, and Jason. It’s been a great chat today; I appreciate all of the expertise that each of you brings to the table.

We’re Here to Help

For more details on how you can establish cybersecurity practices in preparation for a merger or acquisition, whether a buyer or a seller, contact your Moss Adams professional.
