Key takeaways
- The increase in M&A activity makes technology due diligence increasingly important for assessing software assets, cybersecurity risks, and potential liabilities before an acquisition.
- Traditional due diligence often overlooks software and source code risks, despite technology becoming a core value driver for many businesses.
- Cybersecurity vulnerabilities inherited through acquisitions can lead to significant financial, legal, and reputational consequences, as illustrated by the Marriott–Starwood data breach case.
- Open-source software licensing obligations can create legal and commercial risks, including restrictions that may affect ownership rights, software commercialization, or deal valuation.
- Automated source code analysis can identify cybersecurity vulnerabilities, intellectual property issues, open-source license risks, and software maintainability concerns during the pre-acquisition phase.
- Vaultinum’s Tech Due Diligence combines self-assessment questionnaires, source code scanning, and expert analysis to help investors evaluate software assets, mitigate risks, and support informed M&A decisions.
Don’t forget the tech
Traditionally, organisations and investors have conducted due diligence covering financial, legal, operations, and human resources. However, when it comes to conducting due diligence of software, this is not always met with the same systematic approach. Often, this is due to the speed at which organisations are implementing new technology in their everyday operations and partly due to the rapid growth of tech-forward companies. With technology increasingly becoming a primary asset to businesses, new issues have arisen which are overlooked in traditional due diligence.
A crucial time for tech security
Recent statistics have highlighted that cyber-attacks are rising sharply in the UK. According to Sophos data, last year 51% of UK organisations were affected by ransomware attacks, with criminals successfully encrypting data in 73% of these attacks (4). Considering these figures, a comprehensive due diligence that assesses both software and source code during the pre-acquisition phase is integral to provide the acquirer with a full view of the potential data breach risks that could lead to serious financial and legal consequences. Furthermore, for those acquiring or merging with a pre-existing company, they run the risk of inheriting hidden data vulnerabilities which can significantly impact the primary company’s business operations, investor relations and reputation. (source: https://news.sophos.com/en-us/2020/05/12/the-state-of-ransomware-2020/)
One of the most renowned cases of insufficient software due diligence resulting in catastrophic consequences is that of Marriott International after their merger with Starwood Hotels & Resorts. Two years down the line, it was revealed that a huge data breach in Starwood’s reservation system had occurred pre-merger, in which 400 million guest records were exposed through a security flaw. This resulted in a $123 million GDPR fine by Britain’s Information Commissioner’s Office, as well as reputational damage for both Marriott and Starwood.
Understanding open-source software (OSS)
But if only the issues ended with hidden data vulnerabilities. For any M&A activity in which the target company’s software is a significant asset of the deal, investors must also consider the potential restrictions that open-source software (OSS) can bring. Today, software developers often rely on public code repositories available on websites like GitHub or Stack Exchange, as it appears to be free at the point of use. However, often these licences are offered subject to conditional restrictions. When using OSS to create derivative products or linking source code to OSS, the integrated product becomes subject to these conditional restrictions, which can include making all or part of the code public or paying a fee for its use. In other words, a company may not have full rights to their product or software.
If acquirers carry out a comprehensive due diligence during pre-acquistition, this can help to avoid liability for the target’s previous use of OSS, and any terms relating to its licencing. And bad news for the software supplier, if OSS is found embedded in their software, investors may walk away from the deal entirely, or at the very least adjust its value and/or terms.
Strengthening Tech Audits
But how to avoid these issues? The first step lies within ensuring that investors have carried out a comprehensive software due diligence during the pre-acquisition phase. Following the advances in AI technology, audits like these can be performed through automised tools which thoroughly analyse every line of code to identify any possible cyber vulnerabilities, intellectual property issues and maintainability risks.
Vaultinum’s Know Your Software Tech Due Diligence
Vaultinum’s Know Your Software Tech Due Diligence offers an online solution for software due diligence that helps businesses and tech investors mitigate risk, gain crucial knowledge of a firm’s technology and increase the value of the software assets.
Know Your Software Tech Due Diligence offers an online self-audit (Know Your Software Self-Assessment,) which analyses Intellectual Property, Cyber Security, Third-Party software management and Software development as well as an in-depth software source code scan (Know Your Software Code Audit) which provides a thorough risk analysis of the software asset, which is evaluated by IT experts.
Automated tools such as the Know Your Software Code Audit enrich the traditional tech due diligence by making audits more objective and less susceptible to human error, ensuring that the acquirer’s reputation, business and liability remains protected and in the best possible position to make bold business decisions.
(1) https://bloom.bg/3EwI5IJ
(2) www.ons.gov.uk/businessindustryandtrade
(3) www.ansarada.com/blog/UK-M-A-set-to-surge-in-2022
(4) www.sophos.com/en-us
