Responding to the Rise in M&A Activities
If 2021 was a big year for European dealmaking, 2022 looks set to be even better.
Currently the UK is western Europe’s M&A hotbed: it accounted for more than 32% of deals in 2021 (1) and has seen a £1.1 billion increase in domestic M&As in quarter 1 alone, when compared with the same period in 2020 (2). This success looks set to continue well into 2022, with the Ansarada UK Dealmakers Survey showing that 90% of its respondents (senior executives from 50 UK-based firms across investment banking, private equity, and M&A) believe that the number of M&A deals in the UK will increase in the next 12 months, with 54% believing it will increase significantly. (3)
Taking this into consideration, M&As are clearly a focal point for accelerated organisational growth and development as we look to the year ahead. But how can investors take advantage of this promising landscape whilst ensuring that they don't fall victim to the ever-increasing threat to cyber security?
Don’t forget the tech
Traditionally, organisations and investors have conducted due diligence covering financial, legal, operations, and human resources. Due diligence of software, however, is not always approached in the same systematic way. This is partly due to the speed at which organisations are implementing new technology in their everyday operations and partly due to the rapid growth of tech-forward companies. With technology increasingly becoming a primary asset to businesses, new issues have arisen which are overlooked in traditional due diligence.
A crucial time for tech security
Recent statistics have highlighted that cyber-attacks are rising sharply in the UK. According to Sophos data, last year 51% of UK organisations were affected by ransomware attacks, with criminals successfully encrypting data in 73% of these attacks (4). Considering these figures, comprehensive due diligence that assesses both software and source code during the pre-acquisition phase is integral to providing the acquirer with a full view of the potential data breach risks that could lead to serious financial and legal consequences. Furthermore, those acquiring or merging with a pre-existing company run the risk of inheriting hidden data vulnerabilities which can significantly impact the primary company’s business operations, investor relations and reputation. (source: https://news.sophos.com/en-us/2020/05/12/the-state-of-ransomware-2020/)
One of the most renowned cases of insufficient software due diligence resulting in catastrophic consequences is that of Marriott International after their merger with Starwood Hotels & Resorts. Two years down the line, it was revealed that a huge data breach in Starwood’s reservation system had occurred pre-merger, in which 400 million guest records were exposed through a security flaw. This resulted in a $123 million GDPR fine by Britain’s Information Commissioner’s Office, as well as reputational damage for both Marriott and Starwood.
Understanding open-source software (OSS)
If only the issues ended with hidden data vulnerabilities. For any M&A activity in which the target company’s software is a significant asset of the deal, investors must also consider the potential restrictions that open-source software (OSS) can bring. Today, software developers often rely on code from public repositories available on websites like GitHub or Stack Exchange, as it appears to be free at the point of use. However, this code is often licensed subject to conditional restrictions. When OSS is used to create derivative products, or source code is linked to OSS, the integrated product becomes subject to these conditional restrictions, which can include making all or part of the code public or paying a fee for its use. In other words, a company may not have full rights to its product or software.
If acquirers carry out comprehensive due diligence during pre-acquisition, this can help to avoid liability for the target’s previous use of OSS and any terms relating to its licensing. This can be bad news for the software supplier: if OSS is found embedded in their software, investors may walk away from the deal entirely, or at the very least adjust its value and/or terms.
Strengthening Tech Audits
How can these issues be avoided? The first step lies in ensuring that investors have carried out comprehensive software due diligence during the pre-acquisition phase. Following the advances in AI technology, audits like these can be performed through automated tools which thoroughly analyse every line of code to identify any possible cyber vulnerabilities, intellectual property issues and maintainability risks.
Vaultinum’s Know Your Software Tech Due Diligence
Vaultinum’s Know Your Software Tech Due Diligence offers an online solution for software due diligence that helps businesses and tech investors mitigate risk, gain crucial knowledge of a firm’s technology and increase the value of the software assets.
Know Your Software Tech Due Diligence offers two components. The online self-audit (Know Your Software Self-Assessment) analyses Intellectual Property, Cyber Security, Third-Party software management and Software development. The in-depth software source code scan (Know Your Software Code Audit) provides a thorough risk analysis of the software asset, which is evaluated by IT experts.
Automated tools such as the Know Your Software Code Audit enrich the traditional tech due diligence by making audits more objective and less susceptible to human error, ensuring that the acquirer’s reputation, business and liability remain protected and that the acquirer is in the best possible position to make bold business decisions.