Tech Due Diligence checklist
As the economy continues to shift from traditional brick-and-mortar operations to digital ones, companies face new and evolving risks: software failure, data breaches, privacy disputes, intellectual property issues with open-source software, cyber-threats and sustainability concerns, among many others. In this landscape, security and the protection of digital assets take on a new meaning. It is therefore more important than ever, whether you are an investor or a potential buyer, to know that the company you are interested in operates in accordance with good practice and has laid proper foundations for solid growth.
This article outlines the four main areas of technology due diligence (Intellectual Property, Third-Party Software, Technology Performance and Cyber Security) and the key questions to ask in each.
Intellectual Property
The management of IP is a critical component of the growth and success of a company, and the weight of IP rights in company valuations is gaining global recognition. Intangible assets represented only some 17% of the market value of S&P 500 companies in 1975; by 2015 that share had grown to 87%. A 2019 analysis found that industries making intensive use of IP rights generate around 45% of GDP in the EU (about €6.6 trillion).
Key Questions to consider on Intellectual Property:
- Has the target company acted to protect the IP rights of their software source code by depositing it with a trusted third party or copyright office?
Software, like works of art or literature, is protected by copyright law, and the right arises automatically when the code is written. Asserting it in a dispute is another matter: the company must be able to prove what it owned and when. Depositing the source code, and subsequent updates, with a trusted third party or a copyright office creates independent, dated evidence of ownership of the code at each point in time.
- Are IP transfer agreements in place with all consultants and employees that have worked or are working on developing the software?
In some countries, IP transfer is automatic in employer-employee relationships, but this is not always the case and it is rarely the case for consultants. Missing or defective transfer agreements mean the company may not actually own the code it sells, which creates litigation risk and, in turn, financial and reputational exposure.
- Does the company own all rights necessary to make, use, sell, or offer for sale its actual and proposed products?
The use of high-risk third-party licences (strong copyleft licences such as the GPL or AGPL, or restrictive proprietary terms), without an effective IP management process that identifies and manages these licences and other IP rights, creates obligations or restrictions that may limit the freedom to commercialise the end-product.
Third Party Software
Companies rely more and more on third-party software to run their operations and to build their own software products. Third-party software can be open-source or commercially licensed, and in both cases its use is governed by licence terms. Misusing third-party software, or becoming too dependent on it, can hinder a company's growth and even threaten its survival.
Key Questions to consider on Third-Party Software:
- Have they entered into escrow agreements that give them access to the source code of the software they rely on for their operations, for example if a supplier fails or goes bankrupt (or, for SaaS products, if the supplier's service is taken offline)?
Dependence on third-party software exposes the company to the risk of that software becoming obsolete, unmaintained, unsupported or decommissioned. An escrow agreement gives the company a path to continue operations and meet its client obligations, but only if the deposited code is verified to be complete and buildable and is refreshed as the supplier releases new versions; an unverified or stale deposit offers little protection.
- Is the company able to identify all the open-source software that is used within the end-product?
Integrating open-source software into the end-product may limit the company's ability to commercialise and fully exploit the product if licence terms are not complied with or third-party IP rights are infringed. A company that cannot produce a complete inventory of its open-source components (often called a software bill of materials) cannot demonstrate compliance.
- Do they have a process in place to check for regular updates to open-source software that they use?
Updates often fix security vulnerabilities, so keeping components current limits the risk to end-users and keeps the software behaving as expected. Failing to track updates can also mean missing changes to a component's licence terms, which may in turn restrict how the company can distribute its product.
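The two questions above (can the company list every open-source component, and does it know which ones are behind?) are what a reviewer actually tests during due diligence. The following is an added example written for this article; it is not part of the original text and is not Vaultinum's Know Your Software tool. It reads a constructed CycloneDX-style inventory and a constructed "latest release" map, classifies each component's declared SPDX licence into a coarse risk category, and flags components that are outdated or cannot be assessed. The component names, versions, reference data and licence groupings are all assumptions for illustration.

```python
"""Added example (not from the original article, not Vaultinum's tool):
triage a CycloneDX-style software inventory for licence and update risk.
All inputs below are constructed; the licence groupings are a working
assumption for a first pass, and legal review makes the final call.
"""
import json
import re

# SPDX identifiers grouped by the commercial-use risk they usually carry
# (assumed grouping for illustration only).
STRONG_COPYLEFT = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}
WEAK_COPYLEFT = {
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
    "MPL-2.0", "EPL-2.0",
}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def classify_license(spdx_id):
    """Map an SPDX identifier to a coarse risk category."""
    if not spdx_id:
        return "unknown"        # nothing declared: cannot assess, escalate
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unrecognised"       # declared but not in our lists: manual review


def parse_version(version):
    """Numeric tuple from a version string, e.g. 'v2.31.0' -> (2, 31, 0).
    Deliberately simple; not a full semver or PEP 440 comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def declared_license(component):
    """First SPDX id (or expression) from a CycloneDX 'licenses' array."""
    for entry in component.get("licenses", []):
        if entry.get("license", {}).get("id"):
            return entry["license"]["id"]
        if entry.get("expression"):
            return entry["expression"]
    return None


def audit(sbom_json, latest_known):
    """One finding per component: licence category plus update status.
    latest_known maps name -> newest release the reviewer knows of (here a
    constructed dict; in practice fed from a registry or vulnerability feed)."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        latest = latest_known.get(comp["name"])
        # None means "no reference point", which is itself a finding.
        outdated = None if latest is None else \
            parse_version(comp["version"]) < parse_version(latest)
        lic = declared_license(comp)
        findings.append({"name": comp["name"], "version": comp["version"],
                         "license": lic, "category": classify_license(lic),
                         "latest": latest, "outdated": outdated})
    return findings


def needs_attention(findings):
    """Sorted names of components a due-diligence reviewer should escalate."""
    risky = {"strong-copyleft", "unknown", "unrecognised"}
    return sorted(f["name"] for f in findings
                  if f["category"] in risky or f["outdated"] in (True, None))


# Constructed SBOM fragment in CycloneDX 1.4 JSON shape; names are fictitious.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.25.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "fastjson-clone", "version": "1.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "imglib", "version": "3.1.0",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "utils", "version": "0.9.0"},
        {"type": "library", "name": "legacy-parser", "version": "4.2",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed "latest release" reference data.
SAMPLE_LATEST = {"acme-http": "2.31.0", "fastjson-clone": "1.0.0",
                 "imglib": "3.1.0", "utils": "1.2.0"}

if __name__ == "__main__":
    report = audit(SAMPLE_SBOM, SAMPLE_LATEST)
    for f in report:
        print(f"{f['name']:<15} {f['version']:<8} {f['category']:<16} "
              f"latest={f['latest']} outdated={f['outdated']}")
    print("escalate:", needs_attention(report))
```

Run on the sample data, the AGPL component is escalated for its licence, two components for being behind their latest release, and one because no licence is declared; the component with no reference release is escalated as well, since "we do not know" is not an acceptable answer in a review. Note that the version comparison is intentionally naive: pre-release tags and vendor-specific schemes need a proper version library.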
Technology Performance
While software is fast becoming the backbone of many businesses, a large share of software projects still fail to meet expectations in terms of performance, scalability, maintainability, cost or delivery schedule. Several factors are at play, and each has a different level of impact on the successful delivery, performance and reputation of the software product.
Key Questions to consider on Technology Performance:
- Was there proper knowledge transfer carried out by developers who participated in the initial stages of the product development?
Knowledge transfer needs to happen throughout the software's development and operational life-cycle. If nobody left in the team understands the decisions taken in the early stages of development, the maintainability and scalability of the end-product suffer.
- Is the technology infrastructure currently ready to scale without any further development in case of rapid growth of the client base?
Not having a technology infrastructure ready to scale in the event of rapid growth may generate critical system failures or functionality issues leading to financial loss and reputational damage.
- Are there any organizational aspects of the development team that may have a direct impact on its overall capability to deliver successfully?
A well-organised, smoothly functioning development team is critical to the success of the product. Key elements to bear in mind are the location and distribution of the team (not being dispersed across too many time zones or offices) and regular reporting to management (to ensure strategies stay aligned).
Cyber Security
The global cost of cybercrime reached $945 billion in 2020 and is expected to grow by 15% annually, reaching $10.5 trillion per year by 2025. New vulnerabilities and breaches are disclosed every day. Every business change can create unintended weaknesses. Every new employee, consultant or contractor is a new risk to be managed. An attacker only needs to succeed once, while a company's security measures must hold 100% of the time in an ever-changing threat landscape. The importance of a solid cyber risk management programme therefore cannot be overstated.
Key Questions to consider on Cyber Security:
- Is client data stored in, accessed from, or transmitted through an offshore environment (a country different from the one in which the client data is received)?
Data privacy regulations and mandatory breach disclosure laws vary widely across the globe, so businesses, particularly multinationals, must conduct the requisite legal due diligence in each market to ensure compliance. Moreover, cross-border transfers traverse networks and jurisdictions the company does not control, so the reviewer should confirm that such data is encrypted in transit and that the transfers are covered by appropriate contractual safeguards.
- Does the company utilize encryption to protect data?
Encryption renders data unreadable to any party who does not hold the decryption key, so that even if a breach occurs and data is stolen or copied, it is far less likely to be usable. Modern algorithms are effectively unbreakable when used correctly, which is why attackers target the keys instead. The follow-up questions therefore matter as much as the first: is data encrypted both in transit and at rest, which algorithms and key lengths are used, where are the keys stored and who can access them, and how are they rotated and revoked? Encryption with keys sitting next to the data, or hard-coded into the application, provides little real protection.
- Are there complete records, which are kept and maintained, regarding all company devices including computers, tablets, mobiles, laptops, etc.?
An up-to-date asset inventory allows an organisation to keep track of all company devices. It is an important risk mitigation measure: it helps prevent loss and enables a rapid response in the event of an incident, such as remotely wiping or disabling a lost or stolen device. A device that is unaccounted for is a security risk, since it cannot be patched or monitored and can be compromised, opening the door to an attack on the organisation's systems and networks.
Are you asking the right questions?
Tech due diligence is one of the essential aspects of any modern business transaction, and knowing which elements to consider before taking the next step is crucial. It requires expertise, experience and insight that are best obtained from an independent third party.
Unlike traditional approaches to tech due diligence, Vaultinum offers an online software due diligence tool, Know Your Software. Through an in-depth source code scan, reviewed by an IT expert, the solution analyses Intellectual Property, Cyber Security, Scalability and Third-Party risks. The results are shared in a detailed report, which includes scoring, recommendations and fixes.
With 40 years’ experience in IT and Legal, each step of Vaultinum’s Know Your Software solution was designed in collaboration with leading experts in the fields of Cybersecurity, Intellectual Property, Software development and Compliance, to provide users with a comprehensive, trusted, risk analysis.
Enter your investments with confidence, with the assurance of Vaultinum’s technology due diligence solutions that have been custom-built for today’s digital world.