Top 3 risks to be aware of in High Tech M&A deals
According to the Institute for Mergers, Acquisitions and Alliances (IMAA), high technology M&A deals continue to rank second in total M&A transactions since 1985, with total deals valued at nearly 5 trillion USD.[1] The continual rise in investment and acquisition of high tech companies has put a spotlight on the risks inherent in these deals and the need to expand due diligence processes to include comprehensive, automated software audits.
This article will take a look at the 3 biggest risks potential investors and acquirers need to be aware of heading into these deals and what they can do to mitigate them.
Source: Thomson Financial, Institute for Mergers, Acquisitions and Alliances (IMAA) analysis.
1. Cyber Risks
M&A transactions are fertile ground for cyber criminals, providing them with both short- and long-term opportunities.
In the short term, with business operations in transition, data is more vulnerable and at higher risk of being targeted. More than one in three executives surveyed by IBM reported having experienced data breaches that can be attributed to M&A activity during integration.[2]
In the long term, M&A transactions serve as a prime opportunity to infiltrate the merging or acquired company’s networks, often through Advanced Persistent Threats (APTs), in an effort to gain access to the targeted company’s environment and information over an extended period of time.
Shockingly, more than 50 percent of companies surveyed by IBM wait until due diligence is completed before they perform any tech assessment of M&A transactions.[3] The cyber threats facing these deals highlight the importance of conducting software due diligence at the pre-acquisition phase to reveal hidden vulnerabilities.
Further, in the past year, there has been a notable escalation in ransomware attacks targeting midsize companies that have been acquired by private equity firms. These companies present lucrative targets due to their substantial liquidity, and more importantly, their cybersecurity defenses tend to be less robust.
This scenario poses an even greater cyber risk considering the potential for a domino effect within the corporate structure. Cyber attackers often exploit the vulnerabilities of these newly acquired, less secure companies as a backdoor entry point. Once inside, they can extend their reach to the more secure parent entities within the portfolio. This interconnected vulnerability underscores the critical need for comprehensive and proactive cybersecurity measures at the pre-integration stage.
2. Legal Ramifications
While a company may have state-of-the-art cyber security, if it acquires a company with weak security or existing vulnerabilities, it could be liable for any damage from incidents that occurred prior to the merger, as seen in the data breach of the hotel group Marriott.
Although the data breach was discovered in 2018, it was traced to a cyber intrusion that occurred in 2014 at Starwood, a hotel group that Marriott acquired in 2016.[4] Had Marriott conducted software due diligence during pre-acquisition, this vulnerability could have been discovered and/or measures could have been taken together with a revised valuation. Further, acquiring a company that may have vulnerabilities may amount to integrating a trojan horse.
From Europe, to the US, and to the world over, data privacy regulations and mandatory breach disclosure laws vary widely, making due diligence across markets essential for businesses, and in particular, multinationals. The hotel group Marriott was subject to numerous lawsuits and regulatory actions in multiple jurisdictions with Marriott facing a $130 million fine in the UK alone for the breach.[5]
The implementation of the GDPR in Europe has led to an increase in claims notifications. According to the law firm Pinsent Masons, between March 2019 and May 2020, a total of 190 GDPR fines were issued by European data protection authorities, with a value of almost $500 million.[6] Notable large fines for violations include $57 million for Google in France and $41 million for H&M Germany.[7]
In the US, data breach litigation is expanding with law firms and legal financing companies actively looking to bring class actions, encouraged by recent court decisions such as the Capital One data breach ruling where a cyber forensic report performed following a data breach was used to hold the company liable. While these reports are helpful, even necessary, for a victimised company to understand what went wrong, this ruling means that others, such as clients or users, can access such a report to hold companies liable for data breaches.
3. IP Ownership & Scalability
The importance of IP rights in the overall valuation of companies is gaining more global recognition. Intangible IP assets represented only some 17% of the market value of S&P 500 companies in 1975; by 2015 this had grown to 87%. According to a 2019 analysis, industries that make intensive use of IP rights generate around 45% of GDP in the EU (€6.6T).[8]
If you are acquiring or investing in a company that commercialises software, it is crucial to verify that they in fact own the software. Software is being created at a rapid pace, but rarely is this software 100% original to the creator. It is more and more common for commercial software to integrate pieces of code from other programs.
While the use of third-party code, whether commercial or open source, saves time and reduces costs, it also creates potential issues that may restrict the freedom to commercialise the end-product. These limitations may prevent a software company from enjoying the full benefits of its own creations. Moreover, the misuse of, or becoming too dependent on, third-party software can hinder a company’s growth and even threaten its survival.
Similarly, even if the target company doesn’t commercialise software, if they use software that integrates third-party software there could be serious scalability and maintainability issues. Such software is provided as downloadable programs for machines or services or as a hosted service and is typically licensed to companies rather than being sold. In other words, companies rely on software that they do not own but that they rent.
This has several implications that may offset the benefits of using the software in the first place.
1) Restrictions apply to the use and deployment of the software.
2) It creates dependencies between the company and its software provider and raises the question of what would happen if the provider goes bankrupt or sunsets the software.
3) It creates security risks. Indeed, not having access to the source code or not having the ability to scan it for bugs or issues creates an inherent risk for the operations of the company using it.
Conclusion: Importance of Tech Due Diligence
A company’s technology or software, like financial records or legal contracts, is made up of various components which when viewed individually and as a whole will testify to its robustness in the face of a multitude of risks.
As more and more companies rely on software, whether to run their operations or as an end-product, it is not enough for a potential investor to analyse the legal, financial and strategic considerations. Technology due diligence is a systematic way to evaluate and mitigate tech risk from a business or investment perspective.
A comprehensive tech due diligence report should provide insights into an organisation’s strengths, actionable recommendations for improvements and guidance for addressing common risks.
Vaultinum’s Tech Due Diligence
Whether the aim is to prepare for the sale of a business, obtain investments, capture new clients, or improve operational structures, the goal of our Tech Due Diligence suite of solutions is to deliver to businesses and investors the tools to gain critical knowledge of a company’s technology, mitigate risk and facilitate growth.
Vaultinum’s solution is a multipronged approach to software audit. At one level, the online self-assessment surveys evaluate the management, operation and use of software, revealing potential issues related to intellectual property, cybersecurity, scalability and maintainability. At the next level, a full audit scans the source code for common threats and vulnerabilities.
Taken together, our solution delivers a complete picture of the software and the organisation’s technology management processes.
[1] Institute for Mergers, Acquisitions and Alliances (IMAA)
[2] Benchmark Insights (2020) Assessing cyber risk in M&A. IBM Corporation.
[3] Idem.
[4] Brewster, T. “Revealed: Marriott's 500 Million Hack Came After A String Of Security Breaches”. Forbes, 3 Dec. 2018,
[5] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.
[6] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.
[7] Idem
[8] International Chamber of Commerce (ICC). “The ICC Intellectual Property Roadmap”, 14th edition, 2020.