Top 3 risks to be aware of in High Tech M&A deals


According to the Institute for Mergers, Acquisitions and Alliances (IMAA), high technology M&A deals rank second in total M&A transactions since 1985, with total deals valued at nearly 5 trillion USD.[1] The continual rise in investment and acquisition of high tech companies has put a spotlight on the risks inherent in these deals and the need to expand due diligence processes to include comprehensive, automated software audits.

This article will take a look at the 3 biggest risks potential investors and acquirers need to be aware of heading into these deals and what they can do to mitigate them.

M&A by Industries in Numbers (since 1985)

Source: Thomson Financial, Institute for Mergers, Acquisitions and Alliances (IMAA) analysis.

1. Cyber Threats

M&A transactions are fertile ground for cyber criminals, providing them with both short- and long-term opportunities.

In the short term, with business operations in transition, data is more vulnerable and at higher risk of being targeted.  More than one in three executives surveyed by IBM reported having experienced data breaches that can be attributed to M&A activity during integration.[2]

In the long term, M&A transactions serve as a prime opportunity to infiltrate the merging or acquired company’s networks, often through the use of Advanced Persistent Threats (APTs), in an effort to ultimately gain access to the targeted company’s environment and information over an extended period of time.

Shockingly, more than 50 percent of companies surveyed by IBM wait until due diligence is completed before they perform any tech assessment of M&A transactions.[3] The cyber threats facing these deals highlight the importance of conducting software due diligence at the pre-acquisition phase to reveal hidden vulnerabilities.



While a company may have state-of-the-art cyber security, if it acquires a company with weak security or existing vulnerabilities it could be liable for any damage from incidents that occurred prior to the merger, as seen in the data breach of the hotel group Marriott.

Although the data breach was discovered in 2018, it was traced to a cyber intrusion that occurred in 2014 at Starwood, a hotel group that Marriott acquired in 2016.[4] Had Marriott conducted software due diligence during pre-acquisition, this vulnerability could have been discovered and/or measures could have been taken together with a revised valuation. Further, acquiring a company that may have vulnerabilities may amount to integrating a trojan horse.

From Europe to the US and the world over, data privacy regulations and mandatory breach disclosure laws vary widely, making due diligence across markets essential for businesses and, in particular, multinationals. The hotel group Marriott was subject to numerous lawsuits and regulatory actions in multiple jurisdictions, facing a $130 million fine in the UK alone for the breach.[5]

The implementation of the GDPR in Europe has led to an increase in claims notifications. According to the law firm Pinsent Masons, between March 2019 and May 2020, a total of 190 GDPR fines were issued by European data protection authorities, with a value of almost $500 million.[6] Notable large fines for violations include $57 million for Google in France and $41 million for H&M Germany.[7]

In the US, data breach litigation is expanding, with law firms and legal financing companies actively looking to bring class actions, encouraged by recent court decisions such as the Capital One data breach ruling, where a cyber forensic report performed following a data breach was used to hold the company liable. While these reports are helpful, even necessary, for a victimized company to understand what went wrong, this ruling means that others, such as clients or users, can access such a report to hold companies liable for data breaches.

3. IP Ownership & Scalability

The importance of IP rights in the overall valuation of companies is gaining more global recognition. Intangible IP assets represented only some 17% of the market value of S&P 500 companies in 1975; by 2015 that share had grown to 87%, and according to a 2019 analysis, industries that make intensive use of IP rights generate around 45% of GDP in the EU (€6,6T).[8]

If you are acquiring or investing in a company that commercializes software, it is crucial to verify that it in fact owns the software. Software is being created at a rapid pace, but rarely is this software 100% original to the creator. It is more and more common for commercial software to integrate pieces of code from other programs.

While the use of third-party code, whether commercial or open source, saves time and reduces costs, it also creates potential issues that may restrict the freedom to commercialize the end-product. These limitations may prevent a software company from enjoying the full benefits of its own creations.  Moreover, the misuse of, or becoming too dependent on, third-party software can hinder a company’s growth and even threaten its survival.

Similarly, even if the target company doesn’t commercialize software, if it uses software that integrates third-party software there could be serious scalability and maintainability issues. Such software is provided as downloadable programs for machines or services, or as a hosted service, and is typically licensed to companies rather than being sold. In other words, companies rely on software that they do not own but rent.

This has several implications that may offset the benefits of using the software in the first place.

1) Restrictions apply to the use and deployment of the software.

2) It creates dependencies between the company and its software provider and raises the question of what would happen if the provider goes bankrupt or sunsets the software.

3) It creates security risks. Indeed, not having access to the source code or not having the ability to scan it for bugs or issues creates an inherent risk for the operations of the company using it.


4. Importance of Tech Due Diligence

A company’s technology or software, like financial records or legal contracts, is made up of various components which, when viewed individually and as a whole, will testify to its robustness in the face of a multitude of risks.

As more and more companies rely on software, whether to run their operations or as an end-product, it is not enough for a potential investor to analyze the legal, financial and strategic considerations. Technology due diligence is a systematic way to evaluate and mitigate tech risk from a business or investment perspective.

A comprehensive tech due diligence report should provide insights into an organization’s strengths, actionable recommendations for improvements and guidance for addressing common risks.


Vaultinum’s Know Your Software solution

Whether the aim is to prepare for the sale of a business, obtain investments, capture new clients, or improve operational structures, the goal of the Know Your Software suite of solutions is to deliver to businesses and investors the tools to gain critical knowledge of a company’s technology, mitigate risk and facilitate growth.

Vaultinum’s Know Your Software solution is a multipronged approach to software audit. At one level, the Know Your Software online self-assessment surveys evaluate the management, operation and use of software, revealing potential issues related to intellectual property, cybersecurity, scalability and maintainability. At the next level, the Know Your Software full audit scans the source code for common threats and vulnerabilities.

Taken together, Know Your Software delivers a complete picture of the software and the organization’s technology management processes.



[1] Institute for Mergers, Acquisitions and Alliances (IMAA)

[2] Benchmark Insights (2020) Assessing cyber risk in M&A. IBM Corporation.

[3] Idem.

[4] Brewster, T. “Revealed: Marriott's 500 Million Hack Came After A String Of Security Breaches”. Forbes, 3 Dec. 2018,

[5] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.

[6] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.

[7] Idem

[8] International Chamber of Commerce (ICC). “The ICC Intellectual Property Roadmap”, 14th edition, 2020.


Philippe Thomas

Philippe is the CEO of Vaultinum. An expert in new technologies and high finance, Philippe now heads Vaultinum after 20 years in the international fintech industry.
