Managing tech due diligence from a social distance

Due to the pandemic, numerous Merger and Acquisition (M&A) transactions were put on hold while the parties waited to see what would happen. Travel bans, quarantines, social distancing, closures of nonessential businesses, and shelter-in-place orders made it impossible to conduct due diligence in a normal fashion. It is still the case throughout most of the world that travel is limited. So how do you assess technology when no one can travel?


Some organisations may choose to put such activities on hold until borders are open again, but for others that is not practical. The reality today is that M&A transactions have come back and are as active as ever, and savvy companies have worked out that adapting their strategy to meet the current limitations is crucial.


Here are some practical tips for the CIOs and IT teams charged with completing technical due diligence in a time of social distancing, when your teams cannot meet, go to the office, or travel.

Set expectations early

We understand that there is much value to meeting in person, getting to know the other party in a transaction, and gaining an intuitive feel for the business and the technology itself. However, with the limitations brought on by a global pandemic, it is important to set expectations as early as you reasonably can in the transaction.


On the sell-side, make it clear that you do not have access to certain physical files, computer systems, and individuals, and describe these files, systems, and people so the buyer knows what not to expect at the outset.


For example, if your business still uses paper files, or has legacy contracts on paper, you need to make it clear early in the process that access to these documents is going to be difficult. If there are employees in your company who have been laid off or furloughed, this can translate to having certain information or institutional knowledge missing.


On the buy-side, explain to the seller that since it will be impossible to complete typical due diligence, you will rely more on reps and warranties, indemnification, and holdbacks/escrows. Consequently, the seller should expect heavier-than-typical deal terms and that some diligence will be completed later in the transaction than usual.


Third parties on both sides can help clients understand the new normal in this regard. In addition, in areas where it is still possible to conduct diligence, it may be more thorough than what may be considered typical, and function as a proxy for the inability to conduct diligence in other areas.

Leverage trusted third-party technical due diligence providers

Since it’s hard for the parties to explore the technology together, a trusted third-party evaluator can help close the gap. An analysis of what is in the code, taken at face value, can serve as a proxy for how well the target manages software development.


A code audit on various aspects of the code provides insights into the output of a development organisation. Scanning the codebases can occur remotely. Audit results identify code risks that an acquirer must consider, but they can also reveal a great deal about a company’s code development and management practices.


Thus, it can act as a barometer for the quality of the processes used to produce that code.

An audit to identify the open source and other third-party software components is even more important today. Few targets are able to identify all the third-party code in their codebases, and that becomes even harder when the engineers can’t easily collaborate.


Similarly, a third party with access to the code can quantitatively evaluate it for security vulnerabilities (in both open source and proprietary code), bugginess, and architectural quality. The quantitative information from the third-party evaluator will greatly complement the qualitative assessment made during the video chats when both teams meet online.


The buyer will need these results to formulate integration plans, pre-closing remediation, deal terms, or adjustments to valuation. From the seller’s perspective, a proactive audit can be useful as a roadmap to prepare for diligence in advance, avoid surprises, and resist a buyer’s demands for more onerous deal terms.

Utilise expert, tech-savvy counsel

In today’s environment, it is especially vital that tech counsel can craft reps, warranties, and other provisions that appropriately address all the heightened risks.


Use specialist attorneys to address issues identified in the reports from the technical due diligence provider with terms in the definitive agreement. The attorney can also assess the target’s legal practices, in comparison to peer companies.


A skilled practitioner can quickly learn a great deal about the target’s practices by reviewing its open-source/third-party software policy and any notice/attribution files and conducting remote interviews with the target’s team regarding their typical approval process and approved/denied licenses.


An assessment of the target’s outbound open-source contribution practices and a review of any public code repositories may help evaluate whether the target has procedures in place to ensure that valuable intellectual property isn’t inadvertently released as open source, and determine whether it obtains sufficient rights in third-party contributions to its open-source projects. Again, this information can provide valuable insight into the company’s development practices. It will also allow legal counsel to provide guidance on data compliance risks, requirements, and licensing.
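The third-party component audit and the license-policy review described above can be started remotely from a software bill of materials (SBOM) and the target's NOTICE file. The following is an added example, not code from the original post or from any diligence provider: it reads a constructed CycloneDX-style component list, compares each declared SPDX license against a hypothetical approved/denied policy, and flags components that are missing from the attribution file. The SBOM, policy and NOTICE contents are all constructed sample data.

```python
"""Remote license-policy and attribution check over a constructed SBOM.

Added example; not part of the original post. The SBOM layout follows the
CycloneDX "components"/"licenses" shape, and the policy lists are hypothetical.
"""
from typing import Dict, List

# Constructed sample SBOM (CycloneDX-like); not a real target's inventory.
SAMPLE_SBOM = {
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "left-pad-ish", "version": "0.1.0",
         "licenses": []},                                   # no declared license
        {"name": "readline-helper", "version": "8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "jquery", "version": "3.6.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "mystery-lib", "version": "1.0",
         "licenses": [{"license": {"id": "LicenseRef-Custom"}}]},
    ]
}

# Hypothetical policy of the kind counsel would compare against the target's own.
POLICY = {
    "approved": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only"},
}

# Constructed NOTICE file contents; every component should be attributed here.
SAMPLE_NOTICE = """This product includes software developed by third parties:
- requests 2.31.0 (Apache-2.0)
- jquery 3.6.0 (MIT)
"""


def declared_licenses(component: dict) -> List[str]:
    """Return the SPDX ids declared for one component (possibly none)."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
    return ids


def audit_components(sbom: dict, policy: dict, notice_text: str) -> List[Dict[str, str]]:
    """Flag each component against the license policy and the NOTICE file.

    Issue categories:
      denied-license       declared license is on the denied list
      unknown-license      declared license is neither approved nor denied
      undeclared-license   the SBOM carries no license for the component
      missing-attribution  the component is not mentioned in the NOTICE file
    """
    findings: List[Dict[str, str]] = []
    notice_lower = notice_text.lower()
    for comp in sbom.get("components", []):
        name = comp["name"]
        ids = declared_licenses(comp)
        if not ids:
            findings.append({"component": name, "issue": "undeclared-license", "license": ""})
        for lic in ids:
            if lic in policy["denied"]:
                findings.append({"component": name, "issue": "denied-license", "license": lic})
            elif lic not in policy["approved"]:
                findings.append({"component": name, "issue": "unknown-license", "license": lic})
        # Attribution check is a plain substring match on the component name.
        if name.lower() not in notice_lower:
            findings.append({"component": name, "issue": "missing-attribution",
                             "license": ",".join(ids)})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per issue category for the diligence summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_components(SAMPLE_SBOM, POLICY, SAMPLE_NOTICE)
    for f in results:
        print(f"{f['issue']:<20} {f['component']:<16} {f['license']}")
    print(summarize(results))
```

Each finding maps directly to a diligence follow-up: a denied license or an undeclared one is a question for the target's engineers and counsel, an unknown license needs classification, and a missing attribution points at the gaps in the notice file that a buyer would otherwise discover only after closing.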

Although the points noted above are buyer-focused, the sell-side can also follow the best practices in these areas to obtain more friendly deal terms and smooth the transaction process.


Overall, by leveraging trusted technical diligence providers and expert open-source counsel, even without onsite face-to-face meetings, group dinners, and handshakes, it should be possible to complete diligence, get a feel for the target’s overall practices as a proxy for diligence in certain other areas, and include suitable protections in the acquisition documents.
