Part 1: Protecting your asset
IT diligence is commonly thought of as a confirmatory exercise prior to closing a deal, carried out in order to assuage the concerns of the lenders. In today’s world, however, the increased importance of technology in enabling healthy business performance makes IT diligence all the more significant. Raise your hand if you’ve ever engaged a provider who missed the mark on IT diligence, resulting in unplanned investment. We are here to help put a stop to that!
Welcome to ‘The Good, the Bad, and the Ugly’, a blog series on IT due diligence that will consist of four segments published over the next month. Each segment will focus on a particular topic within technology (e.g., security, proprietary systems, IT personnel), including real-life scenarios, in order to explain the potential impact on a deal and what to look for before signing on the proverbial dotted line.
The goal of this blog series is to help equip you, the reader, with knowledge of the common pitfalls that can sour the economics of a deal, and to provide you with sample stories of organizations that demonstrate the good, the bad, and the ugly characteristics from a technology perspective.
How safe are your assets?
Every day, highly organized and malicious parties, in one form or another, are looking to profit from unsecured or unprotected intellectual property, payment card data, and confidential information. In 2014 alone, the total number of data breaches in the United States was 783, a 27% increase in reported breaches from the prior year, according to the Identity Theft Resource Center (ITRC).
While very few companies are adequately prepared from an IT security perspective, companies involved in mergers and acquisitions can be particularly vulnerable due to the magnitude of change, potential for distraction, and increased presence in the media.
What can happen when things go wrong
A small e-commerce company (<$50 million) accepts customer credit card payments via its website. The company has relaxed security policies and doesn’t encrypt customer credit card information. In the event of a breach, the company could be liable for punitive damages of $3 million to $8 million (an estimate based on prior experience and proprietary knowledge) under payment card industry compliance requirements for a merchant of this level. Additionally, the company could incur other breach-related costs, such as:
- Fines from card brands (American Express, Visa, MasterCard)
- Litigation (issuing banks and consumers) and legal assistance
- Consumer reporting
- Annual consumer credit monitoring
- Breach investigation and remediation
This estimated range of $3 million to $8 million in damages may sound high, but when you compare it with the breach at P.F. Chang’s in 2014 (estimated cost of $40 million) or at Target in 2013 (current costs have exceeded $150 million and, after litigation, are likely to be up to $300 million), you get a sense of how a security breach might impact your investment.
The real investment question you should be asking yourself during diligence is “how much will it cost to close the exposure going forward, and how long will that take?” Often, there is a discrepancy between what the seller believes the exposure to be (“boogie man”) and the buyer’s view of the exposure (“a real possibility that kills the investment economics if it happens”). The FIRST thing to do is determine how wide that gap is. Does the seller recognize or admit that there is indeed a liability and exposure, or not? Are there cyber security insurance policies in place?
By conducting robust security diligence and providing hard evidence, you will be in a better position to negotiate for a bucket of potential liability funds that the seller sets aside for 6-12 months post-close, to pay for any data or security breach that occurred pre-close or during the post-close remediation period.
So, what should be done during security diligence and what does the spectrum of good, bad, and ugly look like? Tune in to the second installment of the series for the answers.
The Good, the Bad, and the Ugly blog series is based on a chapter Matt Sondag, Keith Campbell, and I co-authored for The Operating Partner in Private Equity Volume 2 – providing valuable insight to private equity firms on how best to acquire value from an IT operating partner.