The 8 Signs You Really Need IT Due Diligence

Download the article here

For private equity firms, assessing the vulnerability of a prospective portfolio company’s information technology infrastructure is essential, no matter how small the target. The 2016 NetDiligence Cyber Claims Study found that nearly 90 percent of claims submitted were from companies with less than $2 billion in revenue.

Yet some businesses require more scrutiny than others. Here, Daimon Geopfert and Dan MacAndrew of RSM share the biggest red flags for any potential acquisition.

1. The team can’t answer basic questions

It seems obvious, but even companies that appear  extremely sophisticated often fall short. If you start asking simple questions—what type of sensitive data does your company possess, and how does it handle it?—and answers aren’t forthcoming, dig deeper.

2. It’s young and high-growth

New high-growth companies don’t just outgrow office space—they often strain existing infrastructure, controls, and processes.

3. It’s in a highly regulated industry

Is the business in healthcare, consumer and retail, or financial services? Don’t think twice—investigate deeply. At some point, a regulator is going to pay a visit.

4. It works with government agencies

Privatization has been a boon for private equity investors, but doing business with government also means grappling with legacy or specialty government systems and rigid government standards and contracts.

5. It’s dependent on cloud infrastructure

As cloud infrastructure has grown in popularity, so have the risks. The company should have a clear understanding of not just its own data management practices, but those of third-party providers as well.

6. It’s grown through aggressive acquisition

The more a company is the sum of multiple acquisitions, the greater the risk of a “rat’s nest” of systems, policies, and procedures. Make sure the integrations were performed well, or you risk unpleasant surprises.

7. Its main product is based on valuable intellectual property

If the company’s core product is based on a “secret sauce,” you’d better make sure it’s behind impenetrable lock and key.

8. It has service-level agreements (SLAs) with its clients

Commodity businesses may not handle sensitive data, but their ability to stay online and make good on their agreements is critical.