IT crucial to successful mergers and acquisitions

If a merger or acquisition is to prove a success, IT and information management systems are a crucial part of the due-diligence process. Unfortunately, they very often are not.

"A lot of the time the finance and the HR teams are all involved but not enough analysis is done of target company's IT systems," says John Bolger, senior manager in the risk and advisory department at BDO.

“Even if both companies have systems that look and sound the same, they may not be run or used in the same manner and the security culture in the acquisition target can be very different,” he says. All this needs to be assessed at an early stage of the negotiations.

“You need to know exactly what you are buying into. You have to establish what the target company’s security set-up looks like and whether it runs good systems administration. Has it got a good disaster-recovery policy in place if things go wrong? If it outsources functions to third-party vendors, what does that look like and what are you actually buying?”

Too often, what the buyer looks for is a simple inventory of kit – hardware and software. That’s not enough. “It’s about finding out how they run their systems, what kind of upgrades have they, are they up to date with their patches.”

One way to gain comfort about an acquisition target’s IT and security practices is if it has ISO27001 accreditation. “It means an independent third party has gone in and assessed it for certification.” A good IT and information security culture can be a good indicator of a well-run company with good governance generally, reducing risk for the buyer.

IT must be assessed in the same way a candidate company’s finances, customers base and operations are assessed. And information systems are now just as important as IT systems, Bolger points out. “A company’s approach to information security is hugely important, and not just because of GDPR.”

The advent of the General Data Protection Regulations codifies practices that are already required by law but adds teeth in the form of fines.

As such, data-protection systems are likely to have an increased bearing on purchasing decisions. “If the company you are considering buying processes an awful lot of customer data, it’s really important that you look at their data-protection approach. Look for evidence of data privacy, look for data-protection policies, make sure it has incident-management procedures in place,” says Bolger.

If the business doesn’t have them, the acquirer opens itself up to both fines and reputational damage in the event of their loss or leak. “By examining the target company’s approach and the controls they have in place, what you’re really doing is protecting yourself from buying a liability.”

Culture is hugely important. Look for evidence that staff at the target company treats customer data respectfully and legally, he says. With GDPR due to come into force in May, companies should, by now, be well on their way to completing an inventory of all the data they hold, how much of it there is, what sensitive personal data they hold, why and for how long.

Sensitive personal information

Collecting data to make up customer profiles is part of most customer-relationship management apps, for example. But there are now rules that dictate how this must be done, particularly in relation to sensitive personal information. “The company might feel it has good reason to collect such info, but it’s about how it would look if that info were to be found on the street,” he says.

Conversely, if you are selling a business, a now-vital part of grooming the business for sale is putting good IT and information security systems in place. “You’ve got to be able to show prospective buyers that your data is secure, protected and safe and having ISO security certification would be a really good selling point.”

Awareness of this is growing. "The whole area of tech systems and regulatory diligence has moved up the agenda, particularly in sectors such as financial services and healthcare, where the handling of critical, sensitive customer information and the integrity of systems is mission-critical," says Liam Booth, managing director of Investec Corporate Finance.

Businesses in all sectors would do well, however, to push it up the priority list, not least as part of an exit strategy. “If you are selling, it makes sense to prepare on this front well in advance because it is now an important element of the sales process.” Leave it too late, or neglect it altogether, and, says Booth, “it could trip a business up.”

Eamonn Hayes, managing director of Capnua, agrees. “IT systems and all that goes around them in terms of cyber security have become an increasingly large diligence stream. Cyber crime is an ever-changing problem but it’s an even bigger challenge for companies if they are trying to sell but have under-invested on that front. Finding a buyer could prove very problematic. Multinationals in particular prefer to pay more for what they want now. They are not prepared to buy now and fix later. Being under-invested on the IT side could derail the sale.”