
Three critical IT questions to ask when buying or investing in a company

October 19, 2022

Contributors: Christopher M. Rosmarin, CPA

While a company’s financials are arguably a top concern in the mergers and acquisitions (M&A) process, the state of an organization’s information technology environment is equally important – now more than ever, given the vulnerabilities businesses face and the increases in cybersecurity attacks during these turbulent times.

Of the many disruptions taking place this year – and likely into 2021 and possibly beyond – technological challenges are proving significant, both in cost and how they’re impacting businesses of all sizes. While information technology concerns often are viewed as simply that – IT issues – they’re in fact much more and are affecting small- and mid-size businesses as well as larger companies.

IT security and IT continuity are not “an IT thing,” but rather an essential business risk discussion – one that needs to take place before the purchase of a new entity. IT due diligence is critical and highly recommended. An assessment may reveal whether the company has ever suffered a cybersecurity breach or other significant IT issue, as well as potential problems like an insufficient password policy, antiquated software and/or machinery, poor IT practices, and missing patches.

Here are three essential IT questions that are important to explore as part of the due diligence process.

What are the cybersecurity practices followed?

At a minimum, a company should: create an acceptable use policy for the organization and team members; follow password best practices; establish user awareness training; and keep up with IT best practices, especially the practices of backing up IT and having backup off-site as well (in case a disaster strikes on-site).

How is the company investing in its IT infrastructure? 

And does the company have a true disaster recovery plan in place? Often overlooked is how well an organization is prepared for ransomware attacks, natural disasters, and other significant disruptions that could negatively impact its operations. If a solid plan isn’t in place and disaster strikes after the purchase, you as the new owner could face significant costs down the line. A sobering statistic to consider: 40% – 60% of businesses that are disrupted by a disaster and don’t have a plan never re-open.

Beyond disaster recovery, is there a business continuity plan in place?

During these turbulent times, many organizations are focused only on disaster recovery, discussed above, which is the process of rebuilding an operation or infrastructure after a disaster passes. Given that disasters can happen at any time, the ideal is to focus on business continuity planning, which is the process of ensuring your critical business functions are prepared to react to and recover from a business disruption with minimal impact to your business.

Recognizing the vital role of technology, your Rehmann advisory team can include IT analysis in our M&A due diligence. Identifying vulnerabilities in networks, systems, or cybersecurity is highly valuable information and would almost certainly impact any deal.