Cascade Conversations: IT Due Diligence for Mergers and Acquisitions

In this episode of Cascade Conversations, Managing Director Ron Reed and attorney Claudia Rast from Butzel Long, discuss the basics of IT due diligence and its role in mergers and acquisitions.



Ron Reed (00:06):

Welcome to our Cascade Conversations series, where we have professionals in the industry sit down and talk with us about key topics that impact M&A.

Ron Reed (00:15):

Today I’m here with Claudia Rast, who I’ve had the great fortune of knowing for over a decade. And Claudia, I understand that most of your career has been in IT, cybersecurity and informatics for over a decade. Is that right?

Claudia Rast (00:30):

At least, yes. But it’s science the whole time, so it’s transitioned.

Ron Reed (00:35):

That’s great. Well, today we’re going to talk a little bit about IT and its impact on IT due diligence and its impact on the value of buying or selling a company.

Ron Reed (00:45):

And when we talked about this in advance we had a couple of topics we were going to discuss. Three of them were data retention, vendor agreements, and security costs. So let’s talk a little bit about data retention, I know that’s a topic important to you.

Claudia Rast (01:01):

Right. So there are certain legal implications when you hold data. You have a requirement to a statute of limitations or the required period to hold something for a certain amount of time. And that’s to protect the parties to a transaction typically. A contract, the statute of limitations in Michigan is six years. You have statutes of limitation that goes through for OSHA, occupational safety, those kinds of things.

Claudia Rast (01:31):

It can be a tough task and no one likes to do it, Ron, to identify what data you have, how long you need to store it, and when you can delete it safely or legally. But those are important things because you don’t want the data that you store that you don’t need cost you money.

Ron Reed (01:52):

And I’ll say that impacts the value of a business two ways. One, if to your point, you’re not doing it right and it’s going to impact the cost of running your business after you sell it, then the buyer is going to layer that cost in as a cost you’re not spending and they’re going to reduce your earnings by that amount. And they’re going to lower the value that they’re going to pay if this isn’t addressed in advance.

Claudia Rast (02:17):

Right. And the buyer presumably will know that, because that data that is not necessary presents a liability to any buyer.

Ron Reed (02:26):


Claudia Rast (02:26):

It’s a liability, not only for the storage costs, but it’s also a liability if there is a lawsuit and all of a sudden you’re paying attorneys to look at data they don’t have to look at.

Ron Reed (02:37):

And there you go again, that’s another impact on the value. Because if there’s an unknown cost out there, then that’s going to be yet another issue addressed in the reps and warranties of a merger agreement.

Claudia Rast (02:49):

Right. Yeah.

Ron Reed (02:50):

So these are all important things. And I’d say this is one thing that we like to do at Cascade, is really think through these topics because many, most of these topics can be addressed in advance. They can be insured. These insurance products are changing all the time. They’re getting both more expensive, but also more expansive as they address all these topics. And getting ahead of this can actually maintain or increase the value of your business if you do it right.

Claudia Rast (03:16):

Right. And that’s where your real value comes in, because you’re looking at places that a company might not have looked at in years with new and fresh eyes. And that’s a perspective that has a real value in a transaction.

Ron Reed (03:28):

Let’s go to the next one, vendor agreements. This is one that has impacted me in several transactions, but I know you’ve got some experience in it as well.

Claudia Rast (03:35):

Right. Well, vendor agreements, they present certain gotchas in some of the language. And you have the traditional kinds of things that folks in transactions and in acquisitions look at.

Claudia Rast (03:47):

But you also have newer language in there that deals with technology, with security. Certain kinds of reps and warranties that an acquiring company may not realize they’re buying into with [inaudible 00:04:01], “Oh, this is how I have to maintain this.” Or, “This is how I have to secure this.” Or they may not have the structure or the capability or the bandwidth to do that, and so that’s a necessary look in those agreements.

Ron Reed (04:15):

Well, and [inaudible 00:04:15] come up with a fairly interesting situation recently. One of our clients was selling a significant amount of their product through Amazon. And it was not clear in the agreement that the change of control would allow them to continue using the same Amazon account, where they had 40,000 reviews of their products, all favorable reviews, which made a very good asset for the buyer. However, it put at risk the buyer’s value on the business because they were at risk of potentially losing those 40,000 reviews.

Ron Reed (04:51):

Just looking at those agreements in advance, making sure they’re structured. We had another topic where a industrial user or an industrial company was using Oracle for some of their systems. What they didn’t realize was that their pricing, although they had multi-year pricing that was secured, that pricing was no longer valid and it changed their control.

Ron Reed (05:12):

So these are the kind of IT vendor issues you have to start thinking about it in advance. It’s not just having your contracts available to the buyer, it’s also looking at these contracts. And seeing what you can do to shore them up to not impact the value of your company favorably or unfavorably.

Claudia Rast (05:29):

Right. And there’s some questions that should be asked of that company that is going to be acquired with regard to its vendor environment. Listing of those vendors, an analysis of what is the security relationship with those vendors. Have they asked the questions they need to ask of those vendors? And that’s the real value added in terms of what we would basically call a vendors cyber security questionnaire.

Ron Reed (05:58):

So give me an example of a question that would be valuable or might impact the price of a company selling their company, with respect to a vendor holding certain information.

Claudia Rast (06:10):

In those kinds of things, for example, a vendor … Well, now I’ll use the example of the great HVAC breach for Target. Do your vendors have access to your IT networks when they’re on premises? Is there someone that is with them when they access those HVAC systems? I mean, simple kinds of things like that.

Claudia Rast (06:38):

And then you go into other sorts of relationships with vendors. Do those vendors encrypt the data they’re processing for you? Is it encrypted at rest in storage in the cloud? Is it encrypted in transit on the way back and forth? Does your vendor access your data through a virtual private network or a VPN? Is that configured properly? One of the sources of a lot of data breaches recently are misconfigured VPNs. And so those vendor access portals need to be secured, so you have to ask those questions.

Ron Reed (07:17):


Claudia Rast (07:17):

I mean, that’s an important part of that pre-vetting due diligence. And any company in business really needs to be asking those questions of its vendors and have those answers at the ready.

Ron Reed (07:32):

No, I think that’s a great point. There nearly is, there is no week that goes by where we’re not reading in the major newspaper about some kind of security breach, for instance. And these security breaches are not just at the big tech companies, they’re showing up in small and medium companies. And I think that the liability now of holding data, whether it’s your customer or your employees, for instance, is increasingly a security issue.

Ron Reed (08:01):

So maybe let’s talk a little bit about security costs. From an M&A standpoint, increasingly the cost of security data really, no matter what kind of business you are, is a business cost.

Claudia Rast (08:15):


Ron Reed (08:15):

Very few businesses are able to operate without some kind of third-party cloud system, whether that’s for payable accounting systems.

Ron Reed (08:27):

So the real question is, if you’re not spending the money on security a buyer of your company is going to probably bake that cost into the buying and probably reduce your price. And if you’re buying a company that doesn’t spend that money, then you need to think about that as part of their operating costs.

Claudia Rast (08:48):

Right. The money, you’re going to have to spend that money one way or the other. Either you pay for it or you’ll lose it in the sale of your company.

Ron Reed (08:53):

Right. Or you have to spend on the insurance so you have to address this. And so I think increasingly we see from a due diligence standpoint, these very famous examples are showing up in due diligence because buyers are much more weary about their potential liability for data breaches.

Ron Reed (09:12):

And I think you and I talked earlier about data breaches are around data you might not think is a big deal. I remember sitting with a large property manager of apartments and he actually said, “Well, we’re now really at risk because we don’t hold any information that a hacker would want.” Which really was surprising when you realize that a property management company has all the information about a consumer that you could possibly ask for.

Claudia Rast (09:43):

Yeah. And the common thing … I do a lot of work with companies with data breaches, from small nonprofits to multi-billion dollar companies. They typically say, “We don’t have any information anybody would want.” Of course they do. And it comes in surprising ways.

Claudia Rast (10:04):

If someone said, “I want everything in your mailbox. Your inbox, your file folders, everything in your inbox.” And you say, “I don’t store sensitive information there.” Who might’ve copied you on something you don’t know about? We had a situation where the president of the company received, in error, was copied on a spreadsheet that had 3,000 names, addresses, social security numbers. That added exponentially to the cost of the notification because of that. I mean, it’s just, you don’t realize it.

Claudia Rast (10:37):

So having that control of your data, understanding your vendor agreements and understanding the costs of protecting that data, those are real important points.

Ron Reed (10:50):

And I think the big takeaway here is that companies who historically wouldn’t have thought their value impacted by IT considerations, are increasingly seeing their due diligence dig into those IT costs. And as we said, nearly every single company in America now has some form of cloud or third-party software service.

Claudia Rast (11:13):

Yeah. And here’s an important point, and they come across this a lot in the cybersecurity that I do in the data breaches, IT people are typically not security people.

Claudia Rast (11:23):

A situation I had last week with an Office 365. Most people are using Office 365 lately. The nonprofit president called and said, “We had what we called a business email compromise.” An email came in, clicked on it, asked for the change of credentials. All that happened, that’s a common scenario. Called their IT person, their IT person went in, fixed everything. The president said, “We’re fine.” I said, “No, you’re not.” And we’ve discovered, no, they’re not. Mailboxes were exfiltrated without them knowing it. The IT people thought they fixed it, but they really don’t go to the depths that they need to in these kinds of situations.

Claudia Rast (12:08):

And so that’s another area when you’re looking at these acquisitions where you can add value, is to say, “Look, we know that you understand. Your IT people, they’ve been there for years. They’re trusted employees. But we need to bring in third-party forensic experts to make sure that you’re safe.”

Ron Reed (12:26):

And you bring up a great point. There’s nearly always in an M&A transactions, knowledge of management. And you don’t want to wait until the final week of close to sit there and think about, “Have I disclosed every data breach that I’ve had in the last three years?” These are the things you really want to think about upfront when you’re doing due diligence as you’re going to market.

Claudia Rast (12:50):

Yeah. And that’s what you really bring as a trusted partner in the transaction.

Ron Reed (12:53):

Well, I’m really grateful that we had the chance to talk today. And I look forward to the next time we get a chance to do this.

Claudia Rast (12:57):

Wonderful. Thank you, Ron. I enjoyed it.

Ron Reed (12:57):

Thank you.