Philippe Thomas, CEO at Vaultinum, explains why the current due diligence measures carried out by many investors are insufficient, given that software is increasingly a primary asset. Philippe discusses the main risks that threaten investors who do not implement comprehensive software due diligence and gives advice on how to change this.
In the Department for Business, Energy & Industrial Industry’s 2021 UK Innovation Strategy, the UK government marks technology as a priority sector, owing to its fundamental contributions to pressing national and global challenges. The sector’s importance has also been demonstrated by its growth, with investment in the UK’s tech startups and scaleups reaching a record £13.5bn in the first half of this year. This widespread belief that the tech industry has a crucial role to play in our economy and society makes getting tech investment right more important than ever; the stakes have never been higher.
Due diligence is an essential step in the pre-acquisition and investment rounds phase of any deal, regardless of its contents. These efforts have historically focused on financial, legal, human resources, and operations, which are evidently of the utmost importance for investors. Whilst software due diligence is now implemented by some investors, it is generally not comprehensive, not carried out by experts, and done manually, meaning that many issues are not identified. Due diligence processes simply haven’t caught up to the growing collective understanding that software is significant, or some would even say a primary, asset in most deals taking place today. This urgently needs to change.
Making the move to comprehensive software due diligence
As leaders will already be aware, due diligence is an investigative process undertaken before entering into an investment with another party. The importance of due diligence as a concept is widely understood but including software within its remit is not so well-known. Software due diligence is a process of identifying vulnerabilities associated with a software and its source code, covering areas such as maintainability, scalability, data security risks, and licensing. Acquiring an awareness of these risks helps investors and buyers mitigate catastrophic legal, financial, and reputational consequences in the future.
As with any form of due diligence, it is important that investors choose a reliable and specialized third party to provide this service. In order to run software due diligence, the third-party provider will need to gain access to the software’s source code, usually kept under lock and key. To ensure that the software remains protected throughout the due diligence process, investors must opt for a provider that is ISO27001 certified, has experience in securely archiving data, and uses siloed servers located in a place where regulation provides strong data protection. Once a provider has been chosen, the process can begin with an assessment of the organization’s existing understanding of security issues and protection measures. Then follows an in-depth analysis of every line of the source code, with a report being produced that offers a comprehensive picture of any risk areas and precise resolution recommendations. At the end of this process, investors will be much more knowledgeable about the software they are investing in and make a well-informed decision about whether to invest. If they do choose to invest, they will enter the investment equipped with a detailed understanding of the exact measures urgently required to secure their investment.
Identifying potential risk points in a software
There are a number of potential issues that can be identified through software due diligence, which truly highlight the importance of its execution. Data vulnerabilities are perhaps some of the most visible software risks within the business community, owing to a sharp rise in publicity for data breaches that have occurred during mergers and acquisitions in recent years. An infamous example that took place in 2016 is that of Marriot International, a hotel chain that acquired Starwood Hotels & Resorts in a deal to the tune of US$13.3bn. Marriot were ultimately fined $123mn by Britain’s Information Commissioner’s Office when it was revealed that a 2014 data breach in Starwood’s reservation system exposed 400 million guests’ personal data. Even though the breach itself occurred prior to the merger, Marriot remained financially and legally liable for Starwood’s mistake, and the two businesses suffered lasting reputational injuries. If Marriot had carried out more comprehensive software due diligence prior to the merger, this may have been identified, and its catastrophic consequences avoided.
A less publicized but nevertheless extremely important potential vulnerability is that of maintainability, which in turn affects a software’s scalability. Given that comprehensive software due diligence is able to analyze every line of a software’s code, it is able to flag any areas within the code that may currently or in the near future no longer be maintainable. In doing so, the analysis highlights any use of code that no longer functions as it was originally intended, or usage of open source software that has become out of date and cannot easily be maintained by another developer. Any such evidence signifies that the software lacks maintainability and suggests that it is unlikely to be scalable. As a result, investors can easily understand whether software is worth investing in or not; even if you pour capital into ‘dinosaur’ software, it may not return significant profits in the long run.
Finally, comprehensive software due diligence analyses the usage of open source software within a wider code base. Drawing on open-source software is not a red flag in itself; it speeds up development and provides a constant stream of new and innovative solutions generated by developers working together worldwide. However, pressure to develop fast can mean that developers lose sight of the licensing restrictions attached to open source software. If a license is particularly contaminating, businesses may be liable to pay a fee for the usage of open source code, or even be required to make the entire in-house developed code base public. Investors must be aware of any such licenses before they make an investment because they can vastly change the value and terms of the asset.
- How to find and maximize digital value in any M&A deal post-pandemic
- 10 IT cost management tips organizations must follow to ensure growth
- A new breed of enterprise emerges post-pandemic
- You’ve had a breach – how do you successfully roll out an emergency patch?
Entering an investment with an awareness of any potential vulnerabilities is essential for those investing in software, to avoid dramatic reputational, financial, and legal damage. Investors must begin to include comprehensive software due diligence, carried out by a trusted third party, into their pre-acquisition routine, before it’s too late.