  • Article
September 04, 2025

IT Due Diligence in the AI Era: Avoid These Red Flags for M&A Success

By David Mustin, Managing Director

At a glance:

  • For both buyers and sellers, IT due diligence during M&A is more important than ever amid a competitive exit environment, rapid adoption of AI tools, and mounting cybersecurity risks.
  • From outdated systems and cybersecurity gaps to compliance risks, numerous red flags can significantly impact deal value and post-close operations.
  • To conduct successful IT due diligence, be sure to start the process early, assess AI readiness, and review third-party contracts.

When Marriott acquired Starwood Hotels, the deal came with an unpleasant surprise: two data breaches that occurred before the deal closed, which, along with a third post-sale breach, ultimately exposed the personal information of more than 344 million customers around the world. Nearly a decade later, Marriott was still paying for it. Last October, the company agreed to a $52 million settlement with a coalition of 50 attorneys general over the breaches, which the Federal Trade Commission said were due to poor security practices.

The multimillion-dollar mistake underscores the importance of IT due diligence during M&A—a process that has become increasingly imperative amid mounting cybersecurity threats and the rapid adoption of artificial intelligence tools. In fact, new research found that 20% of the organizations studied suffered a data breach due to the use of AI tools without proper oversight.

The consequences are severe in today’s increasingly competitive exit environment, where emerging technologies like AI can make or break businesses across industries. Cracks in a seller’s IT infrastructure can significantly reduce their purchase price. Buyers, on the other hand, risk being saddled with costly compliance, reputational, and operational impacts should they ink a deal without first doing their IT homework.

Here’s what prospective dealmakers should know.

Common IT Due Diligence Red Flags

IT due diligence aims to identify the financial, operational, and regulatory/compliance risks that could jeopardize the target business’s ability to operate successfully, either pre- or post-deal. Most buyers will want all of these issues addressed by the seller before the deal is finalized, meaning both parties should be aware of common red flags.

A few important ones to keep an eye out for during the IT due diligence process include:

Lax cybersecurity. Beware of companies with no recent or regular cybersecurity penetration or vulnerability testing. A lack of cyber insurance and limited or no multi-factor authentication may also be red flags.

Outdated systems. Watch out for organizations with older applications that are not regularly maintained or updated, and/or server-based applications that are outdated and challenging to maintain. Two core systems warrant especially close attention: enterprise resource management (ERP) and customer relationship management (CRM) platforms. If these have not been kept up to date, the buyer won’t be able to leverage data analytics to optimize efficiency, reporting, and profitability.

Problematic infrastructure. Targets with outdated or highly customized technology infrastructure can make it challenging for buyers to build additional infrastructure, potentially devaluing a deal—a key consideration for private equity players looking to acquire a platform business. Similarly, decades-old infrastructure can create costly obstacles for the buyer post-acquisition, especially if there are no viable backups or if outside vendors have too much control. Outdated or missing business continuity/disaster recovery plans can also indicate a lack of preparedness for all forms of business risk.

Compliance gaps. The absence of recent checks for compliance with regulations surrounding personally identifiable information (PII), payment card information (PCI), and sensitive health information (SHI) is another red flag. Prominent requirements include the General Data Protection Regulation (GDPR), the European Union’s new AI Act (EU-AI Act), U.S. state and local data privacy laws, California’s Consumer Protection Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA).

Leadership. The absence of strategic IT leadership setting the tone for effective modernization can be problematic post-close. This often occurs with aging owners who don’t want to invest further in the business before exiting.

Best Practices: 5 Tips for Successful IT Due Diligence

IT due diligence isn’t easy. There is a lot to assess, and more often than not, limited information is readily available, since dealmakers don’t want to panic the target company’s employees or partners by asking them questions ahead of a potential sale. That means practitioners must be selective and strategic about the questions they ask and the steps they take to conduct effective due diligence.

Though every organization is different, there are a few high-level best practices to keep top-of-mind for parties on both sides of the deal table:

  • Start early. For the buyer, IT due diligence typically begins when the Letter of Intent is signed. For the seller, it can start as soon as they decide to sell. Since many of the issues uncovered during IT due diligence could take months to remediate—and because buyers expect the seller to address them—starting early will give the seller time to get out ahead of initial discussions with the buyer.
  • Be comprehensive. Good IT due diligence involves a comprehensive review of IT operations—not just in the IT organization itself but across all IT capabilities, from business operations to customer service to those housed with third parties. Given this scope, it can be helpful to quantify risks and impacts on a high, medium, and low scale to prioritize any next steps.
  • Review third-party contracts. Although it can be challenging to directly access third-party vendors, it is crucial to be aware of change of control clauses prior to an M&A deal and to reestablish license structures during the transaction process. For instance, one buyer received a significant invoice not long after closing due to a change of control clause in the target’s software licensing agreement.
  • Evaluate AI readiness. AI readiness defines winners and losers in the business world right now. To ensure a company has effectively adopted—or is prepared to adopt—AI tools, stakeholders should consider four key factors:
    • Has the company picked AI tools that are secure and protect confidential information?
    • Are employees trained on the risks associated with these tools?
    • Are there acceptable use policies in place?
    • Does the organization have a cross-functional governance structure and/or clear AI leadership?
  • Find advisors who understand industry-specific risks. No two industries are alike: construction businesses face different IT risks than retailers, and so on. The best IT advisors don’t just understand how technology can add value to or detract from a given M&A deal; they also bring a deep understanding of the key drivers and goals of the individual business.

Why IT Due Diligence is a Strategic Imperative

Last year, a ransomware attack hit Change Healthcare. The cost to its parent company UnitedHealth Group, which had purchased Change in 2022? Over $2 billion.

In an M&A environment where emerging technologies like AI are reshaping risk profiles and value drivers, IT due diligence is foundational to a deal’s success—and afterlife. A thoughtful, early, and comprehensive IT assessment not only protects against downside risks but also uncovers opportunities to enhance operational resilience and long-term value creation.

Whether you’re a seller aiming to maximize valuation or a buyer seeking to avoid post-close surprises, aligning IT readiness with overall business goals is key. With the right framework and advisors in place, dealmakers can move forward with clarity and confidence in an increasingly competitive (and complex) M&A landscape.

Connect with a CBIZ professional today to ensure your next deal is backed by the IT due diligence and insight needed to protect value and uncover opportunity.

This is the first of a two-part series on IT due diligence. In our next article, we’ll discuss post-close IT risks and best practices.

© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.