Technical due diligence clarifies IT costs post-deal.
Technical debt, integration issues, and cyber risks often cause costly surprises hidden from financial reports.
Cyber incidents can affect deals through price discounts, allocation of liability between the parties, and MAE (Material Adverse Effect) exclusions.
Data quality, logging (recording activity and errors), MFA (Multi-Factor Authentication, which requires users to verify their identity with more than one method), and access controls (rules for who can access what) are critical failure points; gaps here can turn into regulatory and operational costs.
Software assessment should include verifying software licenses and listing all open-source components (code and libraries that are publicly available), as not knowing what is in the software can lead to legal and data security risks.
The most valuable outcome of the assessment is a prioritized investment and integration/separation plan, with cost estimates for fixes.
Technology due diligence in mergers and acquisitions transactions is the evaluation of a target's infrastructure, software, and cybersecurity to uncover hidden risks, potential costs, and integration limitations before the deal is signed and closed. Unlike financial due diligence, it focuses on how the technology actually functions, on technical debt, security, and the investment needs that affect the price and terms of the transaction.

Technical due diligence in M&A typically refers to a structured review of IT as a business support function (systems, infrastructure, costs, security, hosting, roadmaps) and/or technology as a commercial product (product software, R&D organization, engineering practices, product cybersecurity, and compliance with security/privacy regulations).
The practical role of this review is to identify measurable risks and investment needs: Will the platform support growth? Are there critical failure points? Can integration or carve-out occur without business interruptions, and what hidden costs will the buyer face after closing?
Technology is increasingly either at the core of the deal or a key point of leverage in the transaction: even when digital assets are not the central reason for the acquisition, they can be a source of significant added value, provided there is proper due diligence and integration planning.
The main risk for the buyer is technical debt, which makes integrating new capabilities too expensive and consumes the development budget. In a McKinsey & Company study, CIOs estimated technical debt at 20–40% of the technological estate's value, with 10–20% of the budget for new products diverted to maintaining it. In M&A, this means that if technical debt is not accounted for before signing, it will become post-deal CapEx/OpEx, altering the deal’s economics.
Cyber risks are another mechanism that directly impacts the price. A Reuters report illustrates how breaches can rewrite a deal: Verizon Communications lowered the purchase price of Yahoo!'s operating business by $350 million after Yahoo! disclosed major data breaches, and the parties agreed on mechanisms to share part of the legal and regulatory liabilities related to those breaches.
The issue can arise immediately after closing, even if the data was not fully visible during the transaction process: Telstra reported a breach of Pacnet’s corporate IT network, which occurred a few weeks before the completion of the acquisition; potentially, sensitive customer data was at risk, and the incident itself highlighted the risk of insufficient due diligence and disclosure during the transaction. Legal advisors also pointed out that such incidents increase regulators' scrutiny and create risks of non-disclosure-related lawsuits.
In most M&A, the technical due diligence process is broken down into 4–6 stages, each of which impacts the valuation through projected investments, downtime risks, and legal/regulatory consequences.

The assessment covers data centers, networks, servers, cloud services, backup systems, provider dependencies, and maintenance and scalability costs. For the buyer, this answers questions such as: Are there hidden modernization costs (e.g., due to deferred updates)? Is the business tied to contractors or a parent company’s infrastructure? Will unforeseen conversion costs arise after closing?

In due diligence, it's crucial to separate two layers: the existence of policies/controls and their actual effectiveness in detecting and mitigating incidents. As a guideline for structuring, the National Institute of Standards and Technology (NIST) CSF 2.0 is often used, with functions including Govern, Identify, Protect, Detect, Respond, and Recover — this is convenient for mapping evidence and gaps (risk management, asset inventory, protection, detection, response, recovery).
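The separation between a control existing on paper and a control working in practice is easiest to see on access data. The following added example (not the article's own method, and not any vendor's tool) takes a stated MFA policy and measures it against sign-in records. SIGNIN_LOG is a constructed excerpt in an assumed generic CSV layout (timestamp, user, role, mfa, result); in a real review the input would be an export from the target's identity provider, and POLICY would be whatever the target's written policy actually requires.

```python
"""Compare a stated MFA policy with what sign-in records actually show.

Added example for this article, not the author's method. SIGNIN_LOG is a
constructed excerpt in an assumed generic CSV layout; real evidence would be
an identity-provider export. POLICY is an assumed policy: administrators must
always use MFA, ordinary users are expected to reach 90% MFA coverage.
"""
import csv
import io
from collections import defaultdict

SIGNIN_LOG = """timestamp,user,role,mfa,result
2024-03-01T08:02:11Z,alice,admin,true,success
2024-03-01T08:05:43Z,bob,user,true,success
2024-03-01T09:17:02Z,svc-backup,admin,false,success
2024-03-01T09:30:55Z,carol,user,false,success
2024-03-01T10:01:19Z,alice,admin,true,success
2024-03-02T07:45:00Z,svc-backup,admin,false,success
2024-03-02T11:12:30Z,dave,user,true,failure
2024-03-02T13:40:08Z,carol,user,false,success
"""

# Assumed policy thresholds: minimum share of successful sign-ins that must use MFA.
POLICY = {"admin": 1.0, "user": 0.9}


def load_signins(text):
    """Parse the CSV export; the mfa column is normalised to a boolean."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["mfa"] = row["mfa"].strip().lower() == "true"
    return rows


def mfa_coverage(rows):
    """Per role: share of successful sign-ins that used MFA, and accounts that never did.

    Failed sign-ins are ignored: only sessions that were actually granted
    tell us whether the control was enforced.
    """
    totals = defaultdict(int)
    with_mfa = defaultdict(int)
    seen = defaultdict(set)
    mfa_users = defaultdict(set)
    for row in rows:
        if row["result"] != "success":
            continue
        role = row["role"]
        totals[role] += 1
        seen[role].add(row["user"])
        if row["mfa"]:
            with_mfa[role] += 1
            mfa_users[role].add(row["user"])
    return {
        role: {
            "coverage": with_mfa[role] / totals[role],
            "never_mfa": sorted(seen[role] - mfa_users[role]),
        }
        for role in totals
    }


def policy_gaps(coverage, policy):
    """Roles whose observed coverage falls short of the policy threshold."""
    return {
        role: stats
        for role, stats in coverage.items()
        if stats["coverage"] < policy.get(role, 1.0)
    }


if __name__ == "__main__":
    coverage = mfa_coverage(load_signins(SIGNIN_LOG))
    for role, stats in policy_gaps(coverage, POLICY).items():
        print(f"{role}: {stats['coverage']:.0%} MFA coverage, "
              f"accounts never seen with MFA: {stats['never_mfa']}")
```

On the constructed data the written policy ("all administrators use MFA") is contradicted by the records: a service account with the admin role signs in without MFA every time. That is exactly the kind of gap a policy document or an audit checklist would not reveal, and it belongs in the risk register with a remediation estimate rather than a compliance tick.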
The software assessment addresses architecture, code quality, testing, release management, dependencies, and rights to use components. Analyzing code for scalability, modularity, security, and integration risks gives a clear risk overview.
A key open-source consideration is whether the target maintains an accurate inventory of the components it ships. The absence of such an inventory is itself a signal of low visibility and weak risk management.
Technical documentation is crucial as an indicator of manageability: architecture diagrams, asset inventories (lists of all IT resources), security policies, DR/BCP (Disaster Recovery/Business Continuity Plans, i.e. plans for handling disruptions), system and data catalogs, incident logs, and reports from external evaluators. Such reports are evidence, not proof: in the Marriott case, a PCI DSS ROC (a compliance report on payment data security) was used as evidence of controls, but investigations revealed it did not guarantee the absence of gaps in how those controls were actually applied.
For service companies or SaaS providers, SOC 2 reports can be a valuable source of evidence: AICPA explains that SOC 2 is a report on controls relevant to security, availability, processing integrity, confidentiality, or privacy. For assessing security management system requirements, ISO/IEC 27001 is often cited as a standard, described by the International Organization for Standardization as the most well-known standard for ISMS (Information Security Management Systems).

The process should be risk-oriented: Cisco, in its white paper on cyber risks in M&A, explains that the IT systems audit/assessment in M&A should focus on policies, practices, and procedures that could create liability or vulnerabilities for the buyer. It suggests considering cyber risk across the deal cycle. In practice, this can be translated into a 5-step due diligence checklist.
The preparation step begins by aligning the investment thesis and defining exactly what is being acquired: IT as a function (IT due diligence), technology as a product (Technology Due Diligence), or both. At this stage, the scope, materiality criteria, deliverables format, and access/time restrictions are determined.
The information-gathering step is typically implemented through a data room and questionnaires. It requires inventorying applications and assets, network/cloud diagrams, IT expense data, project roadmaps, IT security policies, incident history, and materials related to carve-out/stand-up/integration.
The infrastructure and cybersecurity assessment step covers operational resilience (BCP/DR, logging/monitoring, access management, cloud risks, third-party dependencies, and incident readiness), verifying in each area that the control is in place and that it actually works.
The software assessment includes evaluating architecture, technical debt, engineering practices quality, and licensing risks (including open-source). If full access to the code is not possible, real-world transactions use methods such as perimeter scanning or artifact analysis to obtain actual metrics without extracting the code.
The final step translates technical issues into financial and contractual consequences: additional investments, timelines, integration/separation risks, and how the findings should be reflected in the price, warranties/indemnities, or TSA (Transition Services Agreement) conditions. This is why consultants typically produce deliverables such as a Red Flag Report and a full IT Due Diligence Report, listing the key risks and investment areas.

The most common mistake is reducing the assessment to paper compliance without verifying the controls' actual effectiveness. Even the presence of audit/compliance artifacts does not guarantee that the control has been fully implemented and is functioning as intended.
Underestimating technical debt and integration costs. A diminished focus on IT during the pre-deal phase leads to an incomplete understanding of the risks and the necessary investments for separation/integration.
Ignoring the supply chain and dependencies (providers, contractors, parent systems in a carve-out). These dependencies create invisible transitional costs and, in the legal realm, require a TSA (Transition Services Agreement) and additional obligations or warranties.
Failing to include software licensing and open-source as part of the standard package. Legal advisors have emphasized that as the role of software increases, due diligence has evolved to include software escrow and open-source considerations. Black Duck highlights the risk of invisible open-source code and stresses the need for inventorying and automated auditing. The consequences for M&A include the need for warranties regarding rights or remediation requirements before integration if the product is critical to the business model.
Not attaching technical risks to the terms of the deal. This hinders a clear distribution of post-closing legal/regulatory expenses.
Information technology due diligence plays an important role in M&A deals by revealing potential hidden merger risks and costs related to IT systems, technical debt, cybersecurity, and integration challenges. By focusing on key areas such as IT infrastructure, cybersecurity policies, software licensing, and technical documentation, due diligence helps assess the target company's true value and identify potential future liabilities. Understanding these risks and addressing them early in the process can significantly impact the final deal terms, price, and the overall success of the business acquisition. Properly assessing these technical aspects enables informed decision-making and reduces the likelihood of unexpected post-deal costs.
No, cyber due diligence is only part of the technical scope and does not replace the analysis of architecture, technical debt, IT costs, and integration. The cyber focus addresses controls, incidents, vulnerabilities, and compliance with privacy requirements, while IT due diligence additionally assesses applications, infrastructure/hosting, the IT organization, costs, roadmaps, and the "price tag" for necessary investments. Practical recommendation: create a single risk register that lists cyber risks alongside availability, operational resilience, and integration/separation risks.
The most commonly requested items are descriptions of controls and their verification, including security and incident response policies, architecture, and data flow diagrams, incident history, testing/audit results, third-party materials, and compliance artifacts (e.g., SOC 2 or PCI DSS, as relevant).
Through component inventory (SBOM/dependency lists), checks on open-source usage policies, and, if necessary, automated code composition audits. For M&A, this is important because licensing obligations and known vulnerabilities can create future legal or security expenses.
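What a component inventory review looks like in practice, for both the open-source discussion in the software assessment above and this answer, is shown in the following added example (not the article's own method and not Black Duck's or any other vendor's tool). It reads a small CycloneDX-style SBOM, flags components whose declared license carries copyleft obligations or whose license is missing entirely, and compares each component's version against an advisory list. SBOM_JSON is a constructed inventory; the ADVISORIES feed is a constructed excerpt in which the Log4Shell entry is real (CVE-2021-44228, simplified here to "2.x below 2.15.0 is affected") and the second entry is a placeholder, not a real advisory. A real review would load the target's SBOM and a current advisory source such as OSV or NVD.

```python
"""Triage a CycloneDX-style SBOM for license obligations and known-vulnerable components.

Added example for this article; not the author's or any vendor's tooling.
SBOM_JSON and ADVISORIES are constructed inputs (the Log4Shell advisory is
real but simplified; "CONSTRUCTED-ADV-0001" is a placeholder, not a real id).
"""
import json
import re
from dataclasses import dataclass, field

# SPDX identifiers whose obligations usually matter in a deal (not exhaustive).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}

# Advisory feed excerpt: package URL without version -> [(first fixed version, advisory id)].
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("2.15.0", "CVE-2021-44228")],
    "pkg:npm/example-parser": [("1.4.2", "CONSTRUCTED-ADV-0001")],  # placeholder entry
}

# Constructed SBOM: four components, one with no license declared at all.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-parser", "version": "1.3.0",
     "purl": "pkg:npm/example-parser@1.3.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "example-codec", "version": "0.9.1",
     "purl": "pkg:npm/example-codec@0.9.1",
     "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
    {"type": "library", "name": "example-utils", "version": "3.2.0",
     "purl": "pkg:npm/example-utils@3.2.0"}
  ]
}
"""


def parse_version(version):
    """Numeric-prefix comparison: "2.14.1" -> (2, 14, 1); pre-release suffixes are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-")[0]))


@dataclass
class Finding:
    component: str
    category: str   # "vulnerability" | "strong-copyleft" | "weak-copyleft" | "unknown-license"
    detail: str


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)

    def by_category(self, category):
        return [f for f in self.findings if f.category == category]


def triage_sbom(sbom_text):
    """Walk the SBOM components and record license and vulnerability findings."""
    sbom = json.loads(sbom_text)
    result = TriageResult()
    for comp in sbom.get("components", []):
        base, _, purl_version = comp.get("purl", "").partition("@")
        version = purl_version or comp.get("version", "")
        label = f"{comp.get('name')}@{comp.get('version')}"
        # Known-vulnerable check: affected if installed version is below the first fixed version.
        for fixed_in, advisory in ADVISORIES.get(base, []):
            if version and parse_version(version) < parse_version(fixed_in):
                result.findings.append(Finding(label, "vulnerability", f"{advisory}: fixed in {fixed_in}"))
        # License check: CycloneDX lists licenses as {"license": {"id": ...}} entries.
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            result.findings.append(Finding(label, "unknown-license", "no license declared in SBOM"))
        for lic in ids:
            if lic in STRONG_COPYLEFT:
                result.findings.append(Finding(label, "strong-copyleft", lic))
            elif lic in WEAK_COPYLEFT:
                result.findings.append(Finding(label, "weak-copyleft", lic))
    return result


if __name__ == "__main__":
    for f in triage_sbom(SBOM_JSON).findings:
        print(f"{f.category:16} {f.component:28} {f.detail}")
```

Each category maps to a different deal consequence: a strong-copyleft dependency in a proprietary product is a question for warranties on rights or a pre-closing remediation requirement, a known-vulnerable version is a remediation cost with a date attached, and a component with no declared license at all is the "invisible open-source" case, a gap in the inventory itself rather than in any one component.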
Upon completion, the buyer becomes the controller/processor of the systems or data under succession and assumes responsibility for implementing appropriate technical and organizational security measures. In the Marriott-Starwood case, regulatory documents describe violations of personal data security requirements and fines, as well as the fact that the breach began before the acquisition, but gaps in controls and detection led to prolonged data impact after the merger.
The most common mechanisms are price adjustments (purchase price discussions), requirements for corrections before closing, warranties and indemnities, and special provisions for integration/separation (TSA).
At a minimum, the report should include: a list of key risks with materiality; an assessment of investments/remediation and timelines; integration/separation consequences; and priorities for the first months after closing (a risk-based roadmap).
