Similarly, a company acquiring another starts with a fairly good idea about the target’s value and strategic fit before they agree on a price and a timeline for the deal. But when they sign a Letter of Intent, they reserve the right to dig deeper via a process called due diligence. The acquirer then has several weeks to request information, ask questions, and perform analyses to allow them to:
- Confirm their current understanding of the target’s business
- Plan for integration
- Uncover any surprises that could impact the deal or their desire to go ahead
(It’s a nice-looking house, but the foundation is crumbling and it’s about to collapse)
This kind of analysis covers all aspects of a business. Acquirers will dig into financials, HR records, legal documents, customer complaints, marketing plans—everything, including the software technology. This is particularly relevant for deals in which software is a substantial part of the value. Inquiries about the technology will range from a high-level look at product strategy and roadmap to the people and processes, and extend down to the code itself. The breadth of inquiry spans quality, security, and legal issues.
As with any aspect of due diligence, much information is gleaned through Q&As and documents as well as discussions. A meeting between respective CISOs might start with walk through of the target’s AppSec program at a high level. A disclosure request might include documented processes on open source use, handling vulnerabilities, building in security, and software architecture.