Philippe Thomas, CEO atVaultinum, explains why the current due diligence measures carried out by many investors are insufficient, given that software is increasingly a primary asset. Philippe discusses the main risks that threaten investors who do not implement comprehensive software due diligence and gives advice on how to change this.
In the Department for Business, Energy & Industrial Industry’s2021 UK Innovation Strategy, the UK government marks technology as a priority sector, owing to its fundamental contributions to pressing national and global challenges. The sector’s importance has also been demonstrated by its growth, with investment in the UK’s tech startups and scaleupsreaching a record £13.5bnin the first half of this year. This widespread belief that the tech industry has a crucial role to play in our economy and society makes getting tech investment right more important than ever; the stakes have never been higher.
Due diligence is an essential step in the pre-acquisition and investment rounds phase of any deal, regardless of its contents. These efforts have historically focused on financial, legal, human resources, and operations, which are evidently of the utmost importance for investors. Whilst software due diligence is now implemented by some investors, it is generally not comprehensive, not carried out by experts, and done manually, meaning that many issues are not identified. Due diligence processes simply haven’t caught up to the growing collective understanding that software is significant, or some would even say a primary, asset in most deals taking place today. This urgently needs to change.
Trending
Veeam’s Gil Vega awarded 2021 CISO of the Year
Making the move to comprehensive software due diligence
As leaders will already be aware, due diligence is an investigative process undertaken before entering into an investment with another party. The importance of due diligence as a concept is widely understood but including software within its remit is not so well-known. Software due diligence is a process of identifying vulnerabilities associated with a software and its source code, covering areas such as maintainability, scalability, data security risks, and licensing. Acquiring an awareness of these risks helps investors and buyers mitigate catastrophic legal, financial, and reputational consequences in the future.
As with any form of due diligence, it is important that investors choose a reliable and specialized third party to provide this service. In order to runsoftware due diligence, the third-party provider will need to gain access to the software’s source code, usually kept under lock and key. To ensure that the software remains protected throughout the due diligence process, investors must opt for a provider that is ISO27001 certified, has experience in securely archiving data, and uses siloed servers located in a place where regulation provides strong data protection. Once a provider has been chosen, the process can begin with an assessment of the organization’s existing understanding of security issues and protection measures. Then follows an in-depth analysis of every line of the source code, with a report being produced that offers a comprehensive picture of any risk areas and precise resolution recommendations. At the end of this process, investors will be much more knowledgeable about the software they are investing in and make a well-informed decision about whether to invest. If they do choose to invest, they will enter the investment equipped with a detailed understanding of the exact measures urgently required to secure their investment.
Identifying potential risk points in a software
There are a number of potential issues that can be identified through software due diligence, which truly highlight the importance of its execution. Data vulnerabilities are perhaps some of the most visible software risks within the business community, owing to a sharp rise in publicity for data breaches that have occurred during mergers and acquisitions in recent years. An infamous example that took place in 2016 is that ofMarriot International, a hotel chain that acquiredStarwood Hotels & Resortsin a deal to the tune of US$13.3bn.Marriotwere ultimately fined $123mn by Britain’s Information Commissioner’s Office when it was revealed that a 2014 data breach inStarwood’s reservation system exposed 400 million guests’ personal data. Even though the breach itself occurred prior to the merger,Marriotremained financially and legally liable forStarwood’s mistake, and the two businesses suffered lasting reputational injuries. If Marriot had carried out more comprehensive software due diligence prior to the merger, this may have been identified, and its catastrophic consequences avoided.
A less publicized but nevertheless extremely important potential vulnerability is that of maintainability, which in turn affects a software’s scalability. Given that comprehensive software due diligence is able to analyze every line of a software’s code, it is able to flag any areas within the code that may currently or in the near future no longer be maintainable. In doing so, the analysis highlights any use of code that no longer functions as it was originally intended, or usage of open source software that has become out of date and cannot easily be maintained by another developer. Any such evidence signifies that the software lacks maintainability and suggests that it is unlikely to be scalable. As a result, investors can easily understand whether software is worth investing in or not; even if you pour capital into ‘dinosaur’ software, it may not return significant profits in the long run.
Finally, comprehensive software due diligence analyses the usage of open source software within a wider code base. Drawing on open-source software is not a red flag in itself; it speeds up development and provides a constant stream of new and innovative solutions generated by developers working together worldwide. However, pressure to develop fast can mean that developers lose sight of the licensing restrictions attached to open source software. If a license is particularly contaminating, businesses may be liable to pay a fee for the usage of open source code, or even be required to make the entire in-house developed code base public. Investors must be aware of any such licenses before they make an investment because they can vastly change the value and terms of the asset.
READ MORE:
- How to find and maximize digital value in any M&A deal post-pandemic
- 10 IT cost management tips organizations must follow to ensure growth
- A new breed of enterprise emerges post-pandemic
- You’ve had a breach – how do you successfully roll out an emergency patch?
Entering an investment with an awareness of any potential vulnerabilities is essential for those investing in software, to avoid dramatic reputational, financial, and legal damage. Investors must begin to include comprehensive software due diligence, carried out by a trusted third party, into their pre-acquisition routine, before it’s too late.
For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!
Follow us onLinkedInandTwitter
We think you'll like:
- Successfully Accelerating ERP-Cloud Adoption in the Public Sector
- Importance of a Zero Trust Approach to GenAI
- Successful digital marketing for home services means embracing change
- What are Multi-core Safety-Critical Avionics?
Philippe Thomas
Philippe Thomas is the CEO of Vaultinum, a trusted independent third-party specialized in the protection and audit of digital assets. He has 20+ years of experience in the fintech industry, having started his career in open outcry market surveillance, extending into business development and becoming a COO, before starting his journey with Vaultinum in 2019. Vaultinum provide software escrow contracts, copyright deposit solutions, and software due diligence tools to top tier firms, private equities, and VCs worldwide.
