CyberSound™, Vancord’s Cybersecurity Podcast (2024)
Episode 105: Information Security Due Diligence 101

In this episode of CyberSound, Vancord’s Cybersecurity Podcast hosted by Jason and Michael, the focus is on the intricacies of mergers and acquisitions (M&A) within the cybersecurity realm, featuring guest Fred Purdue, Managing Director of Mergers and Acquisitions at West Monroe. Fred discusses his role in assisting private equity firms through the M&A process, emphasizing the importance of IT and cybersecurity due diligence. He shares insights into the different stages of the M&A process, from initial assessments to integration strategies, and highlights common red flags and risks, such as outdated technology and cybersecurity vulnerabilities.
The conversation also covers the increasing necessity of cybersecurity assessments in transactions, the potential impacts of cyber risks on deal valuations, and the importance of having well-defined security and technology strategies, offering valuable insights for both buyers and sellers in the market.


Episode Transcript

00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.

Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, joined as always by our CEO, Michael Grande.

Michael Grande 00:15
Great to be here.

Jason Pufahl 00:16
And we’ve got a special guest, Fred Purdue, who’s the Managing Director of Mergers and Acquisitions at West Monroe. Welcome, Fred.

Fred Purdue 00:25
Thank you for having me.

Michael Grande 00:26
So, you know, I’ve had the pleasure to know Fred for several years now, we’ve worked together through the Renaissance at the Executive Forum, ref group, in Connecticut. It’s, which is a great peer group. And Fred came to that group originally as a principal owner of Axiom Technology Group. And I’ve really relied on his guidance and advice through the last couple of years. He’s sort of a man for all seasons, he really brings a lot to the table with technology and security and a lot of different, his business acumen. So it’s really great to have you join us. And I’m pleased that you’re here, and you’ve got your new gig, which is fantastic. And maybe introduce yourself a little bit. Share a little bit about West Monroe and your role.

Fred Purdue 01:13
Yeah, so West Monroe is a global business technology consulting company. We’re headquartered in Chicago, but I’m actually out of our New York office, we’ve been around for 22 years. And we sort of combine a traditional management consulting approach with a foundation in digital technology, work with a wide variety of upper mid-market and lower enterprise companies across a great number of different industries, practices, etc. It’s a heck of an organization. And I’m really excited to join it. That’s great, and your focus there? So I’m on our Mergers and Acquisitions team. So my primary responsibility is helping to support private equity firms through the ownership lifecycle, whether it’s, you know, they’re looking at an organization and they want to understand, what are the technology applications if we purchased this, through, we bought the company now, what do we do with it? We’re positioning it for exit, etcetera, as well as sometimes just what’s the state of industry x, right? So recently done a bunch of talks on what’s the state of the MSP industry? What’s it look like? What are the people out there? What are the platforms? What do great companies look like? What do bad companies look like? Just try to help them understand this space as they start to identify opportunities for acquisition.

Jason Pufahl 02:28
So in that acquisition space, so we’re more in that mid-market space involved in the IT aspect, specifically, typically, of the M&A process. What are some of the key things from an integration standpoint that you see, right, that due diligence that needs to occur up front? You know, any technologies, you’d say, hey, if we see these, immediate red flag, or anything like that?

Fred Purdue 02:56
Well, the question really becomes very industry specific, very quick. So we’re actually focused around what we call value creation teams, which are industry focused teams, because how I might answer that question for a healthcare company is very different from how we might answer it for our financial services or manufacturing company, right? Likewise, how we might answer that question for a $50 million company is very differently from how we answer it for a billion dollar company. But generally speaking, you’re looking for organizations that can articulate a strategy around what they have, why they’re making those choices, you’re looking for people that are running on current and supported platforms, and you’re looking for people that are at least asking themselves questions around what can I do with my data? What does my strategy look like? What does my life cycle look like? In a modern landscape, for example, I’m gonna be asking a lot of people like, what’s your data and analytics strategy look like? What’s your artificial intelligence strategy look like? And sometimes the having a well answer to those questions is more important than what the answer necessarily is. I mean, it’s like when you guys are doing a cybersecurity assessment on somebody, you’re gonna go through like a cybersecurity framework, maybe NIST, CMMC, something like that. And you’re going to ask them a series of questions and you want to like, are they gonna give you an articulate answer? Can they justify why they’ve got this old platform in place? Or are they just gonna be like, oh, that’s old, we didn’t even realize it. We need to understand this more.

Michael Grande 04:24
And, you know, this is the integration costs, you know, you’re looking at sort of diversity of different types of companies. Obviously, from private equity perspective, but even if it’s, you know, sort of one to one transaction, is that generally, is that become part of the financial model, when they’re sort of looking at, you know, potential risk or and or expense integrating systems, you know, what exactly has to be considered? You know, obviously, on the smaller end, you go for efficiencies and you look for sort of the low hanging fruit but when you’re combining large entities, and you’ve got a lot of considerations, I’m sure that that’s definitely got to calculate in.

Fred Purdue 05:07
Well, it really needs to calculate in whether you’re large or small. One of the common mistakes is smaller organizations do, especially when they’re doing on private transaction is they don’t ask some of those questions around what are our cost synergies gonna look like? What are our cost dissynergies gonna look like, what are our integration costs gonna look like? And they merge or they acquired another company, and then they go to integrate it, and they turn it over to their execution or operations teams. And they say, great, we bought a company, go integrate it, these people haven’t done it before, they’ve got day jobs, you haven’t accounted for the time and energy it’s going to take to do that. So suddenly, you’ve got teams that are already running at full sprint that now have a second job. So we really encourage people, whether you’re going through a formal process, or it’s a private transaction, a merger of equals or something like that, you absolutely want to look at those things as part of the purchase and diligence process. Because if nothing else, think about it this way, right? If you’re buying a house, and you have a homeowner’s inspection that says the roof’s got to be replaced, you can either replace that roof as part of the purchase role or the mortgage, you can tell the seller, hey, this thing needs a new roof. Or you could buy the house, close on it, realize it needs a new roof then, and now you get to pay for a new roof. And you don’t want to get stuck that way. And neither does the company.

Michael Grande 06:25
You know, in your experience, I feel like the logical answer is going to be yes. But I’m interested if there’s any sort of, you know, interesting situations that you’ve seen on, you know, diligence, exposing some substantial risk during an acquisition and sort of what are the consequences of that outside of financial, you know, it feels like there could be so many different variations of, you know, either scuttling a deal, or really changing the mechanics of what’s going to happen.

Fred Purdue 06:55
Yeah, I mean, we’ve seen the entire gamut and everything in the middle, I’ve gone into companies that have cybersecurity, or I’m like, this is really neat, I can’t believe you figured out how to do this. What I mean, you gotta you mind, some of the companies we will get might be cybersecurity companies themselves, as well. So we’ve gone in and on diligence on large MSSPs, cybersecurity providers, etc. On the other end of the spectrum, we’ve been in organizations where we’re looking at we’re like, we’re not sure how the building’s on fire, and honestly, it could be, and we’re not sure you’d notice. I mean, we went into one large organization that had large amounts of data on minors. And when we looked at their landscape, tons of ancient technology that hasn’t been properly segmented, hasn’t been properly secured. And they have very little intelligence in terms of what’s going on in the environment. So yeah, we had to have a conversation with the buyer of, hey, guys, this, you got some real risk in here. And this isn’t the kind of risks that it’s like, hey, it’s gonna cost us some money or downtime, it’s not even the kind of risks that you’re going to show up and find out the company shut down for a couple days. This is the kind of risk where your names can be on the front page of the Wall Street Journal, if you don’t pay attention. Yeah, it basically just leaked data on 7 million children, that’s gonna end up in the news, you don’t want that. And they had to go back to the seller and say, Hey, guys, we need to adjust the purchase price for this, because we’re gonna fix all this stuff. And by the way, we’re gonna make special insurance on this, and you’ve got to pay for it. Because if something if we find something out in six months or a year, we’re not gonna be on the hook for that, you guys are. So they put tail insurance on it, too, to make sure that they’re covered.
So there were a number of financial implications to that, because there were a whole bunch of risks and security implications to that.

Jason Pufahl 08:44
How often out of curiosity, do you see insurance brought to bear in a discussion like that? Is that an edge case? Is that fairly common?

Fred Purdue 08:53
Well, cybersecurity insurance and general liability insurance is something we kind of always look for, not necessarily purely from the insurance and risk perspective, because there’s folks that are doing that as well. But we want to understand what does it look like? What are your policies look like, do you have reasonably appropriate policies in place from a technology and security perspective? But there’s also a process at least in a lot of larger transactions called reps and warranties, where they’re underwriting the debt. And that absolutely has cybersecurity and technology elements to it. It’s one of the reasons why once upon a time, cybersecurity was something that only some PE firms looked at, and only in some circumstances, now you can’t close on a company if you have not done a cybersecurity assessment. It’d be like trying to buy a house you’ve never done a home inspection on, the mortgage company’s gonna look at that and go like, yeah, we’re not giving you a mortgage on this thing, because you can’t prove that the house isn’t going to fall down. Well, companies require that now as well when you’re buying companies.

Jason Pufahl 09:48
So how much of a benefit is it maybe to you as you’re evaluating or maybe to the business and sale, if they’ve got a certain security compliance right like SOC or CMMC? Or they’ve gone through a process, they can demonstrate that they’ve got certain controls in place? Clearly, that makes your job easier? Is there an appreciable benefit for a company at the time of sale?

Fred Purdue 10:13
Yeah. So first off, you know, if you’re gonna sell your house, you’re gonna try and make sure your house looks good, right, you’re going to do some curb work, you’re going to try to make sure everything’s painted, it’s clean, the house has picked up, you missed anything, that company, right. So there is something that our team is actually doing more and more of this these days is called the sell side advisory. And it’s sort of the management presentation for your technology stack. So it lets you say, here’s the technology we have, here’s the security and risk posture we have, here’s why we have it, it lets you tell the story. And it lets you control what that story looks like. And that makes it a lot easier to position the company for sale because it’s lower risk and lower risk means that they can pay more for it. Likewise, on the buyer side, having a really good picture of what that cybersecurity risk matters. Because if you go in and you look at it, and you say, hey, guys, we’re missing all this stuff from a cybersecurity perspective. And that has an impact on like the run rate that has an impact on the budget for the company. Well, you know, if you move the budget of a company by a million dollars, when you buy companies you buy based on a multiple, if that multiple was 10, for example, and you just moved the budget by a million dollars, you just took $10 million off the purchase price. So that can have really big impacts, right. So if you’re selling the company, you don’t want to see that happen. And if you’re buying the company, you want to understand that because you don’t want to be the guy who pays for that miss, you want to make sure that you understood that going in and came into account in your financial model, if you were,

Jason Pufahl 11:38
The sell side advising is interesting. I hadn’t actually considered that as such an element of this, but you’re doing your due diligence, getting yourself, make yourself look more attractive ahead of time, right, it’s smart business.

Michael Grande 11:50
Yeah. It seems, though, that in I don’t know, I don’t have any data behind this, you actually may or may know more about this for sure. Is there, has there been a radical increase in transactions, just quantity of transactions over the last, you know, five years versus the prior five? Does it ebb and flow? Obviously low income, low interest rates contributed to a lot of activity over a set period of time. But you know, I think we’ve had this conversation, there’s still a very active market in MSPs. For instance, Technology Services is still a very hot area. But you know, does it? Are there any other factors that sort of feed into it that you can shed any light on?

Fred Purdue 12:36
So I mean, that’s a pretty big question, right? I mean, if you look at the overall trend, especially in private equity, it’s been growing pretty substantially over the last, call it 10 to 15 years. The private markets are a really great way for banks, pension funds, organizations, large amounts of capital, they’re finding, it’s a lot more effective to deploy it in private equity than it is to start to deploy it in the stock market or something like that. During COVID, you saw actually a big spike in purchases, because also you had lots of companies that were distressed, distressed companies sell for a lot less. So it’s a great opportunity for anybody that has cash to go out and buy it. Or to go out and buy other organizations. And 2023, you saw a bit of a dip. Interest rates are spiking up a lot of questions about what the economy looks like, fourth quarter of last year, we started to see a pickup, we’re actually seeing a fair amount of activity in first and second quarter of 2024. And it does look like it’s ramping up a fair amount.

Jason Pufahl 13:35
But I’m sure it’s company specific, certainly by the size. But how long does your due diligence actually take typically, is that a three month activity? Is that a 12 month activity?

Fred Purdue 13:47
Oh, well, I mean, so due diligence has lots of different steps in it. Right in the very beginning, there’s some basic information, you’re gonna do financial diligence, gonna do quality of earnings checks, you’re gonna do some legal due diligence, that process can take a while, then you typically get to like, hey, we’ve got a pretty good picture, we’re collecting initial bids, you pick a smaller group of bidders that you want to look at. If you’re selling the organization, you might go under a letter of intent. That’s when you start doing some of your deeper levels of diligence. And IT diligence is typically in there. It is not a long process, we typically get a couple of weeks to do it if we’re lucky. Because you’re not doing the deep dive diligence until you’re pretty confident that you’re gonna buy this thing, right because you don’t want to spend a ton of money on something you may not buy. It’s like when you’re doing the inspection on a house. It’s either a house you’ve put an offer in on or house you’re about to put an offer. Now you don’t like walk into a house be like this looks kind of nice. Let’s do an inspection. You don’t wanna spend the money. Right? So same thing is true when you’re doing due diligence. All in the process from the time you start talking to somebody to the time you close a deal, could be six to nine months. But it goes in these sort of cycles and there is a mad sprint in the last 30 to 45 days. Okay, I have 100 different people trying to talk with the business owners or business leadership to try to compile and complete various forms of due diligence.

Michael Grande 15:09
You know, we’ve talked a little bit about process there, we’ve talked earlier about sort of integration, some of the signs that you’re looking at, or the areas that you’re keying in on, let’s maybe spend a minute on red flags and things that sort of really jumped out and potentially could cause, you know, major concerns in different deals. So if you have anything specific that you’d like to point out, I think, you know, in doing some of our research, obviously, there’s disclosures that could have been made at some point, due to a breach you’ve got for public companies, there’s different filings to the SEC requirements. You know, I’m sure there’s a variety of others.

Fred Purdue 15:52
Yeah. So there are, like I said, we’ve seen a really big gamut. The, I think, what’s critical to keep in mind is that when you’re going through a deal or a transaction, there’s lots of stuff in motion. So there’s a lot of attention that can get pulled on a company when it’s going through a process like that. Right? So what you’re looking for and red flags means something specific to us, by the way, so. But what you’re looking for is things that could become a material risk very quickly. Right? So there’s a difference between this organization has a bunch of old technology, they really need to replace it, they really need to look at it, they’ve got some unpatched vulnerabilities, what you’re looking for is things that create imminent harm, you know, do they have an effective EDR strategy in place? Do they have an effective MFA strategy in place? Those are two things you really want to see. Because a lot of attention is going to show up on an organization. Now, you’re also like, have you experienced a breach? You know, you’re gonna ask a lot of questions like that. And when we’d like, I want to be a little careful how I answer this, because there might be things we look at where we say, this is an issue, you need to address this. But this is like a first 100 days issue or one issue. Red flags are like a flag on the play, everybody’s got to stop, we need to talk about this, they’re actually pretty darn rare. And they usually come off of there’s something significantly wrong with a financial one, someone was missing lots of stuff. Someone has an accounted for something significant. We think about carve outs and things like that, where there’s lots of shared services, we might come back and be like, by the way, when y’all built the IT budget, all this stuff was coming from parent, nobody ever actually accounted for this, we just moved your operating model by $4 million, $5 million a year, that has a huge impact on purchase price, everybody’s gonna stop.
But there will be times when cybersecurity can pop up in there. And it can pop up from sort of two different perspectives. One is the obvious, hey, is there something that’s so blatant in here that it’s going to come up in the reps and warranties call, and we need to have a really good answer for it, or we’re not going to get our underwriting done. The second is, is a bit of a less obvious side. And that’s the, in this kind of a deal cycle, especially as you start getting towards closing. There’s lots of moving pieces. There’s legal pieces that are moving, there’s regulatory, there’s financial, there’s HR, there’s technology, there’s lots of change, lots of fast movement, and not everybody knows what’s going on. There’s also a lot of money in play, that’s a great time for an attacker to attack you. So we have absolutely seen attackers target companies where there is an announcement, because you’ll frequently see in the news like so and so’s announced an intention to buy so and so. And they’re planning on closing the transaction in that sense, because some companies have what’s called a sign to close period. And it’s sort of like, between you’ve got an accepted offer and a house and you close on the house where you’ve got to do that process. An attacker sees and goes, lots of uncertainty. Lots of questions. Lots of people that are overwhelmed. Lots of money.

Jason Pufahl 19:00
Yeah, yeah, so people are talking and you don’t know who anybody is.

Michael Grande 19:03
Exactly, requests are coming from a lot of different areas.

Fred Purdue 19:05
You don’t necessarily know who everybody is. And kind of like when you’re buying a house, right? You get that piece of paper. That’s the it’s like, well, here’s what the, here’s what the attorneys get. Here’s what the agent gets, here’s what the seller gets, here’s what the bank gets, here’s what property, the same thing happens when you buy a company. It’s called flow of funds. And if somebody gets their hands on that, and can change even like one or two routing numbers on that thing, then they can get away with a very large amount of money very quickly that they’re not likely going to get caught. So just like when you go to sell that house now and they make you sign a piece of paper, in the closing that says you have verified the routing numbers. If you got them wrong, it’s not their problem. You’re accepting liability. They’re not doing that in an abundance of caution. They’re doing it because it’s gotten people burned a lot. And we’ve seen companies get hit in close like that as well, either through sort of some of the traditional invoice fraud. We’ve also seen people actually intercede and interject themselves into flow of funds. And when that happens, y’all are having a really bad day.

Jason Pufahl 20:08
And it staying on the house analogy, then is that process as chaotic as buying a house, because oftentimes you’re not getting your, you know, your payouts and everything until the day of, maybe the hour of is same kind of experience when merging or buying companies?

Fred Purdue 20:26
A lot bigger. Yeah. There’s so much that goes on. There’s so many different players involved. There’s so much so many different components to a transaction, that you’re always in a mad sprint, always. There’s no way around it. It’s the nature of the beast.

Michael Grande 20:43
Well, that was very informative.

Jason Pufahl 20:45
And so I feel like you know, this is one of those topics, you’d say, well, we’ll spend 15 minutes on a little bit of info, or you’ll spend three days seminar, right.

Michael Grande 20:54
I would imagine from, you know, as you said, different verticals, different industries, different compliance requirements, regulatory burden. There’s so many different angles to look at when considering, especially IT diligence and cybersecurity risks when it comes to M&A. So, you know, I really appreciate you joining us today. I hope this was as enjoyable for you as it was for us and great to share some of your knowledge.

Fred Purdue 21:24
It’s always fun. Thanks for having me, Michael.

Jason Pufahl 21:25
You got it, Fred. Thanks for joining. And, of course, as always, right. If anybody has any questions, reach out to us. We’re happy to field them, we can get Fred back on if there’s interest. And from that, as always, we hope you took something valuable from this. So thank you for listening.

Michael Grande 21:39
Thanks very much.

Fred Purdue 21:40
Thank you.

21:41
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.
