Four top tips on tech due diligence

The British tech sector saw a record year in 2021, with investment in startups doubling to £26bn, says Philippe Thomas, founder at Vaultinum.

Such expansion is exciting for the industry and represents an opportunity for investors to add innovative new companies to their asset portfolio. However, at the same time, tech businesses are seeing new threats, which require a shift in approach when it comes to risk-mitigation tactics.

2021 saw the highest average cost of a data breach in 17 years, reaching $4.24 million by the end of the year. Additional risks associated with software failure, open-source software and intellectual property issues also persisted in 2021, infamously evident in the recent Log4j vulnerability, which affected the operations of some of the biggest names in tech and government organisations worldwide.

Investors must increase their awareness of these potential dangers and ensure that their assets are appropriately protected.

Considering business potential through its software

As the tech sector booms, organisations can be tempted to focus on growing rapidly rather than ensuring that their software has long-term viability. Even though software is their primary asset, tech companies can fail to meet expectations in terms of scalability, performance, maintainability, cost, or delivery schedule.

Investors should ensure that any business asset they are investing in has set goals and a realistic path is laid out to achieve them. Operations and product teams should have a clear vision for scaling their software which is communicated to developers.

These developers must also have had a proper transfer of knowledge from any developers who participated in the initial development stages.

These open lines of communication within the target organisation demonstrate a potential for growth which is both realistic and will generate a return on investment.

Managing intellectual property (IP) rights

Investing in software is not only about its potential, but also about its IP rights. Investors should only consider funding businesses that can demonstrate full ownership of their assets, to avoid copyright disputes further down the line, which would result in investors losing out.

As such, investors must ensure that the IP of any business they intend to spend money on is not only protected, but that these protections are managed and reviewed on a regular basis.

The target company must be able to prove that it owns all the rights necessary to make, use, and sell its proposed products. As an absolute minimum, knowledge of these rights should be shared by all developers working on the product; the more trustworthy companies go further and deposit their software source code with a trusted third party or copyright office, which provides the strongest protection.

A deposit is a timestamped solution recognised in court that proves full ownership of a creation by securing IP rights and proving that the author of the creation had the idea first. A deposit solution should be viewed favourably, as it shows that the business has taken strategic steps to manage and protect its IP.

Assessing third-party software usage

More and more, businesses are relying on third-party software alongside their own in-house code to build their product and run their operations. As such, IP protection is only one step in implementing comprehensive tech due diligence: investors should also analyse the business's use of third-party software.

There are two preventative measures that should be considered during pre-investment tech due diligence. Firstly, investors can look to see if the target company has signed escrow agreements with any software suppliers.

This is a contract that ensures the business can continue functioning even if the software supplier is no longer able to provide the software, usually in the event of bankruptcy. The most robust escrow type is a tripartite agreement, signed by the software supplier, the client, and a trusted independent third party, with specific conditions under which the software source code will be released.

If these conditions are met and the software supplier can no longer carry out its function, the independent third party will grant access to the source code, allowing the client's business to continue. As well as ensuring business continuity, a software escrow shows that a business has been diligent in their risk mitigation, which investors should value highly.

A second measure that businesses should have in their arsenal is managing their usage of open-source software (OSS). Many in-house developers rely on OSS nowadays, as they need to develop quickly to attract investment attention.

As such, investors should ensure that target businesses have implemented sufficient OSS management processes that assess the licensing constraints of any software used and regularly check for software updates. Poor OSS management can lead to financial, reputational, and IP losses, as well as business continuity issues if any software becomes outdated.

Uncovering cybersecurity vulnerabilities

The cost of global cybercrime is expected to rise by 15% per year over the next five years, resulting in an annual bill of $10.5 trillion by 2025. The importance of having a solid cyber risk management programme cannot be overstated, and this is one aspect of a business that should be reviewed during tech due diligence.

Following the implementation of GDPR requirements in Europe, companies must also guarantee that they are safely collecting, processing, and protecting both the data of others and their own confidential data. This involves building a reliable data management strategy and taking appropriate measures to protect any physical premises from unauthorised access or theft. Moreover, carrying out a comprehensive software due diligence process that analyses source code can enable the early identification of potential data breach risks, allowing businesses to implement appropriate mitigation measures.

Those looking to invest in tech should carry out comprehensive due diligence which covers software alongside the traditional analysis of operations, finance, legal and HR.

Investors should engage with a specialist independent third party in this process, to ensure that due diligence measures are implemented comprehensively and effectively. AI advancements allow for an analysis of every line of code to identify possible cyber vulnerabilities, IP issues (usually linked with the use of open-source code) and maintainability risks, making audits less susceptible to human error.

Ultimately, this approach protects investors' reputation, ensures business continuity, and helps avoid potential legal liability for any vulnerabilities.

By Philippe Thomas, founder at Vaultinum