M&A

Buying or being bought — the IT bit

The hidden costs in a deal are usually in IT and data.

IT due diligence is often skimmed. It shouldn't be.

Documents to request

  • Asset list: hardware, software, SaaS, domains.
  • Supplier list with contract end dates.
  • Policies and incident history.
  • Insurance and certifications.
  • Backup evidence.
  • Staff training records.
  • Sub-processor list.

Red flags

  • No incident response plan.
  • No tested backups.
  • Single IT contractor with no handover.
  • Domain / DNS owned by IT supplier.
  • Outstanding ICO investigations.
  • End-of-life software in use.

Questions for the IT supplier and CTO

  • What three risks are you actively managing?
  • Worst incident in the last 3 years?
  • Who owns the domain, DNS, master admin?
  • Walk me through a leaver process.
  • Show me your last patching report.
  • Show me a recent backup restore screenshot.

First 90 days post-close

  • Take ownership of domain, DNS, master admins.
  • Reset every admin password.
  • Disable leaver accounts you find still active.
  • Map their tools register against yours.
  • Notify insurer of change of control.