Seven New Questions for M&A Due Diligence

Assessing a target's data assets isn't something to leave until after the transaction is completed. Here's what you need to find out up-front.
Craig CallMarch 3, 2016

Companies working on a merger or acquisition pore over a seemingly endless amount of material to determine the transaction’s suitability. Ironically, one of the most important assets for most companies, data, gets relatively little attention in the process.

Craig Callé

Craig Callé

Developing a comprehensive understanding of a target’s data and information assets usually results in a transaction with substantially lower risk — especially cyber risk — and creates vast opportunities for value creation.

Here are seven questions you should address when you conduct your next M&A due diligence to determine the extent to which the target operates in a data-centric manner.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

  1. Can you show me your data map?

You might think this a fairly simple request, but few organizations can produce a good data map, which is essentially an inventory of data and information assets revealing where they are located. It’s no wonder that the state of cybersecurity is so poor. If you can’t locate these assets, how can you possibly protect them or, for that matter, create the most value from them?

Even the National Association of Corporate Directors’ Cyber-Risk Oversight Handbook warns directors to make sure management has a data map. Creating and sustaining one is not a small undertaking for the disorganized organization, but it can and should be done.

  1. What portion of your data is sensitive?

If the organization has not adequately mapped its data, it cannot accurately measure the portion deemed to be sensitive. An assessment of what is considered to be sensitive data is an essential exercise. Did Sony consider all the snarky emails about its celebrity clients to be “sensitive” or “crown jewels” and therefore worthy of special protection? Probably not.

Data and information assets are balkanized across an organization. They can be on paper, in data centers, on laptops and other mobile/portable devices, in the cloud, and elsewhere. There is compelling technology and processes available today to classify these assets.

  1. What cloud-based services are used, and how risky are they?

Lots of companies work hard to protect their computer networks. They build hard domes, fortified by firewalls and other forms of protection, to keep bad things out.

Yet, more than a third of business-critical applications were in the cloud by 2014, according to research by Ponemon Institute on behalf of Netskope (see page 6 in this report). And the shift from the use of traditional, on-premises, licensed software to software-as-a-service (SaaS) applications like is accelerating.

Companies’ visibility over the use of cloud-based services by employees and contractors today is very low, and that is a source of staggering security risk. There are more than 16,000 SaaS apps floating around out there, and fewer than 10% of them are enterprise-ready, according to a new report from Netskope (see the fifth slide of this slide deck).

Millennials are especially inclined to pull down an app without first seeking permission from IT. Many SaaS apps are downright scary from a security standpoint. Fortunately, there are ways to discover, analyze, and control the use of cloud-based services, but few companies so far have taken advantage of the enabling technologies.

  1. What is your level of cyber-hygiene, and that of your vendors with network access?

The data breach experienced by Target Corp. highlights the notion that an organization’s security is only as strong as its weakest vendor’s ability to secure their data. Every organization should know what it looks like from a hacker’s perspective so it can immediately address its shortcomings.

There are services available today that create a level of understanding that go far beyond the traditional vendor risk management methodologies such as questionnaires and penetration tests. We are entering an age of cyber transparency, where organizations carry cyber-risk ratings that are similar in nature to the credit-risk ratings by Moody’s and Standard & Poor’s.

How will your acquisition target compete in a world where poor cyber-hygiene can cost business?

  1. What data analytics tools do you use, and who is using them?

We are now in the golden age of data analytics, and the target’s level of sophistication is a function of the tools its people use to turn data into insights that generate revenue and shareholder value.

Is the CFO’s financial planning and analysis team just forecasting the next quarter, or are they shoulder-to-shoulder with business unit leadership, helping them mine vast amounts of structured and unstructured data at their finger tips?

Maybe the business units are simply taking matters into their own hands and using data analytics tools on their own. Inventory the tools in use and you will get an indication of the extent to which the culture is data-driven and the value that you can create once you own the place.

  1. How much of the target’s data is simply ROT?

Studies indicate that more than two-thirds of a typical organization’s data is redundant, obsolete, or trivial (ROT). This data can be in the form of old operational log files, data stored by departed employees, outdated drafts, copies of once-important documents that are no longer needed, etc.

When was the last time you obeyed your organization’s records retention policy, assuming it even has one? Yet there is a compelling case for reducing ROT data.

Storage comes in many forms, from tapes to flash memory, and, contrary to popular belief, it’s not cheap. Organizations that are good at content management are much better able to find and protect data that isn’t ROT. You can get into related issues like data quality while you’re at it. You should know where your target is located on its journey toward information governance maturity.

  1. What data would be valuable to third parties, and how much could you sell it for?

You may want to buy a company for lots of reasons, and you may never want to sell any of the target’s data to someone else. However, the analysis involved in answering this question will yield remarkable insights that you probably had not considered. The target’s data is often overlooked as a motivation for an acquisition, but it can generate tremendous value in the right hands, with the right tools and skills.

Final Thought

There is a tendency in M&A deals to treat data as just an IT issue that can get dealt with after the transaction closes, during the integration process. However, data is an asset of enterprise-wide consequence, representing considerable risk and reward. Make your transaction successful by treating data as a critical asset.

Craig Callé is CEO of Source Callé LLC, a consulting firm that makes organizations more data centric. He is a former CFO of’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.