Case Study
Digital Risk and Compliance Due Diligence Supports $7 Million Valuation Adjustment in Manufacturing Industry Acquisition

In a competitive bidding scenario to purchase divested assets of a Taiwanese technology manufacturer, FTI Technology’s client sought support in conducting a detailed evaluation of the target’s IT and security risk position. FTI Technology’s global risk and compliance experts supported a wide-ranging due diligence exercise to uncover potential exposures and ensure the valuation accounted for the cost of any mitigation efforts that would be needed post-transaction.
Situation
The bidding process for the target was competitive, which placed the project under a four-week timeline; in parallel, the client had prioritized rigorous due diligence across many facets of the target’s business. Additionally, the target had placed significant limitations on the materials FTI Technology could access for its assessment and interviews, which made it difficult for the team to evaluate the full picture with a high degree of rigor.
The target company had previously undergone a System and Organization Controls (SOC 2) audit; however, in refusing to share the audit results, the target was at risk of breaching contractual obligations that require SOC 2 attestation, a potential liability that the client would in turn inherit if the transaction were to proceed. This added a new dimension of risk to an already time-sensitive assessment.
Additionally, in the documents that were available for review, FTI Technology found that many of the target company’s IT risk management policies appeared to have been adapted from commercial, off-the-shelf templates widely available on the internet. This led to further exploration of whether the target’s IT risk program was genuine and how much was implemented in actual practice.
Our Role
Working in support of the client’s IT and data teams, FTI Technology’s experts used a bespoke framework to test the design and use of 200 IT, compliance and digital risk controls across 13 domains, in order to determine clearly and in depth the potential risks to the client if it were to proceed with an acquisition of the target. This included evaluating, across functions including data protection, third-party risk, audit, governance, incident response and more, whether each control was in place, whether it appeared to address nominal risk and what the ultimate exposure would be to the client following the transaction.
This expert-led diligence exercise included:
- Single-session interviews with key personnel at the target company to support assessment of the IT and information security infrastructure and controls in place.
- Use of an assessment platform to enable collaboration on data entry and risk scoring, automating certain reporting components to accelerate the creation of a comprehensive report.
- Assessment against industry-standard frameworks including ISO 27001/27002, the NIST Cybersecurity Framework and CSC 18, as well as evolving regulatory requirements such as the U.S. Department of Justice’s Bulk Data Transfer Rule.
- Determination that approximately 90% of the target’s policies were in fact built upon generic templates, with no evidence that the controls outlined in the policies had been formally adopted or operationalized.
- A roadmap for gap remediation and resolution of the target’s “technology debt,” outlining for the client next steps, cost and timelines for addressing identified risks.
- Estimation of the total impact of risk and the program’s resilience on the valuation of the potential transaction, helping the client determine a competitive amount by which to reduce its offer to offset the assumption of potential risks.
Our Impact
FTI Technology’s analysis identified an estimated $7 million adjustment to the target’s valuation, calculated against the projected costs of implementing essential risk mitigation strategies and assurance measures to remediate the target company’s existing security and compliance exposures.
Across the 200 controls reviewed in the assessment, FTI Technology found fewer than 40 with documentation sufficient to be considered in place. More than 50 additional controls were either partially documented or verbally self-attested by the target without documentation. None of the 13 risk domains assessed were found to have sufficient controls in place to achieve functional risk management.
Within only four weeks, the team delivered a complete report and recommendations to the client in support of valuation, negotiations and post-transaction risk reduction.