More than ever before, technology has become a key element of the already thorough due diligence processes that businesses go through in order to secure funding from investors. Thus, being able to illustrate a strong and resilient infrastructure is vital for both start-up and established firms operating in today’s wider professional services landscape.
Today’s blog article will take a look at commonly asked due diligence questions (DDQs), as well as share best practices on how firms can leverage technology to win the trust of investors and subsequently unlock the capital needed to help their business flourish.
What are investors looking for?
Alongside assessing for a strong business model and market fit, investors are keen to ensure they’re investing in a business that has the capability to run efficiently. Downtime can cost a firm its reputation in addition to financial losses. Therefore, investors are increasingly demanding transparency around infrastructure, any third-party vendors used, and the security strategies firms have in place. The following are some of the technology-related DDQs being asked in today’s landscape:
- Does the organisation have a formal and well-documented access control policy?
- Where is/are the company’s data centre(s) located?
- How often is the company’s disaster recovery plan tested?
- Describe the software system(s) used to provide services to the client, including any relevant security features (e.g. firewalls).
- Does the organisation have oversight over the security practices of any third-party vendors used?
Access a list of sample technology DDQs here.
Building Your Technology Platform to Earn the Trust of Investors
Being able to illustrate a strong and resilient infrastructure is the key to earning the trust of investors and raising the capital needed to take your business to the next level. Firms are encouraged to ensure the following areas are taken into careful consideration when building, implementing and maintaining their IT strategy. These areas are crucial to operating your business at maximum efficiency and showcasing a bulletproof infrastructure.
Annual assessment/audit procedures – it is good practice to conduct regular audits of internal procedures and policies, and to document a summary of findings for future reference. Investors may ask to have visibility over this.
Access control policies – having a formal and well-documented access control policy in place is crucial to the safety of your organisation. The policy should be reviewed regularly to determine whether controls implemented are operating as intended. And, with remote working on the rise, firms should also be able to illustrate effective processes in place to deliver remote access.
Network security policies – having a robust firewall in place will give investors confidence in your network and its security, as will a strong intrusion detection system to prevent unauthorised access. Firms should also be mindful of protecting emails against spam and have a solution in place to ensure mobile devices and laptops are secure in the event of loss or theft. Ensuring emails and text messages are encrypted and archived is also crucial to avoid downtime, and will display a proactive side to the way you run your business to potential investors.
Physical security policies – whilst having a formal physical security policy is integral, it is also important for firms to implement changes and enhancements to the policy when necessary. Firms will need to illustrate access controls in place for any server rooms, to ensure only authorised personnel have access to critical systems. Another key element of physical security is managing visitors in the office. Organisations must ask themselves if the right steps are being taken to ensure visitors do not have the ability to access sensitive systems and documents.
Disaster recovery & backup – it is vital for businesses to have an effective disaster recovery and backup plan for unexpected downtime or an outage of any scale. Firms are encouraged to have a ‘when’ not ‘if’ attitude to disasters. Policies should be reviewed to determine whether controls are operating as intended and are still relevant as the threat landscape continues to evolve. Investors will more than likely request a copy of a firm’s disaster recovery plan as part of their operational due diligence procedure, so it is important for the plan to be thorough, with procedures, policies and training outlined, and regularly updated to ensure it is always relevant.
Systems and information security – regular vulnerability assessments are crucial to ensuring businesses are on top of systems and information security. Investors may demand transparency over security measures with respect to systems access. Firms may also be asked to describe in detail what security measures they retain on behalf of their client base, and how long the records are kept.
Managing third-party relationships – if firms decide to outsource any business functions, such as their IT, they must conduct thorough due diligence before choosing supplier(s) accordingly. It is good practice to investigate the following areas as part of this process, and to be able to readily share this information with investors if asked to do so:
- Vendor and subcontractor locations
- Auditing processes
- Cyber and data breach notification processes
- Business continuity & disaster recovery processes
- Certifications and history of service level compliance
We hope you found this article useful. Our team of experts is more than happy to answer any questions or discuss this topic further. Please reach out to them via email or telephone; see contact details listed here.
Download a copy of our whitepaper ‘Outsourcing in the Alternative Investment Management Industry’ to learn more about managing third-party vendor relationships effectively.