South Florida M&A Advisors Podcast

EP #17: IT Readiness For Better Deal Outcomes with Matt Kinsey

Russell Cohen Season 1 Episode 17

Buyers aren’t just buying your EBITDA. They’re buying your risk profile, and IT is a huge part of what makes a deal feel safe or scary. I sit down with Matt Kinsey of IT Fusion to unpack how IT readiness impacts valuation, deal multiples, and transaction certainty in the lower middle market, especially for businesses in the $2M to $20M range. If you’ve ever assumed “we’re too small to be a target,” this conversation will change how you see diligence. 

We dig into the IT due diligence surprises that spook buyers fast: weak access controls, missing multi-factor authentication, undocumented patching, untested backups, and the bigger issue behind all of it, a lack of repeatable process. Matt explains why mature IT practices make your numbers more believable and your operations easier to replicate, which is exactly what buyers want after closing. We also talk about hidden cyber risk, including the uncomfortable reality that attackers can sit inside a network for a long time before triggering a breach, leading to holdbacks, retrades, or even a buyer walking away. 

From there, we get practical. Matt shares what a deal-ready environment looks like, how to prioritize in the last 90 days before going to market, and why a third-party IT readiness assessment can uncover quick wins that don’t require massive spend. We cover key compliance and regulatory exposure, including HIPAA, PCI compliance, FTC Safeguards, and Florida privacy requirements, plus why frameworks like NIST can show “reasonable” cybersecurity governance. We close with post-integration pitfalls like messy data integrity and missing admin access that can derail timelines and budgets if they’re not cleaned up early. 

If you found this useful, subscribe, share it with a fellow owner or advisor, and leave a review so more sellers can avoid preventable IT and cybersecurity risks before a transaction.

Welcome And Episode Theme

SPEAKER_00

Welcome to the South Florida M&A Advisors Podcast, your trusted M&A team. Here's your host, Russell Cohen.

IT As A Deal Risk Profile

SPEAKER_01

All right, I'm Russell Cohen from South Florida M&A Advisors. And this morning, today, we have Matt Kinsey from IT Fusion. Thank you for joining the uh podcast, Matt. Glad to be here, Russell. All right, fantastic. So today, our theme is going to be how IT readiness impacts valuation and deal success in the lower middle market. And uh, Matt and I have known each other for a few years now, and we thought this would be a great topic to talk about the lower middle market. So, opening question uh for owners thinking about selling, IT is really often overlooked. How big of a role does it actually play in a transaction? Maybe you could shed some light on that.

SPEAKER_02

Well, I mean, like anything else, it depends. It's gonna depend on the buyer, it's gonna depend on their risk tolerance, uh, it's gonna depend on the industry you're in. Uh, you know, uh a trades deal may not be as impacted by a IT issue as a medical practice. Medical practice has a lot more IT needs, although that's changing on a daily basis with the introduction of artificial intelligence and how it's improving efficiencies and business practice across many organizations. Um the way I look at it, uh, I don't know how you think about this, Russell, but companies, buyers aren't buying a company, they're buying a risk profile. And IT is really part of the risk profile of the company. So the more mature it is, the less risk there is in the deal for the IT buyer, for the buyer. Uh, and and the more practices that they're doing, the less risk there is. So I think the question in their mind is okay, you know, you as the owner, you've generated, you know, X percent EBITDA. Let's say you're at at 15% EBITDA, you got a really efficient business. And they're like, well, can we replicate that? You know, can we improve that? Because if they just replicate it, then their payback time is is quite long. But if they can improve it, then and they don't have to invest in IT systems and cybersecurity and compliance, then there's less money that they have to put in after the deal closes.

Due Diligence Surprises And Weak Controls

SPEAKER_01

Thank you. That's great. Yeah, it just depends on the the type of business that the advisor is selling, there's bigger risk, like you said, in medical versus the trades, which is very common, which I'm dealing with. Um, what do you from your experience, what's the most common IT issue, uh surprises that you would see during due diligence? The quality of earnings.

SPEAKER_02

I I I think the biggest thing is is can I trust the data that I've got? And when you don't have mature IT systems, it brings the quality of that data into question. Um, you know, it's just it's a sign as how trustworthy is this company? You know, I think the biggest thing I see is lack of controls. Uh so you know, they're doing things, they've got they've got the software, they've got antivirus, they they may have phishing protection, they may even be doing things like security awareness training, but are they locking out administrator access? Are they using multi-factor authentication where they need to? Do they have a firewall? I mean, these types of technical questions that come up, uh, you know, and as well as the process questions. You know, it's about how mature the business is. If I'm going to buy a business and they've got written processes that are easy to follow, easy to understand, I feel really good that we can replicate or improve the results. But if they don't have that written processes, I don't feel that way.

SPEAKER_01

I would think the larger the company, the more likelihood they've made that investment. The smaller, smaller companies are are probably thinking about it or haven't made that huge capital investment. Uh, but I would think the larger companies you you would think so.

SPEAKER_02

You would think so, but I mean I I recently went into a a 25-person firm that's doing um somewhere around six million dollars a year. So a lower middle, you know, a lower market M&A deal. Um their controls are woeful. Haven't invested the money into their infrastructure. They have they haven't. They they they've thought I'm not a I'm not a target, which is uh completely inaccurate, but I think we'll get into that a little bit later. Yeah, no problem.

Valuation Hits And Hidden Breach Risk

SPEAKER_01

So uh can IT infrastructure uh actually impact valuation on deal multiples?

SPEAKER_02

You know, I I've seen it happen, um, especially in in data sensitive organizations, uh, but even in lower deals, it's you know, what am I going to have to invest? Let's say I'm a buyer and I'm adding a company into my portfolio. What am I going to have to invest in order to get it up to standards?

SPEAKER_01

That's a lot of a lot of times these uh private equity groups have these larger companies that already made that infrastructure investment. Now they're doing the add-ons, and and the companies that they're buying had very minimal investments, so they know they got to bring it to the next level.

SPEAKER_02

Yeah, and and the standards just aren't there. Um and you know, now some of it's sunk cost. If if I have a standard that I use uh CrowdStrike and you're using something else, well, I know I'm gonna stop using, I'm gonna put CrowdStrike on as a buyer because that's what I use everywhere and I can manage it. But there's not a hidden breach that I'm worried about, and that's I think what concerns people because quite often the cyber criminal is in your system for a long period of time before they actually trigger their cyber criminal activities. They're trying to figure out who who you are, what data they have access to, can I copy the data so that now I can I have something to sell even if I don't get money from you, I'm gonna get money from other people with your data. There's all these questions that the cyber criminal has. And uh, you know, we've seen deals, we've seen instances in the news where they've been in the system for years without being discovered, and that's a hidden risk. And sometimes what I'm seeing now is um holdbacks on the deal, you know, for a certain period of time to make sure there wasn't a cyber breach, to make sure there wasn't some hidden liability, especially with the compliance standards. If something happened six months ago and now I bought the company and I wasn't aware of it, and now there's a data breach, and I as a new owner have to notify all my customers and go through all this. Well, that's money out of my pocket that I wasn't planning to spend.

What Deal Ready IT Looks Like

SPEAKER_01

And it's something that happened from before the deal took place. Pretty scary that you mentioned they're actually sitting in there waiting, waiting for the time to strike. You're like, oh my god. Yeah, that's unbelievable. Who would think that, you know, they would just be waiting. But um, so what does a deal-ready IT environment look like for a two to twenty million dollar business?

SPEAKER_02

Uh I think what it looks like is that you have mature IT practices, so you have the systems, the IT systems in place to manage your IT. You have a a map, uh, an atlas of what your systems are and how the data flows between them so that I can do the risk analysis. Uh, you have the cybersecurity tools that you need to not only protect, but to detect and to recover in the case of a breach. And you've got the compliance standards based on your industry, uh, you know, whether that's HIPAA or PCI compliance because you take credit cards, or FTC safeguards because you're an auto dealership, uh, or Florida Information Protection Act of 2014, because you have certain types of data in the state of Florida, uh, because I know you might primarily work in Florida. Um, I I those are the types of things because they don't want a hidden risk to pop up after the deal.

SPEAKER_01

So if the owner had 90 days before going to market, which you know, that's not much time, you know, where should they focus from an IT standpoint?

SPEAKER_02

Uh I it's it's really hard to say. That's where you want to get an analysis, and what we're seeing on deals now is due diligence on the IT systems to make sure. Uh, so what I would do is I would get an analysis from somebody and say, okay, let's get an analysis. So this is something my company offers and and many other companies offer. And they'll come in and say, okay, here's what you need to do to maximize the value. And what's uh like any other business decision, what's going to give me the biggest impact on the deal? You know, I'm sure you walk in and people's books are a mess. Uh you know, so you bring in an accountant, you clean up the books, and that has a huge impact on the deal for a relatively small amount of money. So that's the same question I think you want to ask, especially if you're intending to sell the business. Uh you want to say what can make the most amount of sense for me to implement now. And a lot of times it's not technology, it's process. You know, I just met with a um a company doing a cybersecurity assessment, and we found 250 social security numbers in documents on their system that I was easily able to access. Well, they already have a secure document storage facility. It's just people were downloading it, they were uploading it to their secure facility, but they weren't removing it from their downloads folder. So that's a process that was easy to fix. It didn't cost them anything to fix it, it just cost them some due diligence to make sure that people were doing the right thing. Uh, but then we also found some some technical issues that were low, like their their firewall was outdated. Well, you can get a firewall for under a thousand dollars. Right. All right, and and get those protections in, and now you're protecting the data better, protecting the business better.

SPEAKER_01

What are the biggest uh IT red flags that you typically uncover during diligence?

SPEAKER_02

Uh I'd say the biggest one is just lack of process. Um, you know, that we you don't have the policies, the processes, the procedures in place to protect the business. You know, simple things like when do you run your security patches? You know, are they run on a schedule or are you just letting Microsoft control it? Uh are you testing them? What are you doing with backups? Uh, how often are you backing up? How often are you testing your backups? Do you have a business continuity plan in case uh in case you have a fire at your location? Uh what about the data? Is the data stored just locally, or is there a backup stored in the cloud as well, so you always have access to it? Uh these types of questions about resiliency. Uh, you'll hear the phrase cyber resiliency. And the more resilient your business is, the more it's able to withstand uh potential downtime because of a system failure or because of a security issue, the more value there is in your company and the less risk there is to the buyer.

SPEAKER_01

Now, have you seen uh deals delayed or retraded because of IT issues? Have you seen that firsthand?

SPEAKER_02

Uh yes, we we had a client who was acquired. We fortunately were able to keep them as the IT company after the acquisition. Um, but we we received a document uh from the buyer, and it was a it was a long document. I mean more than 10 pages. I won't tell you exactly how many, but it was more than 10 pages. It took us quite a while to go through and fill it out. Uh, we did charge the the company for that because that's not part of the normal maintenance. Um, you know, we sent them our contract and then they sent back a bunch of questions. I didn't charge them to send the contract, but I charged them to answer the other questions. Um, and uh about a week later, after we sent it back, the owner of the local company called me and said, We need to fix these things or the deal's falling apart. Oh my god. Unbelievable. And and the thing is that these were things I had been talking to the owner about investing in for at least a year.

SPEAKER_01

Yeah, you're planting the seed, but they were probably thinking they were probably selling, so why would we need to do that, right?

SPEAKER_02

Right. And the owner, the the buying company just said, we're not purchasing unless you address these. Some of them did not cost any money to address, some of them were process. They wanted a business continuity plan, they wanted a disaster recovery plan, they wanted um an incident response plan, like who do you call, where's the cyber insurance, etc. Uh, they wanted an insurance policy to cover the company. Um, so there were all these things, and and every deal's different. And this one was in the trades, which was interesting.

SPEAKER_01

Amazing. Well, I guess you know, a good lead-in is your uh, you know, is your company's IT private equity ready? Because it sounds like most companies aren't. And everyone has a goal of selling in the long run. If you know they're gonna work on putting the money into the books, they got to put the money into the IT because the private equity group's at the probably at the very highest level, uh, and you're not.

SPEAKER_02

Well, well, look at it this way. Let's say you're in the trade. I know you do a lot of work of the trades, and you've got a fleet of vans, and all of your vans are 15 years old. Okay, and they're they've all got 200,000 miles on them. Well, what is the owner thinking? Because I'm gonna have to buy a I'm gonna have to buy a dozen new vans right to close the deal. Um, it's the same thing. If you've got antiquated systems, they know they're gonna have to buy new systems to get it up to speed.

SPEAKER_01

Now let's talk about cybersecurity, because that's very important. I know you're really uh strong on that uh on top of all the topics in your industry. Uh, how are buyers evaluating cybersecurity risk in smaller businesses today?

SPEAKER_02

Uh it is an essential, I think, from what I'm uh what I'm seeing more and more. Um now, again, it depends on the industry. You know, uh a small restaurant that's got 30 seats in it doesn't have the same issue as you know a multi-location company that's dealing with uh more sensitive data. So that's always true. But the truth is every single company is a target because most of these attacks are automated. So there's not some guy going, oh, I want to go after Russell's business. There, I'll use an analogy. Um, where I live, I guess about a year ago, we got a notice from the police to remind us to lock our car doors at night. Because there were a group of people going up and down the streets and just trying to open your car door. They weren't targeting you specifically, they just came to your street, walked down, and if they could open your car door, they would get in and rifle through and see what they could get out of your car. All right, it's the same thing. That's what these automated systems do. They're searching the internet and they go, oh, that's interesting. I can get in. Now let me see what I can do. But if they can't get in, they move on to the next target.

SPEAKER_01

So uh small or large, everyone's a target at the same time, basically.

SPEAKER_02

Everyone's a target. Now there are some industries that are more targeted because, for example, health data is extremely valuable on the internet, financial data is extremely valuable to cyber criminals. Uh, you know, so those two areas in particular have have large values, and that's why you see in um federal standards like FTC Safeguards, like HIPAA, to help protect that data.

Must Have Cybersecurity Before Market

SPEAKER_01

So, what are the must-have protections before going to market?

SPEAKER_02

Uh well, you you have to have some type of anti-malware. Uh, so that is um, you know, whether that's antivirus or EDR or MDR, there's all these different terms. Um, but you need to be able to protect your endpoints. You need to be able to protect your network, the physical, the physical network where your people work. Uh, you want some type of monitoring from a third party. So a security operations center that's watching the system for signs of compromise 24 hours a day. Uh, and you pretty much now you need to have security awareness training because the weakest link is your people. Uh, so these are things like sending out fake phishing emails to see who clicks on them. Uh, these are things like sending out security tips on a regular basis, annual security training is required by some industry standards and some federal standards. So, those types of things I think are the absolutely core essentials that every business needs. And if you talk to most third-party IT providers, they're going to provide those. Have you seen a breach impact a transaction? I've seen a breach kill a transaction.

SPEAKER_01

You know? Yeah, that's crazy.

SPEAKER_02

Yeah, I mean horrible. Oh, well, the you know, let's put it this way: it was a medical office, there was a breach. There were they were in the due diligence, they had to obviously they had to report the breach. The buyer walked out because now the company is gonna have to spend six figures to address the breach.

Readiness Assessments And IT Debt

SPEAKER_01

Well, there you go. Yeah. So going on to like a prep preparation playbook, what does IT readiness assessment look like before a sale? Because you mentioned that in the past.

SPEAKER_02

Yeah, I I think what it looks like is getting somebody in, um, and there there are companies that do this, we can do this, we can come in and do an assessment. We can do a security assessment, we can do a process assessment. Um, it's a relatively simple process, and we can identify things that you would want to address prior to sale to increase the value of your business. Um, you know, I honestly I don't recommend using uh AI to do this process right now because the AI can't get into your system. It can tell you things to look for. So it'll ask you this. Uh, you know, and and I just I went through and and just just to see what it would say, I went through and it was talking about you know, cybersecurity is now uh what they call it a deal gateway. Um are you scalable? Uh the biggest thing is you know IT debt. And what they mean by IT debt is things that you should have invested in or you would have been wiser to invest in and you haven't, and now that's creating a debt to the business that's not on the books that needs to be dealt with. Um, and then the big thing is compliance and regulatory exposure. Um, that is huge because uh if you have issues with IT regulations in your industry or from the federal government that you're supposed to be meeting and you're not, that is a huge risk to the organization.

SPEAKER_01

And how far in advance would you uh start preparing how uh where sellers should start preparing for IT?

SPEAKER_02

I I would begin a year out. You know, I would begin a year out. I mean, how how quick do you need to fix your books? Well, uh a year out, yeah, you know. Uh I mean this is not something where you just decide, oh, I'm gonna sell my business. And and let's be honest, uh, very few businesses sell in 90 days. Okay. There's a whole process, especially the bigger the deal. I mean, I know you I remember a couple years ago, you know, you were working on a deal for a year, okay, and and it almost fell apart multiple times. What you want to do is you want to eliminate the reasons the deal's gonna fall apart that you can control as as the business owner. And IT is one you have complete control over. You know, the buyer doesn't care which antivirus you're running, they want to know you're running antivirus, they want to know somebody's looking at your system, they don't care whether you're doing it in-house or you're using a third party. Um, but I would definitely bring in a third party to look at this. If you if your IT people are in-house, I'm sure they're great people. I'm sure that they're doing the best job they can. There are things they probably don't know. You know, that's why I have a team of nine people. There are things I don't know, but there are other people on my team who know them, and I bring them in.

Post Close Integration Breakdowns

SPEAKER_01

So let's say we we get to the closing table and now we're in post-integration. Um, so where does the IT integrations usually break down post-closing?

SPEAKER_02

So the reality is that something like 80% of IT projects are late and over budget. Okay. Um so the biggest area we see it is in data integrity. You know, um, some companies aren't very mature in the way they they track their data, you know. So I'll use my industry. Um I have multiple systems that record a company name. Okay. Is that company name recorded the same place everywhere? So that when I pull data in, I don't have to do a lot of data cleanup because that adds a lot of cost to it. Is my data and they call it normalized data? So does it always say South Florida M&A, or does it say South Florida mergers and acquisitions? Does it say Russell Cohen? I mean, all of those could be you uh as a company, but how is it actually recorded in every system? So when I pull the data over, I don't have to do a lot of cleanup because that adds a lot of cost to most deals. Um, is the data so is the data clean? The other area is you know, do you have administrative access to everything? You'd be surprised. Uh I I met with a company, um, they did not have administrative access to their Microsoft email tenant. Okay, because their previous IT company that they fired refused to give it to them, and we had to go through a process with Microsoft to get it back. We were able to do it, but it was a pain in the neck, and it delayed things while we were doing it that could have broken a deal. You know? So those types of issues are really important as you work through them to make sure that your deal there's not another reason for the deal. There's enough reasons for a deal to fall through.

SPEAKER_00

Yeah.

SPEAKER_02

You're just trying to remove things that you have control over. Just be more proactive, no doubt, right? I I think that's the bit the the standard in most um industries right now, and the standard in court is what would a reasonable business owner do? And and that used to be this nebulous term, but the court cases over the last few years have pretty much defined what a reasonable business owner does. And it says, I picked a standard and we're following it, whether it's the NIST standard, whether it's a CSF standard, there's all these different um industry standards for cybersecurity and IT management. So we picked one and we're following it. Okay, and and we're on this journey. And if you're on the journey, you immediately create more reliability in the data that you're presenting, even if you're just you know a few steps into the journey. You know, maybe you're not all the way down at the end of the journey, but you're on that process because it's a thought process as much as a technical issue.

Three Moves To Prepare For Sale

SPEAKER_01

Thank you. Yeah, so we're gonna one last question. And let's say if a business owner uh was planning on selling uh in the next one to three years, what top three IT moves can they make today to make more and make their uh their business better prepared for sale?

SPEAKER_02

Well, first, if you haven't had a third-party assessment, get a third-party assessment scheduled. Have someone come in and look at your business, just like you have your CPA come in and look at your books, you know, have someone come in and look at your business and make sure uh and that they'll help you identify specifically in your business what needs to be done. So that's number one. Number two, plan to invest something. Okay, you know, figure out what your business is and then leverage that for the things that are going to make the most um business sense. And those are things that are going to do one of three things. You know, if you're gonna bring in IT sales are gonna increase uh IT projects are gonna increase sales, buyers love that. If you're gonna do it that it's gonna reduce costs, buyers love that. And if you're going to do it that it reduces reduces your risk profile, buyers love that. So those are the areas to do that. Things that are nice to have, put on the shelf. You don't you don't need those. But if they're gonna increase sales, reduce costs, or reduce risk to the organization, then that's where I would invest my money.

SPEAKER_01

Perfect. So, you know, a seller has a team of advisors, they got their financial advisor, they got the M&A advisor, they got legal counsel, uh, they have consultants coming in. You know, it you would think that it would you're part of the team. Matt Kinsey and IT Fusion is part of the seller's team to guide the business owner to the finish line. So, you know, it's it's a natural if you're gonna uh work with a a professional buyer, uh you need professional experts in every angle of your business, uh, because these buyers, this is what they this is what they do for a living, and and and most owners don't understand the IT part completely. So it's so important to have those special advisors as part of the team to get to the finish line.

SPEAKER_02

What why do you think people have created a business out of um removing removing your experience of having to go to a car dealership to buy a car? Yeah, you know, why why are people willing to pay or actually you don't even have to pay in most cases because the dealer will pay them and they'll go through and they'll negotiate the deal for you. Uh they'll they'll get the car delivered to you because they're experts in this and they know how to get the best deal on the car.

SPEAKER_01

So, Matt, why don't you uh give a little plug for your company and how can people reach out to you? And and uh that would be great to because you've you've helped so many business owners today understand what their IT needs will be, you know, so so important in an M&A transaction.

SPEAKER_02

Yeah, uh so we're located here in Southeast Florida, uh in in Broward County. Uh all three of our partners are here in Broward County, uh, but we have customers all the way west to California. Uh so um we haven't expanded north. We've been going west, but not more, not too much north so far. Uh but um we've got a team of nine people here. Uh we're we work primarily with legal and CPA firms, but we also have many clients in the trades uh that are willing to invest the money to create mature IT systems to reduce their business risk. Uh so we focus on it as a business risk rather than you know an IT maintenance issue. It's what's the business risk? How can we help you manage that? Uh so our website is itfusiontech.com, and you can email us at info at itfusiontech.com or give us a call at 954-900-1654. And we'd be glad to do an assessment. Uh, just for the if you mentioned that you were on this podcast and wanted interest it, we can do a complimentary assessment for you, courtesy of Russell Cohen, and we'd be glad to do that for you to help you as you work through your IT process in preparation for a sale.

SPEAKER_01

Matt, thank you for coming on the podcast. Extremely educational, so important. Uh, it has got me thinking uh even more in my deals now. So uh definitely we'll be uh bringing you in some of those deals to make sure we're private equity ready. And I say that all the time. So thank you for joining the podcast.

SPEAKER_02

Glad to be here, Russell. Have a great day.

SPEAKER_01

You too.

SPEAKER_00

Thanks for listening to the South Florida M&A Advisors Podcast. For more information, visit SouthfloridaMA.com or contact 954 646 7651.