Ecommerce Due Diligence
Date: 13/08/2010
By Colin Watson, Director, Watson Hall Ltd
Information is the working capital of many modern businesses, and the systems that collect, process, use and store the information need to be robust.
Where ecommerce channels are an important component of a business' operations, investment decisions should consider the factors associated with the online presence. Other risk decisions which could benefit from ecommerce due diligence are assessments for cyber liability insurance or other risk management services, and decisions regarding potential suppliers and business partners.
Ecommerce applications
Websites and smartphone applications can include a complex mix of legacy systems and emerging technologies, multi-channel communications, disparate office systems, data from a wide variety of sources and delivery through software on possibly compromised devices.
The apparent value of an ecommerce application cannot be determined by revenues, costs and market share alone. There can be hidden dependencies and liabilities which may not be apparent from a short-term operational viewpoint, but these need to be identified and assessed as part of due diligence so that their significance is understood. Six recommended investigation aspects are described below.
Intellectual property - It is surprisingly common to discover that an organisation does not have full ownership of the designs, databases and software source code used to operate the website. The two most common issues in this aspect are, firstly, using other software developers' intellectual property without permission or contrary to the terms of use, and secondly, the development company or design agency retaining rights in the ecommerce application. The latter can be particularly problematic if work has been further sub-contracted and no agreements on IP ownership were specified. These issues mean an application may have to be completely re-built, or cannot be altered without using the original developers or agency team. Sometimes ownership or control of the primary domain name resides with another party. Alternative domain names (e.g. .com vs .co.uk) and similar domain names (e.g. those used by typo-squatters) should also be identified and their ownership checked.
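The domain-name check in the paragraph above starts from a list of candidates: the business's name under alternative top-level domains, plus common look-alike spellings that a typo-squatter might register. The following is an added example, not code from the original article or from Watson Hall Ltd, that builds such a candidate list and separates it into names the business already controls and names whose registration and ownership still need to be verified (for example via WHOIS). The `OWNED_DOMAINS` inventory, the `ALT_TLDS` list and the homoglyph table are constructed assumptions for the example; a real assessment would use the business's own domain inventory and the TLDs relevant to its markets.

```python
"""Added example: enumerate alternative and look-alike domain names for a brand
so that their registration and ownership can be checked during due diligence."""
import re

# Constructed sample inventory: the domains the business states it owns.
OWNED_DOMAINS = {"examplestore.co.uk", "examplestore.com"}

# Assumed set of alternative top-level domains worth checking (example choice).
ALT_TLDS = ("com", "co.uk", "net", "org", "uk", "eu")

# Assumed table of visually confusable substitutions used by look-alike domains.
HOMOGLYPHS = {"m": ["rn"], "w": ["vv"], "l": ["1", "i"], "o": ["0"], "i": ["l", "1"]}


def split_domain(domain):
    """Split 'examplestore.co.uk' into ('examplestore', 'co.uk').

    Tries a two-label suffix (co.uk) before a one-label suffix (com); falls
    back to treating the last label as the TLD for suffixes not in ALT_TLDS.
    """
    labels = domain.lower().strip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in ALT_TLDS:
            return ".".join(labels[:-n]), ".".join(labels[-n:])
    return ".".join(labels[:-1]), labels[-1]


def name_variants(name):
    """Generate common look-alike spellings of the registrable label.

    Covers single-character omission, repetition, adjacent transposition and
    homoglyph substitution, then keeps only syntactically valid labels.
    """
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                        # omission
        out.add(name[:i] + ch + name[i:])                       # repetition
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(name[:i] + sub + name[i + 1:])              # homoglyph
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
    out.discard(name)
    return {v for v in out if re.fullmatch(r"[a-z0-9-]+", v) and not v.startswith("-")}


def candidate_domains(primary):
    """All alternative-TLD and look-alike domains derived from the primary name."""
    name, tld = split_domain(primary)
    cands = {f"{name}.{t}" for t in ALT_TLDS}
    cands.update(f"{v}.{tld}" for v in name_variants(name))
    cands.discard(primary.lower())
    return cands


def triage(primary, owned):
    """Split candidates into those already controlled by the business and
    those whose registration and ownership still have to be checked."""
    cands = candidate_domains(primary)
    owned = {d.lower() for d in owned}
    return {"owned": sorted(cands & owned), "to_check": sorted(cands - owned)}


if __name__ == "__main__":
    result = triage("examplestore.co.uk", OWNED_DOMAINS)
    print("Already owned:", result["owned"])
    print(f"{len(result['to_check'])} candidates need a WHOIS/ownership check, e.g.:")
    for d in result["to_check"][:8]:
        print("  ", d)
```

The "to_check" list is a worklist, not a finding: a candidate that is unregistered is a defensive registration opportunity, one registered to the business under a different legal entity is an ownership question for the IP review, and one registered to an unrelated party is a brand-protection and phishing-risk item to record.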
Third parties - The ecommerce website will not be completely standalone. There will often be contracts with payment authorisation services and probably external hosting companies. But other contracts may exist for services such as postal address look-up, data sources and feeds, affiliate marketing, monitoring, data processing and fulfilment services. The ecommerce application may be highly dependent upon all of these being available and working seamlessly and little thought may have been given to redundant or standby services. The contractual obligations, warranties, service level agreements and other guarantees should be identified. Complaints, disputes and contract renegotiations should be determined.
Sensitive data - The geographical location of the business and its customers will determine which personal data protection mandates apply to the business, but it is often the case that adequate steps have not been taken to obtain or track consent for the use of personal data. Data may not be accurate if regular integrity checks and corrections have not been undertaken. The data may actually be a "toxic liability" rather than an asset. Other sensitive data, such as payment card information, may exist in old databases and systems, so the current live ecommerce application may not be the only concern. Therefore, information on data sources, consents, uses, and data retention and disposal policies and procedures should be obtained.
Security - Security considerations should be built into all stages of ecommerce application lifecycle from planning, through design, development, testing, implementation, operation and disposal. Evidence of security verification, problem detection and incident handling processes should be available together with results and reports. Procedures for disaster recovery and business continuity should exist and have been tested. Otherwise customer and other valuable data could disappear due to an accident or technical fault.
Operations - The maintenance and ongoing development arrangements for the ecommerce application may provide for privileged access by third parties to sensitive data and information systems. Examining who (and what) has access to the relevant information systems and business processes, and whether good change control processes are in place, can help identify the maturity of configuration and operational practices. Reviewing availability and load monitoring data, and details of previous and upcoming scheduled maintenance, may reveal systemic problems.
Customers - Analyse customer locations, spending patterns, credit provision, returns and disputes to gain an insight into the workings of the organisation that is wider than the application itself. For an ecommerce site, measures such as affiliate marketing costs, conversion ratios, visitor durations, bounce rates, page load times and shopping basket and checkout abandonment rates should be compared with competitors in the same sector. Online reputation measures such as customer groups, review sites, search engine rankings, and security and privacy monitoring should also be used to reveal additional useful data.
Concluding remarks
By undertaking due diligence checks in these six priority aspects, potential investors will learn much about the business and its ecommerce risks. In terms of investments, mergers and acquisitions, undertaking due diligence on the ecommerce aspects can:
- improve knowledge and negotiating position prior to investment,
- increase the likelihood of success if the investment goes ahead, and
- increase investor confidence.
The depth to which each aspect can be addressed will not always be the same, and obtaining the highest quality information requires positive engagement with the process by the business. In practice, any information helps reduce knowledge gaps and improve wider due diligence processes.