Every private equity deal team knows how to evaluate a balance sheet. Most know how to assess market position, management quality, and EBITDA trajectory. But when it comes to technology, even experienced deal teams often miss the risks that end up costing the most — not at close, but in the 18 months that follow.
After more than 25 years in technology leadership, including managing global infrastructure through one of the largest corporate bankruptcies in history, I’ve seen what happens when technology risk goes unexamined before a deal closes. The problems don’t announce themselves. They compound quietly — until they don’t.
Here are the five areas where PE technology due diligence most consistently falls short.
1. The MSP Contract Nobody Reads
Most mid-market companies run their IT through a managed service provider. When a PE firm acquires one of these companies, it inherits that MSP contract too — along with its liability caps, auto-renewal clauses, and performance terms that were negotiated years ago by someone who may no longer work there.
I’ve reviewed MSP agreements where the provider’s contractual liability is capped at one month of fees. On a $5,000 per month contract, that’s $5,000 of legal recourse for a breach that could cost ten times that to remediate.
What to look for: the liability cap, the termination for convenience clause, the SLA definitions, and whether performance is actually measured anywhere. Most of the time, it isn’t.
2. Cybersecurity Posture vs. Cyber Insurance Coverage
Deal teams increasingly ask whether a target company has cyber insurance. That’s the right instinct — but the wrong question.
The right question is whether the company’s actual security posture meets the requirements of the policy they’re paying for. Underwriters have quietly tightened their requirements over the past three years. Multi-factor authentication, endpoint detection and response, and documented incident response plans are now frequently listed as coverage conditions — not just best practices.
I’ve assessed companies that had cyber insurance in place but were actively out of compliance with their own policy terms. In a breach scenario, that policy wouldn’t pay. The deal team had no idea.
A 30-minute review of the insurance application alongside the actual security controls in place will tell you more than the certificate of insurance ever will.
3. Infrastructure Debt That Doesn’t Show Up on the Balance Sheet
Financial due diligence captures depreciated asset values. It does not capture the cost of running infrastructure that should have been replaced two refresh cycles ago.
End-of-life servers, unsupported operating systems, and networking equipment running on vendor-expired firmware are all common findings in mid-market companies. None of these appear as liabilities in the financials. All of them represent real capital expenditure in the first 12 to 24 months post-close.
I’ve seen companies where the infrastructure refresh requirement — just to bring the environment to a baseline of supportability — exceeded $400,000. That number was never in the deal model.
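The supportability baseline described above can be checked mechanically against an asset inventory. The following script is an added example written for this article, not the author's or Vertex's own tooling: it classifies each asset as end-of-life, expiring within a chosen horizon, supported, or unknown (not in the lifecycle table at all, which is itself a diligence finding), and totals the constructed refresh estimates for everything that needs replacing. The product names, end-of-support dates, hostnames and dollar figures are all constructed placeholders; real dates come from each vendor's published lifecycle pages.

```python
"""Flag end-of-life infrastructure in an asset inventory during diligence.

Added example, not from the article.  Every product, date, hostname and
cost below is a CONSTRUCTED placeholder for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed lifecycle table: (product, version) -> last vendor support date.
# HYPOTHETICAL values; in a real review these come from vendor lifecycle pages.
EOL_TABLE = {
    ("server-os", "v10"): date(2022, 6, 30),
    ("server-os", "v12"): date(2027, 1, 31),
    ("hypervisor", "v6"): date(2024, 9, 30),
    ("firewall-fw", "3.x"): date(2023, 12, 31),
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    role: str            # server, hypervisor, network ...
    refresh_cost: int    # constructed replacement estimate, USD


# Constructed inventory, as a diligence team might receive it from the target.
SAMPLE_ASSETS = [
    Asset("app01", "server-os", "v10", "server", 12_000),
    Asset("app02", "server-os", "v12", "server", 12_000),
    Asset("hv01", "hypervisor", "v6", "hypervisor", 35_000),
    Asset("fw01", "firewall-fw", "3.x", "network", 8_000),
    Asset("sw01", "core-switch", "legacy", "network", 20_000),  # not in table
]

AS_OF = date(2024, 3, 1)  # constructed assessment date


def classify(asset, as_of, eol_table, horizon_days=365):
    """Return one of: end-of-life, expiring-soon, supported, unknown."""
    end = eol_table.get((asset.product, asset.version))
    if end is None:
        # Untracked product/version: cannot be called supported, must be followed up.
        return "unknown"
    if end < as_of:
        return "end-of-life"
    if end - as_of <= timedelta(days=horizon_days):
        return "expiring-soon"
    return "supported"


def refresh_exposure(assets, as_of, eol_table, horizon_days=365):
    """Classify every asset and total the refresh cost of those that must be replaced.

    Unknown assets are reported but not counted; their cost is unresolved
    until the lifecycle status is confirmed.
    """
    findings = {}
    total = 0
    for asset in assets:
        status = classify(asset, as_of, eol_table, horizon_days)
        findings[asset.hostname] = status
        if status in ("end-of-life", "expiring-soon"):
            total += asset.refresh_cost
    return findings, total


if __name__ == "__main__":
    findings, total = refresh_exposure(SAMPLE_ASSETS, AS_OF, EOL_TABLE)
    for host, status in findings.items():
        print(f"{host:6} {status}")
    print(f"refresh exposure within 12 months: ${total:,}")
```

Run as-is, the script flags app01 and fw01 as end-of-life, hv01 as expiring within the year, sw01 as unknown, and reports $55,000 of refresh exposure that would otherwise be absent from the deal model. The horizon is a parameter so the same inventory can be re-cut for a 24-month hold-period view.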
4. The Single Point of Failure Nobody Talks About
In many mid-market companies, one person holds the institutional knowledge of the entire technology environment. They know the firewall password. They know why the ERP was configured the way it was. They know which vendor to call when something breaks.
That person is often not the CTO. They’re frequently not in a senior role at all. And they are rarely identified during due diligence.
When that person leaves — which happens more often than not following an acquisition — the technology environment becomes significantly more fragile overnight. I’ve seen it happen within 60 days of close.
Ask during diligence: who are the technology knowledge holders, what is their retention risk, and what documentation exists if they leave tomorrow?
5. SaaS Sprawl and the Licensing Audit That Never Happened
The average mid-market company is paying for 30 to 50 SaaS applications. Roughly a third of those are either underused, duplicated by another tool already in the environment, or being paid for at a tier the company doesn’t need.
Beyond the cost issue, SaaS sprawl creates security exposure. Applications provisioned by individual departments — without IT oversight — often have direct access to company data, no offboarding process for departed employees, and no inclusion in the security review cycle.
A basic SaaS audit conducted during diligence routinely surfaces $50,000 to $150,000 in annual savings. More importantly, it identifies the data governance risks that legal and compliance teams care about.
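The SaaS audit described in this section comes down to joining three things the target can usually export: the subscription list, each application's own user list, and the current HR roster. The script below is an added example written for this article, not the author's or Vertex's tooling. It surfaces the four findings the section names: accounts belonging to departed employees (the offboarding gap), department-provisioned tools outside central identity management, duplicate tools in the same category, and licensed seats nobody uses, with an annual savings estimate. All application names, users, seat counts and prices are constructed sample data.

```python
"""SaaS audit for diligence: orphaned accounts, shadow IT, duplicates, unused seats.

Added example, not from the article.  Apps, users, seat counts and prices
are CONSTRUCTED sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SaasApp:
    name: str
    category: str
    owner: str               # "IT" or the department that bought it
    sso: bool                # enrolled in the central identity provider
    seats_licensed: int
    cost_per_seat_year: int  # USD, constructed
    users: frozenset         # accounts from the app's own user export


# Constructed HR roster of current employees.
CURRENT_STAFF = frozenset({
    "ana@example.com", "ben@example.com", "cy@example.com",
})

# Constructed subscription inventory with per-app user exports.
# dana@ and eve@ have left the company but still hold accounts.
SAMPLE_APPS = [
    SaasApp("Docs-A", "file-sharing", "IT", True, 50, 120,
            frozenset({"ana@example.com", "ben@example.com",
                       "cy@example.com", "dana@example.com"})),
    SaasApp("Docs-B", "file-sharing", "Marketing", False, 10, 100,
            frozenset({"ana@example.com", "eve@example.com"})),
    SaasApp("CRM-X", "crm", "Sales", False, 20, 600,
            frozenset({"ben@example.com"})),
    SaasApp("Ticketing", "itsm", "IT", True, 5, 300,
            frozenset({"ana@example.com", "ben@example.com", "cy@example.com"})),
]


def audit(apps, roster, underuse_threshold=0.5):
    """Return the four audit findings as a dict keyed by finding type."""
    findings = {"orphaned": {}, "shadow_it": [], "duplicates": {}, "underused": {}}
    by_category = defaultdict(list)

    for app in apps:
        # Offboarding gap: accounts in the app that are not on the current roster.
        orphans = sorted(app.users - roster)
        if orphans:
            findings["orphaned"][app.name] = orphans

        # Shadow IT: bought outside IT and not behind central identity.
        if app.owner != "IT" and not app.sso:
            findings["shadow_it"].append(app.name)

        by_category[app.category].append(app.name)

        # Unused seats: active accounts well below licensed seats.
        active = len(app.users)
        if app.seats_licensed and active / app.seats_licensed < underuse_threshold:
            unused = app.seats_licensed - active
            findings["underused"][app.name] = unused * app.cost_per_seat_year

    # Duplicate tooling: more than one app serving the same category.
    findings["duplicates"] = {
        cat: names for cat, names in by_category.items() if len(names) > 1
    }
    return findings


def estimated_annual_savings(findings):
    """Sum the unused-seat cost across all underused apps (USD per year)."""
    return sum(findings["underused"].values())


if __name__ == "__main__":
    result = audit(SAMPLE_APPS, CURRENT_STAFF)
    for kind, detail in result.items():
        print(f"{kind}: {detail}")
    print(f"estimated annual savings: ${estimated_annual_savings(result):,}")
```

On the constructed data this reports two departed users who still hold accounts, two department-bought tools outside SSO, a duplicated file-sharing category, and $17,720 a year in unused seats. The orphaned-account and shadow-IT findings are the data governance items the section refers to; the savings figure is the part that lands in the deal model.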
The Bottom Line
Technology due diligence is not a checkbox. It is not a review of whether the servers are on and the backup is running. Done properly, it provides a deal team with a clear picture of post-close capital requirements, operational risk, and the technology gaps that will either slow value creation or accelerate it.
The firms that get the most value from technology diligence are the ones that treat it as a deal input — not a post-close afterthought.
Thomas Cloud is the founder of Vertex CTO Advisory, a technology advisory firm serving private equity firms and their portfolio companies in the Dallas–Fort Worth area. Vertex provides technology due diligence assessments, fractional CTO services, and infrastructure risk reviews for PE deal teams and mid-market leadership.