Tech Due Diligence — health checkup of an IT-unicorn

Innovative blood tests, hydrogen trucks, smart AR helmets and vegan mayonnaise. A pretty decent variety, isn’t it? But what do these points have in common? The fact that all of them went wrong. Of course, perhaps at an early stage, the authors-innovators were planning a breakthrough, but in reality it all boiled down to trivial fraud: fake test results, fraudulent financial reporting and outright deception of employees and investors. To find out how to avoid this we talked to Anatoly Zemtsov, an IT-lawyer and co-founder of DFCenter consulting that specializes in expert support of lawyers in complex litigation related to IT.

How come founders turn implementing an original idea into a banal fraud? There is no definite right answer. Perhaps one of the founders underestimated the complexity of the task and told investors so much about the great future during pitches that they believed it themselves. And while implementing the idea, when faced with objective and sometimes technically insoluble obstacles, they did not have the guts to stop everything, or at least make a timely pivot. This is, perhaps, understandable as the most stubborn ones often win. But few people can feel the line where perseverance and faith in oneself and the team is already being replaced by a manic phase and fanaticism.

It can happen differently, too. Let’s say a founder planned to "make money" quickly from the very beginning. They wanted to raise money from investors for beautiful words and colorful presentations, and then spent everything on personal needs rather than product and company development, namely a beautiful life with all its attributes from parties, sports cars and private planes.

Stories about magic ampoules from Theranos and trucks from Nikola One are gradually becoming a generic name, but even today not all investors are aware of such threats or pay attention to them. Although outright fakes like this one are no longer flawless.

How can we understand a project is fraud and correctly evaluate it? After all, this is something previously unheard of and incomparable, so to speak, disruptive innovation.

Indeed, no one can ensure that the technology is not based, for example, on an incorrect scientific hypothesis. But to filter out the risk that the product is in reality extremely far from the description in the presentation is a completely feasible task. MVP is an important stage, but if the start-up stops there, and "development" continues exclusively in emails to the investor, it is better to find out about this before this investor gives their money to the project. Independent audit helps to solve this problem.

Due Diligence is usually understood as a pre-investment audit - a fairly common practice of checking a company preparing for investment or sale. It is not the case on the Seed round, but starting from round A or in large M&A deals (Mergers & Acquisitions are two main types of transactions, when you can buy / sell a business or a part of it, as well as combine companies. - Startup Jedi) it is a must. Large investors hire specialized auditors, accountants and lawyers to get an idea of the real state of affairs of the future "unicorn". They check everything and prepare an independent opinion on possible financial and legal risks. They look for unpaid taxes, delays in contracts, courts and property rights - anything that can negatively affect the value of the company and trouble the investor.

At a time when people invested in factories, machine tools and other tangible assets, this was quite enough. And today, when the main asset of many startups is intellectual property, technology and the software code in which it is embodied, it is not enough to just look at the “papers”. It would be nice to check this code, too. You need to check its quality and figure out what it is made of. Therefore, Due Diligence must be technological.

ПЛАШКА Tech Due Diligence helps both investors and companies minimize risks

Companies usually have at least two risks associated with their own product, as regularly shown by judicial practice.

Thus, open source is very nice and convenient. But do not forget that it is not always free and certainly not ownerless. It is distributed under very specific terms of open licenses and has clear rules and restrictions on use.

Most recently, in mid-October 2021, in the United States, the Software Freedom Conservancy (SFC) filed a lawsuit against smart TV maker Vizio Inc. This company is far from small even by American standards with billions of dollars in turnover, and shares on the New York Stock Exchange. Here is what happened: Vizio uses open source in its commercial products with a GPL license, which in itself is not prohibited. However, according to the rules of the GPL, if you use open source in your development, you must provide the source code of your products at the first request of any person. But what commercial company is ready to share its developments with the market just like that? Neither is Vizio. Since 2018, the SFC has been writing claims and complaints to Vizio, but the company ignored them. And now it has come to the Californian court.

Another risk for an IT company can be, oddly enough, the professional background of employees. Sometimes a retired employee seizes the development of a former employer. And they use them later in a new workplace, while their new employer is often unaware of it, or in their own project.

Apple regularly makes similar claims to its former employees. А former Google engineer Anthony Lewandowski not only was himself sentenced to 18 month in prison for copying materials related to the development of drones from corporate databases, but also threw a curve on Uber. It was to Uber that he sold his startup based on stolen information, and he took over the post of vice president of technology there. When everything was revealed, Google sued Uber, accusing it of using stolen intellectual property and damages of $ 500 million.

Such cases, albeit with lower fines, are not at all uncommon in Russian courts today.

1. You will need a team of independent IT specialists who know how to write and analyze code. It can also be an individual expert if the project is small. But programming skills alone are not enough as you need to have an understanding of the situation in the IT sector as a whole, including problems, trends, prospects, and also have experience in IT-related areas.

You will also need skills for legally significant code comparison. This is done by computer-technical expertise, which helps to sort out complex legal disputes over software rights or, for example, in cases of plagiarism. Therefore, the team must have a specialist who is familiar with this practice. And of course, this team must have the infrastructure to launch and research such projects.

2. You need to transfer the code to experts or provide remote access to it. It can be either just program code written to a USB flash drive, or access to GitHub.

A small example can be conveyed at the discussion stage, but it is highly advisable to provide the bulk of the code for analysis if there is a contract and especially a confidentiality obligation. We are talking about minimizing risks, not increasing them.

3. The next step will involve IP / IT lawyers who conduct risk assessment. If there are risks, they help eliminate them, for example with clearance of rights or with the correct licensing.

So it’s a win-win situation, and the "unicorns" are growing to the delight of their founders.