Every industry.
Every IT complexity.

M&A IT challenges are industry-specific. Manufacturing has OT. Financial services has DORA. Healthcare has HIPAA. ACQI has discovery modules built for each sector's unique complexity.


Private Equity

Private equity firms executing 1-3 platform acquisitions per year face a fundamental tension: IT due diligence demands thoroughness, but deal timelines demand speed. A 2-week LOI window leaves little room for the 124-module discovery that captures full technology risk. Post-close, the complexity multiplies — each portfolio company runs on different infrastructure, different vendor contracts, different security postures, and the PE deal team is expected to track IT risk across the entire portfolio from a single dashboard. Integration timelines compress as sponsors pressure management to capture synergies within the first 100 days, but IT integration work follows its own calendar of dependencies. ACQI built its platform specifically for this cadence: rapid discovery that fits LOI timelines, automated reporting that keeps deal teams informed without requiring IT expertise on staff, and a portfolio-level view that surfaces risk before it surfaces as a surprise at the next board meeting.

5-10 portfolio companies in a typical PE portfolio

Key challenges

IT DD scoped to a 2-week LOI window while target leadership is simultaneously managing normal business operations and responding to buyer questions
Add-on acquisitions with 72-hour decision windows that require risk assessment without the luxury of a full 124-module discovery cycle
Portfolio companies running on aging infrastructure that has accumulated 5-7 years of technical debt with no documented asset inventory
Integration cost estimates that consistently run 40-60% over initial projections due to legacy system dependencies unknown at LOI
Synergy targets that include IT cost savings but lack baseline visibility into current spending across licenses, contracts, and headcount
IT leadership bandwidth stretched across simultaneous portfolio company initiatives with no dedicated resources at the fund level

ACQI covers

124-module discovery engine completable in 2-4 weeks with automated evidence collection that reduces target burden by 60%
72-hour fast-track DD using pre-built questionnaires and lightweight scanning that captures 80% of material IT risks for add-on assessments
Portfolio IT dashboard with automated risk scoring across all holdings, updated quarterly without requiring individual company engagement
Integration cost model with built-in contingency frameworks calibrated against 200+ manufacturing and technology integrations
IT Synergy Tracker template pre-populated with industry benchmarks for license rationalization, infrastructure consolidation, and headcount optimization
Automated board-ready reporting that translates technical findings into business risk language for investment committee presentations

Manufacturing

Manufacturing acquisitions present an IT due diligence blind spot that costs buyers millions in post-close remediation. The factory floor runs on Operational Technology — SCADA systems controlling PLCs, MES platforms tracking production, and industrial networks that were never designed with cybersecurity in mind. Standard IT due diligence finds the corporate email server and the ERP system; it misses the Windows 7 machine running a 2003-vintage SCADA HMI that controls a production line representing 15% of the target's capacity. Ransomware groups specifically target manufacturing because production dependency creates ransom leverage — a compromised PLC can halt an entire plant. Post-close, IT/OT integration requires coordinating with production scheduling, validating that security changes don't affect manufacturing safety systems, and navigating vendor relationships with industrial equipment OEMs who maintain remote access to production-critical systems.

70% of manufacturers targeted by ransomware

Key challenges

OT environment completely invisible to standard IT discovery tools that only scan IP-addressable IT systems
SCADA HMIs running Windows 7 or Server 2008 with no patching cadence and manufacturer support contracts expired years ago
IT/OT network segmentation that exists only as a design document, not as enforced firewall rules — production networks accessible from corporate IT
Vendor-managed OT systems where the equipment OEM holds remote access credentials and provides no asset inventory to the owner
Industrial protocols (PROFINET, EtherNet/IP, Modbus) that transmit sensitive production data with no encryption and default vendor credentials
Production-critical systems that cannot be patched without scheduled downtime, creating remediation timelines measured in months rather than weeks

ACQI covers

OT-specific discovery modules for SCADA, DCS, and PLC environments using passive network monitoring that doesn't touch production systems
Industrial network architecture mapping that identifies all OT assets, their communication patterns, and their dependency relationships
IT/OT segmentation assessment against IEC 62443 standards with specific remediation recommendations prioritized by exploitability
Vendor remote access audit identifying all OEM connections, their authentication methods, and session duration patterns
Cybersecurity posture scoring for OT environments using NIST CSF framework with manufacturing-specific maturity benchmarks
OT-specific incident response planning that separates IT incident response procedures from production-safe OT recovery sequences

Financial Services

Financial services M&A carries regulatory obligations that don't pause for integration work. The Digital Operational Resilience Act (DORA) requires ICT third-party risk registers, Threat-Led Penetration Testing (TLPT) every three years, and incident reporting within strict timelines — obligations that transfer to the acquirer at close. A target's cloud concentration risk becomes your concentration risk; a target's ICT incidents become your regulatory reporting obligation. For insurance sector acquisitions, Solvency II capital calculations depend on operational risk models that include IT continuity assumptions. Post-integration, the regulator will scrutinize whether your ICT risk management meets the standard that existed before the transaction. ACQI's DORA readiness framework was built with European banking and insurance supervisors' expectations in mind, covering the ICT risk management requirements that financial services acquirers inherit at closing.

3 years between mandatory TLPT cycles

Key challenges

DORA ICT third-party risk register incomplete, missing critical vendors who process data under arrangements that meet the threshold for ICT services
TLPT testing cycles that require 6-9 months of preparation and are only valid for 3 years — gaps in coverage create supervisory findings
ICT concentration risk from single-cloud-provider reliance that creates systemic risk the regulator specifically monitors
Regulatory incident classification and reporting timelines that require pre-built procedures, not ad-hoc responses after a breach
BC/DR plans tested annually with evidence packages that satisfy neither the business continuity team nor the regulator independently
Critical function mapping incomplete for significant entities where ICT failures could compromise systemic stability

ACQI covers

DORA ICT third-party register audit against ENISA guidelines with vendor classification matrix and concentration risk scoring
TLPT readiness assessment covering threat intelligence, vulnerability management, and the 14 TLPT requirements from EBA guidelines
Cloud concentration risk scoring across Azure, AWS, and GCP with dependency mapping that identifies single points of failure
ICT incident log analysis with automated correlation to DORA incident classification thresholds and reporting timeline tracking
BC/DR test evidence review against RTS on ICT testing and the EBA guidelines on ICT risk, producing board-ready documentation
Critical function dependency mapping for significant entities under SREP methodology, linking ICT systems to financial stability thresholds

Healthcare

Healthcare acquisitions carry HIPAA compliance obligations that follow the Protected Health Information (PHI) regardless of what happens to the covered entity status post-transaction. When a private equity firm acquires a healthcare services platform, the PHI inventory — patient records in EHR systems, billing data in practice management software, treatment plans in care coordination platforms — creates remediation liability that can survive well beyond the integration period. The HIPAA retention requirement for PHI is 6 years from the date of creation or the last effective date, whichever is later. Post-separation, if a covered entity is dissolved or restructured, the compliance obligations around retained PHI don't automatically dissolve with it. Acquirers face BAAs with gaps that expose them to breach notification requirements, PHI in SaaS applications where vendors never signed agreements, and EHR systems with access control configurations that haven't been audited since implementation.

6-year HIPAA minimum retention for PHI

Key challenges

PHI inventories incomplete — SaaS applications used by clinical staff that were never assessed for HIPAA compliance and have no Business Associate Agreements
EHR systems with multi-year access accumulation: former employees, departed contractors, and integration specialists who retain system access post-departure
Covered entity status transitions that require notified changes to business associate agreements and potentially new hybrid entity arrangements
6-year HIPAA retention requirements that create data guardianship obligations for separated entities long after integration teams have moved on
Clinical systems with patching constraints — EHR vendors who withhold support for version upgrades until the customer commits to a full migration
BYOD policies where clinicians use personal devices for PHI access but the organization has no visibility into device security state or data copying

ACQI covers

PHI inventory across all SaaS platforms, file shares, and EHR systems using a data classification engine that identifies ePHI by content patterns
BAA gap analysis against all PHI-handling vendors, scored by risk tier with specific remediation recommendations for non-compliant arrangements
EHR access control audit and automated deprovisioning workflow for HR-integrated access termination across Epic, Cerner, and MEDITECH
Covered entity status transition planning including hybrid entity designation, affiliated covered entity configurations, and BAA hierarchy mapping
PHI migration path with HIPAA controls maintained end-to-end, including encryption validation and access logging during data movement
Incident response plan for PHI breaches with notification timeline tracking, covered entity coordination procedures, and OCR reporting workflow

Technology / SaaS

Technology acquisitions involve complexity that compounds in ways other industries don't face. A 5-year-old SaaS company typically runs across Azure, AWS, and GCP simultaneously — engineering teams provision resources in the cloud that makes sense for their specific workload, and the CFO finds out about the third cloud provider at due diligence. Technical debt accumulates in custom application architecture built to meet feature deadlines rather than maintainability standards; the application that processes 40% of revenue runs on a framework version that reached end-of-life three years ago. API dependencies create integration risk that only becomes visible when the acquirer attempts to migrate the target's customer data into its own platform. Open-source vulnerabilities in dependencies that were never scanned create liability that wasn't captured in the software composition analysis that the target's CTO believed was current. Developer workstations with exposed credentials and secrets represent an attack surface that penetration testers routinely find within the first hour of an engagement.

47 SaaS apps on average in tech companies

Key challenges

Multi-cloud environments where Azure, AWS, and GCP are used simultaneously with no centralized visibility or cost management
Shadow IT built by engineering teams using corporate cards and never reported to IT procurement — averaging 47 SaaS applications per tech company
Technical debt in custom applications built on deprecated frameworks with unknown vulnerability accumulation
API-first architecture with complex integration dependencies between services that break when either endpoint is modified
Open-source library vulnerabilities (Log4Shell, Spring4Shell, and 100+ other disclosed CVEs) that scan reports marked as "acknowledged" but unpatched
Developer workstation security with exposed AWS keys, GitHub tokens, and database credentials that live in environment variables

ACQI covers

Multi-cloud discovery across Azure, AWS, and GCP using cloud-native APIs to build asset inventory without credential scanning
SaaS shadow IT identification via network traffic analysis and SSO integration logs, finding applications engineering teams use that IT doesn't know about
Application portfolio technical debt scoring using industry benchmarks from the NIST BSIMM framework, prioritized by revenue impact
API dependency mapping using traffic analysis and OpenAPI schema discovery to document integration points before migration planning begins
Open-source vulnerability scanning across all application repositories using SBOM generation and CVE correlation to your specific dependency tree
Developer credential and secrets audit using CI/CD pipeline analysis and environment variable extraction, identifying exposed credentials before attackers do

Professional Services

Professional services firms sell expertise and judgment — and their IT systems store the client data, communication, and work product that represent years of accumulated professional knowledge. When a law firm, consultancy, or accounting practice is acquired, the data assets carry confidentiality obligations that go beyond standard IT governance: attorney-client privilege, work product protection, and regulatory requirements from bodies like the SEC, FINRA, and state bar associations. Client audit rights in vendor contracts create exposure that most acquirers don't discover until post-close. A professional services firm's document management system — whether iManage, NetDocuments, or a homegrown equivalent — controls access to client matters that represent the firm's entire revenue base. Email and Teams communications contain privileged content that requires specific handling in any data migration. Conflict of interest systems, which should prevent the firm from representing adverse parties, depend on IT infrastructure that frequently has gaps in data separation.

30-40% of SaaS in PS firms is shadow IT

Key challenges

Client data spread across 15-30 SaaS applications — LinkedIn, Salesforce, HubSpot, practice management, document management — with incomplete Data Processing Agreements
Document management systems with complex access control structures that grant access by matter, role, and user with no centralized visibility into who has access to what
Email and Teams containing privileged communications that require special handling during any system migration or integration
Client matter separation requirements that depend on IT controls but have never been tested or audited for conflict escape scenarios
Professional liability insurance applications that ask for IT security posture representations that the firm cannot substantiate with evidence
Client audit rights in vendor contracts that require evidence of security controls, ISO 27001 certification, and SOC 2 reports that may not exist or may have expired

ACQI covers

Client data inventory across all SaaS platforms using a DPA analysis tool that identifies gaps against GDPR, CCPA, and state bar requirements
Document management system access audit for iManage, NetDocuments, and Worldox with matter-level access mapping and departed user analysis
Email security and DLP assessment for Outlook and Teams with content classification that identifies privileged communications before migration
Conflict management system IT dependencies mapped against leading conflict checking platforms (Intapp, Foundation, CMS) with data separation testing
Vendor contract GDPR/DORA compliance review for all third-party processors with data flow mapping and cross-border transfer mechanism documentation
Client audit rights remediation roadmap with ISO 27001 and SOC 2 gap analysis, prioritized by client contract renewal dates and revenue impact

What's your industry?

Tell us what you're working on and we'll show you the ACQI modules that address your specific IT complexity.