
Thursday, 3 September 2015

Reducing risks in VC investments Part II: investing in software

Here's the second part of a two-part feature on venture capital, risk and investment, by Martin Callinan (Source Code Control) and Kate Andreeva (Protecode). Their first post dealt with general issues regarding due diligence. The sequel, below, focuses on the special issues facing anyone thinking of investing in innovative software.

Technology risk
[Image caption: Not just the software: the business strategy must be robust too]
Following the strategy review comes a technology review. In the case of a software-driven enterprise, the focus is typically on the ability of both the software and the development team to deliver on the product roadmap in line with the investor’s timelines. There will be a detailed review of the software architecture, code quality, software engineering quality, scalability, and robustness. 
If the company is a software start-up, an expected pre-requisite is that software development leverages open source software. There may well be valid reasons why a start-up would not use open source software but, in the due diligence of a deal flow, the start-up will need a clear and strong justification as to why open source software has not been used.
The reality is that many young companies do not understand the value of intellectual property and the risks that can be engineered into software applications. The types of risks that investors will look for are:
  • Software architecture, scalability, and extensibility
  • Exposure to third-party platforms
  • IP value: an objective view of the software’s unique value in the market
  • IP and patent evaluation – are there any patent infringements?
  • Third party dependencies
  • Open source software risk exposure
To identify these technology risks, typically a third party specialist will be contracted to perform a source code review. This review can be initiated by the technology organisation before seeking investment, by the VC or private equity organisation as part of the due diligence process, or both. If the organisation goes into a funding exercise without visibility of the quality of their code and associated risks, there is a good chance that investors will view the investment as risky, regardless of the functionality of the technology in question.
Why due diligence should include an independent source code review
Apart from identifying current issues in the source code, such as licensing irregularities, problematic intellectual property, or potential security vulnerabilities in software components, which typically can be remedied, reviewing the source code can identify inefficiencies and flaws in the development process.  It can also identify the need to have a proper code inspection process during the development cycle, thus eliminating problems before they arise. 
It may be appropriate to create an open source software adoption process with proper tooling, which can help lower compliance costs, not to mention minimising disruptions during key transactions. Similar to bugs in software, it is far more efficient and cost-effective to catch issues early. 
Before discussing source code reviews it is important we are clear what we mean by “source code.” 
What is source code? 
Source code is a set of programming language statements and commands a software developer creates that becomes part, or all, of the applications that a website or device runs. There is a plethora of languages used by developers, such as C, C++, C#, Java, or scripting languages such as JavaScript, PERL, Python, or PHP. The source code is compiled into an executable which the target device will execute.
What is a code review or audit? 
A code review or audit should be performed by an independent third party specialist. VC and private equity firms are unlikely to have these skills in-house. A software company seeking investment is however likely to have somebody in-house with the skills needed to perform the review – but that person may not be able to produce a reliable and objective report. 
Why is a code review imperative? 
Developers today rarely code a complete application from scratch. Applications are made up of components of code from a variety of sources which are stitched together to create the finished application. This makes for dynamic and agile development, but with it comes a number of inherent risks. Each component will have a number of attributes, such as how it is licensed and its version. 
Outside of the function of the application(s), investors need to have details of the make-up and provenance of the code components in the following areas: 
  • Intellectual property and licensing
  • Security of the software
  • How the software will be maintained and supported
  • The capabilities and maturity of the components being used
  • Ability to integrate with other applications
  • Quality of the components that make up the application
  • Innovation – whether the application can be evolved over time
  • Viability of the open source community around the components being used
Fundamentally, the review boils down to assessing the overall quality and consistency of the code. The source code is an indicator of the quality of the organisation seeking investment. Software development is a creative exercise and developers should be allowed to express their personal style and approach, but in line with the organisation’s standards which all developers should follow. 
The code audit process 
First, a non-disclosure agreement (NDA) must be in place between the reviewer and the organisation. Once the NDA is in place, the reviewer will question key stakeholders in the organisation to ensure there is a clear understanding of the reasoning behind the audit and the organisation’s environment, such as the size of the portfolio, languages, and tools in use, particularly any automatic code generators. A Statement of Work is then produced and agreed upon. This includes:
  • A breakdown of the software portfolio into audit segments 
  • Full automated source code scanning, analysis, and reporting 
  • Resolve copyrights, standard headers, and author tags discovered in the portfolio 
  • Analyse, verify modules, and issue regular audit progress reports 
  • Quality review and sign off of licensing and copyright attributes of every software file in the software portfolio 
  • Delivery of audit report(s), review of the reports.
The report will be reviewed and signed off by the organisation's management. Once signed off, the final reports will be completed and delivered to the organisation. The reports will include:


  • Audit Report: a high level executive report, containing information and graphic representation of licences, copyrights, OSS projects, security vulnerabilities, and encryption content within the software portfolio.
  • Overview Report and Detailed file-by-file Reports: verified machine-generated reports on the software portfolio. The overview report should be delivered in pdf format. A detailed file-by-file report should be delivered in CSV (readable by Microsoft Excel application) format.
  • Concatenated Licence List report: containing a consolidated text of all available licences within the software portfolio in pdf format.
  • Security Vulnerability Report: a cross reference of all security vulnerability information as reported by the National Vulnerability Database in pdf format.
  • Encryption Report: a list of open source software projects detected in the portfolio that could be subject to export control, in pdf format.
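To make the automated scanning step and the file-by-file CSV report concrete, here is an added example; it is not part of the original post and is not the authors' tooling. It pulls SPDX licence identifiers, copyright notices and author tags from file headers. The sample files, the 30-line header window and the escalation list are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample portfolio (path -> file text); stands in for a real source tree.
SAMPLE_PORTFOLIO = {
    "src/app/main.py": (
        "# Copyright (c) 2015 Example Startup Ltd\n"
        "# SPDX-License-Identifier: MIT\n"
        "print('hello')\n"
    ),
    "src/vendor/parser.c": (
        "/*\n * Copyright (C) 2009 Jane Doe\n"
        " * SPDX-License-Identifier: GPL-3.0-only\n"
        " * @author Jane Doe\n */\nint parse(void);\n"
    ),
    "src/util/helpers.js": "// @author contractor@example.org\nfunction f() {}\n",
}

HEADER_LINES = 30  # assumption: attribution lives in the first lines of a file
# Assumption: licence families this hypothetical review escalates to counsel.
ESCALATE_PREFIXES = ("GPL-", "AGPL-", "LGPL-")

FLAGS = re.IGNORECASE | re.MULTILINE
SPDX_RE = re.compile(r"SPDX-License-Identifier:[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", FLAGS)
COPYRIGHT_RE = re.compile(
    r"Copyright[ \t]+(?:\(c\)|©)?[ \t]*(\d{4}(?:-\d{4})?)[ \t]+(.+?)[ \t]*$", FLAGS)
AUTHOR_RE = re.compile(r"@author[ \t]+(.+?)[ \t]*$", FLAGS)
FIELDS = ["path", "licence", "copyright", "authors", "finding"]


def scan_file(path, text):
    """Extract licence, copyright and author attributes from one file header."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    spdx = SPDX_RE.search(head)
    licence = spdx.group(1) if spdx else ""
    holders = ["%s %s" % m for m in COPYRIGHT_RE.findall(head)]
    authors = AUTHOR_RE.findall(head)
    if not licence and not holders:
        finding = "UNATTRIBUTED: no licence or copyright header"
    elif not licence:
        finding = "REVIEW: copyright notice without a licence"
    # Only the leading identifier is checked; compound expressions need a parser.
    elif licence.upper().startswith(ESCALATE_PREFIXES):
        finding = "REVIEW: copyleft licence, check distribution terms"
    else:
        finding = "OK"
    return {"path": path, "licence": licence, "copyright": "; ".join(holders),
            "authors": "; ".join(authors), "finding": finding}


def build_report(portfolio):
    """Return one row per file, sorted by path, for the file-by-file report."""
    return [scan_file(p, portfolio[p]) for p in sorted(portfolio)]


def to_csv(rows):
    """Serialise the rows as CSV text that a spreadsheet can open."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_report(SAMPLE_PORTFOLIO)))
```

Files with no header at all are the rows that need manual provenance work, which is why they get their own finding rather than being silently skipped.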
About the authors
Martin Callinan has over 20 years’ experience in the software industry with a focus on Software Asset Management, IT Governance, and risk avoidance. He is currently the director at Source Code Control. Martin contributed to Working Group 21, the group responsible for authoring Standards relating to Software Asset Management, such as ISO/IEC 19770-1. In the past, he worked for Microsoft Limited, FrontRange Solutions, Centennial Software, Snow Software, and Express Metrix Limited.

Kate Andreeva is the Director of Solutions at Protecode and has over 15 years’ experience in the technology industry as an engineer and sales professional. With a background in electrical engineering and software development, Kate has honed her skills at companies including Performance Technologies, Level Platforms, Klocwork, and Coverity.

Wednesday, 2 September 2015

Reducing risks in VC investments Part I: risk and due diligence

[Image caption: If only ...]
Here's the first part of a two-part feature on venture capital, risk and investment, by Martin Callinan (Source Code Control) and Kate Andreeva (Protecode). This post deals with general issues regarding due diligence, which this blogger regards as a small headache that one suffers in order to avoid a heavy hangover at a later stage. The second post, which will be published tomorrow, focuses on the special issues facing anyone thinking of investing in innovative software.
What should be included in the due diligence process?
The rapid pace of innovation in the technology sector attracts both venture capital (VC) and private equity investment into UK companies, with the bulk of investment in London-based organisations. The first quarter of 2015 saw London technology smash previous funding records. The amount raised by London companies comprises 80% of all UK companies with a value of $856.7m. With the technology sector being so buoyant, investors are inundated with deal flow, which influences the way investors exercise risk assessments. Early stage investors would review a few good companies each week. With such a competitive landscape, the challenge for technology entrepreneurs is getting the attention of investors. Key to this is clearly presenting the company’s strategy. A solid business plan is important but, if the overall strategy is weak, investment is unlikely to result.
Risk versus reward 
VCs are cautious with their investment money with good reason. Generally, they take enormous risks on untested ventures which they hope will eventually transform into the next big thing. With mature organisations, the process of establishing value and the prospect of a sound investment is reasonably straightforward, as there is a track record of sales, profits and cash flow. With early stage ventures, VCs will delve deeper into the business, the opportunity, and the underlying technology behind the business.

Key considerations by late round investors include:
  • Management: who is the team behind the organisation and what is its track record? 
  • Size of market: demonstrating the target market opportunity which will indicate the returns investors might expect from any investment. 
  • Product quality: investors want to invest in a great product with a competitive edge that is long-lasting and sustainable. 
  • Current revenue status of the early stage company. 
  • Generation of actual and pipeline sales prior to any investment. 
  • The risks: VCs take on risk; their skill as investors is understanding all risks and making fully informed decisions for a successful outcome. 
The entrepreneur needs to understand that not all money is the same and not all funding sources are equal. The entrepreneur must carefully consider the implications which may follow from the investor and other requirements of various financing sources. Some examples:
  • Require board member status for investors.
  • Require the employment of advisors.
  • Require the creation of an advisory board.
  • Investor invests and observes, but does not play an active role.
Business risk 
The business risk investors look at will depend on whether it is an early stage investment or a late round investment. 
The skill of early stage investment funds is being able to identify the potential of a technology even if the product (today) is not right or needs significant evolution to become successful. This way allows an early stage investor to maximise its return while minimising its initial investment. 
Outside of the technology, early stage investors will view the current revenue status of the early stage company to decide which investment fund(s), if any, the company would fit into. 
Late round investors would, by nature of the investment, seek clarity in the company’s business plan, which would include:
  • Is this the right product for today and the future?
  • Is there enough money in the fund to fully meet the opportunity?
  • Is there an eventual exit from the investment, a chance to see a return?
  • What are the regulatory or legal risks?
About the authors

Martin Callinan has over 20 years’ experience in the software industry with a focus on Software Asset Management, IT Governance, and risk avoidance. He is currently the director at Source Code Control. Martin contributed to Working Group 21, the group responsible for authoring Standards relating to Software Asset Management, such as ISO/IEC 19770-1. In the past, he worked for Microsoft Limited, FrontRange Solutions, Centennial Software, Snow Software, and Express Metrix Limited.
Kate Andreeva is the Director of Solutions at Protecode and has over 15 years’ experience in the technology industry as an engineer and sales professional. With a background in electrical engineering and software development, Kate has honed her skills at companies including Performance Technologies, Level Platforms, Klocwork, and Coverity.

Thursday, 4 December 2014

IP Issues in Mergers and Acquisitions: Any Recent Examples of Due Diligence Failures Involving IP?

Corporate Counsel has published a pair of informative articles concerning due diligence and intellectual property. The first article is titled, “Identifying IP Risks in M&A and Tech Joint Ventures: Beyond the Data Room”, by Anne Cappella, Charan Sandhu and Brian Chang of Weil, Gotshal and Manges. The second article is titled, “The Financial Impact of IP Issues in M&A,” by Steve Ball and Jon Winter of St. Onge Steward Johnston & Reens. Both articles provide useful advice designed to help counsel avoid missing intellectual property issues during due diligence. The overarching message is that corporate counsel should include intellectual property specialists in any due diligence of a potential target. Both articles raise specific points that should be considered such as: proactively examining a target’s competitors to ascertain whether patent trolls have litigated against the target’s competitors to determine if your target is next; considering potential trade secret misappropriation actions by competitors of the target based on new hires by the target; ensuring that third parties who have worked with the target have not improperly claimed intellectual property possibly owned by the target; having clear title to intellectual property; and properly recording title. The second article provides a couple of examples where intellectual property counsel were not consulted or there were intellectual property issues missed in the due diligence. One problem involved Rolls Royce and BMW:

[I]n 1998 the Volkswagen AG Corporation purchased the automobile assets of the bankrupt Rolls-Royce Motor Cars Limited for $790 million, with the value of the physical assets estimated at $250 million. Volkswagen was unaware that Rolls-Royce’s trademark rights were subject to a nontransferrable license from Rolls-Royce Aircraft. Volkswagen purchased the plant, the machinery and the automobile designs from Rolls-Royce, but only learned after the deal that the purchased assets did not include the Rolls-Royce® trademark. So while Volkswagen was able to build the car, it could not brand it with the famous trademark. BMW then acquired the trademark rights for $65 million from the bankrupt Rolls-Royce Aircraft and forced Volkswagen to concede the brand, resulting in a huge windfall for BMW.

The most recent example included Apple’s acquisition of Beats Electronics:

Apple Inc. agreed to acquire Beats Electronics for $3 billion. In doing so, Apple purchased an infringement suit by Bose Corporation, which owns a number of patents directed to noise-cancelling headphones. After the deal was announced, Bose filed infringement suits in district court as well as at the International Trade Commission seeking to ban imports of the Beats headphones into the U.S.
I have to imagine that Apple’s counsel knew they were likely to be sued by Bose Corporation.  Are there any more recent public examples of IP failures in the due diligence before merger or acquisition with a target company? 

Friday, 12 September 2014

When clinical trial data is fudged; woe to the company or woe to the industry?

When I think of clinical test data, my attention is usually drawn to the controversial Article 39.3 of the TRIPS Agreement, which affords protection for confidential regulatory data in industries such as pharma and agrochemicals. Article 39.3 provides as follows:
“Members, when requiring, as a condition of approving the marketing of pharmaceutical or of agricultural chemical products which utilize new chemical entities, the submission of undisclosed test or other data, the origination of which involves a considerable effort, shall protect such data against unfair commercial use. In addition, Members shall protect such data against disclosure, except where necessary to protect the public, or unless steps are taken to ensure that the data are protected against unfair commercial use.”
However, the issue of trial data in the context of regulatory approval took on an entirely different meaning this week when it was announced that a U.S. company, Hyperion Therapeutics, was cancelling its agreement to acquire the Israeli company Andromeda Biotech. Andromeda has been developing a Type 1 (juvenile) diabetes drug (DiaPep 277). The value of the deal, which was announced a half-year ago, would have reached $570 million plus additional payments of royalties. As a part of the arrangement, Hyperion also undertook to fund Andromeda’s continued R&D activities. The primary beneficiary of the deal was Clal Biotechnology Industries Ltd, the controlling shareholder of the company. A first payment of $20 million in cash and shares had already been made.

What was the reason for the cancellation of the transaction? As reported by Globes, a leading Israeli business newspaper, Hyperion advised that it had “uncovered evidence” that Andromeda employees had falsified certain clinical trials of the drug. More particularly, it is reported that Andromeda conspired
“with a third-party biostatistics firm in Israel to improperly receive un-blinded DIA-AID 1 trial data and to use such data in order to manipulate the analyses to obtain a favorable result.” Hyperion further stated that “[a]ll of these acts were concealed from Hyperion and others.”
Shares of both Hyperion and Clal Biotechnology nosedived in the aftermath of the disclosure.

What is both interesting and curious is that questions had already been raised about both the value of the transaction and the propriety of the company’s trial data. As for the price tag of the acquisition, Globes observed that “there were some who raised their eyebrows and wondered why the product was being sold at a relatively low price, earlier than expected, to a relatively unknown partner.” In light of recent developments, as observed by Globes, “the question arises whether other companies ran away from the deal after seeing Andromeda’s data.” Indeed, it is reported that rumors had already circulated in the past regarding what was termed “inconsistencies” between previously obtained trial results.

An interesting comment in this respect was reportedly made by Mr Mori Arkin, a well-known investor, who often teams up with Clal Biotechnologies in investing in the biotech sector. Arkin is quoted as saying:
“There is no need for us to rebuke ourselves too much – neither the Israeli company nor the biomedical industry as a whole. The acquiring company, Hyperion, is not a large company. The data had these weaknesses from the beginning, and large companies probably realized it. If Hyperion overlooked weak points in the data, it’s their mistake, not that of the other side, and it’s not nice to make such unilateral accusations. It’s the court’s job to do that after a claim, and it’s not acceptable to lash out and damage the reputation of various parties.”
Arkin’s comments are particularly intriguing because they seem to place the burden for the failure to understand the problems with the trial data, at least in the context of the acquisition, on the acquiring party. In particular, it is suggested that the acquiring company (as a “small” company) did not carry out “proper” due diligence, in contrast with other, unnamed larger companies, which would likely have picked up on the “weak points of the data.” If Arkin is correct that size so matters in an acquirer’s ability to investigate a biotech target properly, especially when questionable data are at issue, this is a matter of material concern, giving new meaning to the term “caveat emptor” and raising a red flag on the ability of “smaller” biotech companies to carry out proper diligence in connection with acquisition activity.

Alternatively, however, perhaps what is taking place is an attempt by a major investor in the field to deal with a threat to the broader perception of the integrity of the entire industry, at least within the Israeli context. What better way to confront this challenge (and presumably protect one's investments in the area) than to suggest that culpability lies not with the company and the ecosystem of the industry but with the acquiring company? The first class action suit has already been filed against Clal. Clearly, though, sorting out what really happened has only begun.