Caveat Emptor: the risks you can't see will hurt the most
This is the second of three blog posts to highlight Noremo’s approach to Tech Due Diligence — the opportunities and the pitfalls. Here we focus on what Buy-Side investors must understand before they sign.
The Most Overlooked Risk in Private Equity
As spring approaches, Private Equity teams shift gears — from the strategising of the winter months to the execution of investment action plans for their priority targets. Deal teams review reams of documents in data rooms, investment principals meet management teams, and some may even visit target company sites in person.
Technology is one of the least well-understood yet truly critical success factors for determining a company’s future prospects. Commercial Due Diligence, Financial Due Diligence and Legal Due Diligence are well-understood disciplines for people with Corporate Finance and Legal backgrounds — the very same people who dominate senior positions at most PE funds. Yet Tech Due Diligence is too often treated as a necessary but inconsequential tick-box exercise, handed to a junior consultant from one of the same Big Four accountancy firms engaged to do everything else.
This is a mistake. Technology forms a vital foundational pillar for pretty much every business in every kind of industry.
Marc Andreessen made his now-famous observation that software was ‘eating the world’¹ back in 2011. Since then, the layers of technology inside every business have continued to rise. Companies merge or get acquired; systems and processes get duplicated — and confused. Legacy systems almost never get replaced or switched off. The result is a compounding architectural complexity that most PE investors simply do not see until it is too late.
The Techno-Archaeologist’s View
Think of it this way. Future techno-archaeologists will look back at the enterprise technology estates of the 2020s the way real archaeologists approach the excavation of an ancient Roman ruin — brushing back layers of mud and stone to reveal what was built on top of what, and why. Each layer tells a story. Each interface between old and new represents a moment when someone decided to bolt rather than rebuild. Each legacy system still running in the background is a weight the business carries forward.
Those layers of technology all add cost to the Income Statement. But far worse, they massively slow down a company’s ability to evolve — to design, integrate and deploy new platforms at speed. Whether that’s launching into a new geography, rolling out a new product line, or adding a subscription service alongside an existing revenue model, every one of those ambitions depends on the underlying tech estate being fit for purpose. The PE investor who does not properly excavate those layers before signing the deal is the one who will still be managing the dig three years into their ownership.
When the Infrastructure Collapses: The Maersk Story
Consider what happened to Maersk — the world’s largest container shipping company — in June 2017. NotPetya, a piece of malware originally deployed as a cyberweapon, spread without warning into Maersk’s global network. Within hours, computer screens went dark across the company’s Copenhagen headquarters. Terminals in 76 ports came to a standstill. Entry systems and phone networks stopped working. The company simply shut down.²
It took Maersk ten days to rebuild its network from scratch — replacing 4,000 servers and 45,000 PCs. The company’s chairman later told the World Economic Forum that the biggest cost was not the hardware: it was the lost business. Total damage: an estimated $250–300 million in a single quarter.³
Maersk is not a technology company. It is a shipping company. But every company is now a technology company — whether its leadership accepts that reality or not. The NotPetya attack did not discriminate. It exploited the same unmanaged legacy infrastructure, the same patching gaps, the same absence of robust business resilience planning that you will find in hundreds of mid-market businesses right now, quietly waiting for an acquirer who does not look closely enough.
For any buyer in the middle of Due Diligence on a business like Maersk at that moment, the deal would have collapsed overnight. The business had value. The hidden vulnerability destroyed it.
When the Migration Fails: The TSB Story
Technology risk is not only a cyber story. It is an integration story too — and that matters enormously in a PE context where post-acquisition value creation almost always depends on systems being combined, migrated or replaced.
In April 2018, TSB Bank attempted to migrate its 5.2 million customers from a legacy Lloyds Banking Group platform onto a new system developed by its Spanish parent company, Sabadell. It was supposed to happen over a weekend. Instead, 1.9 million customers were locked out of their accounts. There were data breaches, payment failures, and in some cases customers could see other people’s account details.⁴ The disruption persisted for weeks; some customers were still affected in December 2018.
The financial consequences were severe. Total costs ultimately exceeded £400 million — nearly double the original budget for the project.⁵ TSB’s CEO resigned. The bank was subsequently fined £48 million by UK regulators for failing to meet basic operational resilience standards.⁶
What a competent Tech DD process would have uncovered — had one been rigorously applied to the migration plan — was the catastrophic underestimation of system complexity, the inadequacy of testing, and the absence of any credible rollback plan. These are not exotic risks. They are the kind of risks that experienced technology professionals identify every day. They require someone who knows what they are looking for, and who has the seniority to be taken seriously when they raise the alarm.
The AI Question: Separating Signal from Noise
In 2026, a new layer of complexity has been added to the buy-side challenge. AI.
In every second data room, a sell-side investment banker is now proclaiming that their client is “AI-first and AI-forward.” It is the phrase of the moment. Stock market analysts are openly debating whether AI will begin to erode the high-margin recurring revenues of established SaaS platforms² — hence the recent pressure on listed software valuations. But for the businesses actually up for sale in 2026, the picture is far more nuanced and demands greater scrutiny than a slide deck allows.
There are three questions every buy-side investor should be asking — and that only a qualified Tech DD team can answer honestly.
First: is the AI capability real, or is it rented? There is an enormous difference between a business that has built proprietary AI models trained on its own proprietary data — genuinely defensible competitive IP — and one that has put a wrapper around a third-party large language model API and called it an AI product. The former can represent a significant source of durable value. The latter can be replicated by a competitor in weeks, and the margin sits with the model provider, not the business you are buying. During Tech DD, Noremo will assess model ownership, architecture, training data provenance and API dependency to establish which kind of AI capability you are actually acquiring.
Second: is the underlying data estate fit for purpose? AI is only as good as the data it runs on. A company can have the most sophisticated AI ambitions imaginable, but if its core data is fragmented across a dozen incompatible systems, inconsistently labelled, poorly governed and riddled with duplicates, none of those ambitions will be achievable within your investment timeframe. In our experience, data quality is the single most common gap between the AI story told in the management presentation and the AI reality uncovered during diligence.
Third: is there any AI governance in place? Regulatory pressure on AI is accelerating fast. The EU AI Act is already in force for high-risk applications. In the UK, the FCA has made clear that firms deploying AI in regulated activities will be held accountable for outcomes — not just intentions. A business that is deploying AI tools with no governance framework, no model audit trail and no accountability structure is carrying material regulatory risk. That risk will land on you as the new owner.
Avoiding Confirmation Bias on the AI question is just as important as the analysis itself. When a management team presents a compelling AI story, and your own investment thesis is built on a technology transformation narrative, the temptation is to believe what you want to believe. A rigorous, independent Tech DD process is your protection against that instinct.
Don’t Get Distracted by the Pretty Picture
Like the house buyers guided by a real estate agent on a sunny spring morning, it is easy to be dazzled by the surface presentation and miss the structural cracks underneath. The vendor has had months to prepare their story. Your window to look beneath it is measured in weeks.
Engage specialists who bring 25+ years of real-world technology and consulting experience. Who have sat in the CIO and CTO chair inside portfolio companies and understand what the pressures of that role look like from the inside. Who have been working with AI for over a decade and know how to separate genuine capability from marketing narrative. Who know how to peel back those layers of techno-archaeology, surface the hard-to-spot risks, and assess Tech team capability and culture — not just the systems themselves.
And who can carry that insight forward into the critical 100 days after deal completion, providing expert input to your Value Creation plan before the window to act is at its narrowest.
That is what Noremo does. That is why Tech DD deserves to sit alongside Commercial, Financial and Legal as a first-class discipline in every serious buy-side process.
References
¹ Andreessen, Marc. “Why Software Is Eating the World.” a16z.com, August 2011
² “Software Ate the World. Now AI Is Eating Software.” Business Insider, February 2026
³ “Throwback Attack: How NotPetya Ransomware Took Down Maersk.” Control Engineering, 2025. Maersk CEO Soren Skou confirmed $250–300m in lost Q3 2017 revenue. Chairman Jim Hagemann Snabe confirmed at the World Economic Forum that Maersk replaced 4,000 servers and 45,000 PCs.
⁴ “TSB Migration Disaster: How to Avoid a CIO’s Costly Mistake.” Ekco, December 2024
⁵ “TSB Bank IT System Migration Problems.” DocImpress
⁶ “TSB Bank Fined $62m for a Failed Mainframe Migration.” Futurum Group, 2022
Image credit: Google Gemini - Nano Banana Pro
