LogMeIn – to increased audit risk?

LogMeIn may be familiar to you as a provider of remote support access software across the internet. What may be less well-known is that they also own GoToMeeting (web-conferencing) (formerly a Citrix offering) and LastPass (password and credential management). LogMeIn announced on December 17th, 2019 that they’ve been acquired by private equity partners Francisco Partners & Evergreen Coastal, with the deal due to complete by mid-2020.

Why ITAM practitioners should be wary

Why does this acquisition matter? Well, Francisco Partners were intimately involved with Attachmate, a long-term source of audit pain for many organisations. Evergreen Coastal are wholly owned by Elliott who have investment relationships with similarly audit-favouring publishers such as Quest & Symantec. In the case of Quest, Elliott partnered with Francisco to purchase it and a number of other software publishers from Dell in 2016. Elliott & Francisco also maintain substantial minority holdings in Microfocus, current owners of Attachmate and Novell’s legacy product stack – with Attachmate especially also known to enjoy a good audit!

Elliott have a reputation for being activist investors – meaning that rather than just taking a trading stake in a company for short-term gain, they seek to directly influence strategy. In particular, they target companies with relatively flat revenue growth and exert pressure to change that, with the aim of spinning-off profitable divisions and products to private equity buyers. Indeed, Evergreen Coastal was set up in part to do just that – provide a final destination for some of Elliott’s acquisitions.

Clearly, if Elliott are focused on growing revenue, the easiest way they can do that for a legacy, low-growth product offering is to milk existing customers, and aggressive use of audit clauses can be a quick win. GoToMeeting, acquired in a complex tax-efficient transaction from Citrix in 2016, contributes around 90% of LogMeIn’s revenue and is under significant market pressure from new entrants such as Zoom.

Managing legacy software

Software that’s been around for a while but is perhaps no longer used, particularly in larger organisations, can be a considerable source of financial and reputational risk. I encountered this when discovering and mitigating risk related to the Symantec products PCAnywhere & NetBackup. This was software that hadn’t been used for many years but was still installed in datacenters that had grown considerably in the interim, generating a potential non-compliance risk.

Software such as this is likely to be in the “long tail” of publishers that busy ITAM teams don’t pay too much attention to because they’re too busy looking after Tier 1 vendors or influencing the latest strategic software investments. That doesn’t mean that there isn’t a risk and I’d imagine that’s what caught out many who ended up having an expensive audit experience with Attachmate.

For LogMeIn & GoToMeeting there is also the risk posed by Shadow IT to be considered. These products are primarily delivered as SaaS, and as such could be acquired and used by anyone in an organisation without due diligence having been carried out by ITAM, Procurement, and Legal.

Take action now

With this deal not completing until mid-2020 now is the time to conduct a risk assessment of your estate. A non-exhaustive list of LogMeIn products is available here – https://en.wikipedia.org/wiki/LogMeIn#Products. Fortunately, many of these products will have locally installed components which should make it relatively straightforward for your existing toolsets to discover and inventory. Once you have an idea of the size of your estate, check your entitlements and audit clauses in order to estimate the size of the potential risk. Current LogMeIn terms are available here – LogMeIn Service Descriptions – pay particular attention to the definition of “Use Levels” in the first paragraph.