Don’t buy a breach or a bad reputation: A more effective approach to M&A due diligence

Companies invest significant time and energy to integrate networks and applications after an acquisition. However, the acquiring IT, security and intelligence teams rarely have the resources or internal processes to perform investigative diligence on a target before an acquisition. Being able to do so would enable them to better manage risk.

Questionnaires, interviews and cyber due diligence are commonly employed, but these efforts are typically only started after a letter of intent (LOI) is in place, and access to the organization and its networks is granted. In many cases, regulatory approvals may delay this access and information sharing even further. What results is a process that is often rushed and suboptimal.

As the M&A market accelerates, acquirers must change this dynamic to speed up the due diligence process and ensure any risks associated with cybersecurity posture, company reputation and key personnel are identified, evaluated and addressed early in the process.

Here are five key steps to a more timely and effective approach to M&A due diligence:

Be prepared with an action list on day one, not day 30

Due to constraints or the rushed nature of traditional diligence, companies often discover risk on day one, when the deal closes.

It is possible to understand material risks early in the process through technical and intelligence-driven diligence. This enables acquirers to better evaluate the opportunity and to have integration teams equipped to manage accepted risk on day one.

You can begin intelligence-driven investigation and evaluation much earlier without needing network access or information sharing. This approach is increasingly being used to validate, or even replace, questionnaires and interviews. The key is to add open source intelligence (OSINT) to the due diligence process. OSINT is based on publicly available information and can include both freely available and licensed sources.

By using OSINT and initiating due diligence from “outside the firewall,” acquirers and their enterprise data decision-makers can begin their investigation at any point in the process, including in the target identification phase. Since it doesn’t require information sharing or access to the target’s applications and networks, initial evaluations can also be completed much faster than traditional cyber diligence, often within a couple of weeks.

Identify stakeholders and manage the OSINT process

Once an organization decides to enhance its diligence process with OSINT, it is important to identify the individuals or organizations that will manage the process. This depends on the size of the organization, as well as the prevalence and complexity of the risks involved.

In any case, the risks and areas of concern should be defined through a collaborative effort between the investment or corporate development team and the security team.

In most organizations, OSINT and related cyber intelligence will be led by the chief information security officer (CISO). While OSINT brings capabilities beyond the confidentiality, integrity and availability of systems and data (often referred to as the “CIA Triad”), the CISO’s team is usually best positioned, with the technical and engineering knowledge needed to collect, evaluate and analyze OSINT and related technical findings.

Additionally, corporate counsel is usually involved to assess legal risk and support the overall risk management for the organization.

Organizations with a broader intelligence capability may have dedicated teams that address different components of the risk. These organizations can leverage much deeper OSINT investigations but also need to ensure coordination among the different teams involved, such as:

  • Corporate or physical security teams may address protective intelligence risk to people, assets or facilities.
  • Global investigation teams may address insider threats often in collaboration with the CISO’s organization.
  • In technology platform companies, trust and safety teams defend against fraud and abuse, protecting the platform and the participants on it.
  • Marketing organizations can leverage OSINT to understand and address negative sentiment and misinformation.
  • Corporate development or a representative on an investment committee can determine the business impact on a transaction.

Evaluate the three key areas of “outside the firewall” cyber risks

Cybersecurity risk

Investors and acquirers are usually concerned with identifying specific vulnerabilities in a target company’s network and infrastructure. The discovery of previously unknown cyber incidents affecting the target company could present material business risk or disqualify it from obtaining representations and warranties insurance to offset additional risks.

Leaks of customer data and indicators of current or past breaches, including malware infections, security misconfigurations and exposed passwords, can all be identified through a combination of OSINT, the proper tools and expert analysis.

By looking at the external internet footprint of a company, you can learn a great deal about its security posture and the technology choices it has made, including its technology hygiene — is it running current versions? Are patches being applied? Is there vendor sprawl?

Many facets of a company can be the target of threat actors, and it is important to determine if companies, their key data or their individuals have been compromised. OSINT can identify risk factors that include breached credentials, exploitable software, stolen intellectual property and chatter on social media platforms and closed forums related to past, current or future attacks targeting the company.

Cybersecurity risks that can be identified and evaluated using an “outside the firewall” approach include:

  • The number of reported infections and remediations over the last year, according to external telemetry.
  • The severity of vulnerabilities in systems exposed to the internet.
  • The likelihood of an access vector into the network via an exploit against a vulnerable exposed service.
  • Gaps between technical diligence findings and what traditional diligence documents for the internet-facing architecture.

Reputational risk

Too often, people think of threat actors and attacks solely in the realm of cybersecurity. Looking beyond cyber risks, OSINT tools, coupled with knowledge of public records and the surface, deep and dark web, allow those concerned with company reputation, including legal and marketing decision-makers at the acquiring firm, to assess whether acquisition targets have excessive exposure or risk related to their brand or product reputation.

It’s not uncommon to find attacks against companies or brands. Senior executives and network administrators are also often the targets of bad actors. By systematically using OSINT tools to identify and investigate these threats, threat data can be provided to physical security and corporate protection teams, and action can be taken before problems arise.

Reputational risks that can be identified and evaluated using an “outside the firewall” approach include:

  • Exposed credentials, including on the dark web, forums and technical sites.
  • Leaked source code on third-party repositories. Can an actor take advantage of vulnerabilities and gain access to a network?
  • Negative sentiment toward executives and the company.

Non-traditional business risk

Non-traditional risks can also be discovered digitally through publicly available information and provided to stakeholders. By gathering and aggregating relevant, potentially sensitive information about an acquisition target, investors can identify criminal histories or accusations against key personnel or investors, evidence of suspicious financial activity, indicators of undue influence and allegations of unethical business practices or mishandling of intellectual property.

The information is out there if you make use of available OSINT tools and know where to look. Identifying potential risks early in the process ensures a complete understanding of associated risk prior to concluding an investment or acquisition.

Non-traditional business risks that can be identified and evaluated using an “outside the firewall” approach include:

  • Review of outstanding litigation.
  • Discovery of derogatory information on executives.
  • Investigation of existing investors, board members and key executives to identify past indiscretions or allegations regarding criminal activities, criminal connections or unethical behavior.

Distribute OSINT due diligence findings

For investment due diligence, the transaction owner (corporate development or the sponsor of the investment), the CISO and legal counsel are typically the primary stakeholders, as they are accountable for adjudicating the risk and implementing policy decisions around risk reduction given the state of the acquisition. The leader can vary by organization, but whoever it is needs to coordinate across the business.

More broadly, upon identification of traditional and non-traditional risks, the team should again collaborate to identify areas of concern that may require deeper OSINT investigation.

While this is typically led by the general counsel or CISO function, it’s imperative that the owners of the relevant business risk are represented to determine whether to accept the risk or how to mitigate it.

Understand the importance of context

The use of OSINT can expedite the diligence process, but when disseminating the findings, it’s critical to provide context so the owner of the risk can be best prepared to understand and address it. As an example, a technical finding needs to be connected to business risk.

The presence of compromised credentials is a very different risk if those credentials belong to a systems administrator with elevated access or an executive or other key person. A key executive having another business may be perfectly acceptable, but the scope and scale may be critical to the analysis.

To give you an example of an M&A-related OSINT exercise, imagine you determine that the CEO of a company being acquired owns another company. Initially it wasn’t seen as a big deal, but the detailed investigation determined that it was a significant ongoing concern with a manufacturing facility.

While it wasn’t a competitive concern, the fact that it wasn’t disclosed and likely consumed a significant portion of the executive’s time led the acquirer to continue with the transaction but decline to have that executive join the company post-transaction. The context of a finding is often as important as the finding itself for optimal risk management.

In some instances, OSINT may replace other methods in the due diligence process. In more complex situations, it can provide validation of diligence tools and also unveil potential risks that require deeper analysis.

Understanding the before and after picture is critical to managing risks associated with mergers and acquisitions. The findings must also be viewed in the context of the budget and maturity of the existing security program relative to the security program of the new parent company.

The traditional cyber diligence process can provide valuable information, but when it is complemented by an earlier “outside the firewall” approach using a combination of OSINT tools and methodologies, acquirers can gain a valuable time advantage, better understand what risk they are accepting, streamline the process and be better prepared to manage risk the day the deal closes.