Companies invest significant time and energy to integrate networks and applications after an acquisition. However, the acquiring IT, security and intelligence teams rarely have the resources or internal processes to perform investigative diligence on a target before an acquisition. Being able to do so would enable them to better manage risk.
Questionnaires, interviews and cyber due diligence are commonly employed, but these efforts are typically only started after a letter of intent (LOI) is in place, and access to the organization and its networks is granted. In many cases, regulatory approvals may delay this access and information sharing even further. What results is a process that is often rushed and suboptimal.
As the M&A market accelerates, acquirers must change this dynamic to speed up the due diligence process and ensure any risks associated with cybersecurity posture, company reputation and key personnel are identified, evaluated and addressed early in the process.
Here are five key steps to a more timely and effective approach to M&A due diligence:
Be prepared with an action list on day one, not day 30
Due to constraints or the rushed nature of traditional diligence, companies often discover risk on day one, when the deal closes.
It is possible to understand material risks early in the process through the use of technical and intelligence-driven diligence. It enables you to better evaluate the opportunity and have integration teams equipped to manage accepted risk on day one.
Leaks of customer data and indicators of current or past breaches can all be identified through a combination of OSINT, the proper tools and expert analysis.
You can begin intelligence-driven investigation and evaluation much earlier without needing network access or information sharing. This approach is increasingly being used to validate, or even replace, questionnaires and interviews. The key is to add open source intelligence (OSINT) to the due diligence process. OSINT is based on publicly available information and can include both freely available and licensed sources.
By using OSINT and initiating due diligence from “outside the firewall,” acquirers and their enterprise data decision-makers can begin their investigation at any point in the process, including in the target identification phase. Since it doesn’t require information sharing or access to the target’s applications and networks, initial evaluations can also be completed much faster than traditional cyber diligence, often within a period of a couple of weeks.
Identify stakeholders and manage the OSINT process
Once an organization decides to enhance its diligence process with OSINT, it is important to identify the individuals or organizations that will manage the process. This depends on the size of the organization, as well as the prevalence and complexity of the risks involved.