companies invest a lot Time and energy to integrate networks and applications after acquisition. However, purchasing, IT, security, and intelligence teams rarely have the resources or internal processes to review targets prior to an acquisition. If they can do this, they will be better able to manage risk.
Questionnaires, interviews, and cybersecurity due diligence are commonly used, but these efforts are usually not undertaken until a letter of intent (LOI) has been prepared and access to the organization and its network has been granted. In many cases, regulatory approvals can further delay this access and sharing of information. The result is a process that is often rushed and sub-optimal.
As the M&A market accelerates, buyers should change that dynamic to speed up the due diligence process and ensure that all cybersecurity, corporate reputation and key personnel risks that will be addressed shortly are identified, assessed and treated.
Here are five key steps for a timely and more effective approach to M&A due diligence:
Be prepared to make a to-do list on day 1, not day 30.
Due to the limitations or haste of traditional due diligence, companies often discover risk on the first day a deal closes.
Significant risks can be understood early in the process through due diligence based on technical and analytical data. This allows for a better assessment of opportunities and gives integration teams the ability to manage accepted risks from day one.
Customer data leaks and indicators of current or past leaks can be identified with a combination of OSINT, the right tools, and expert analysis.
You can start predictive research and evaluation a long time ago without the need to access the network or exchange information. This approach is increasingly being used to test or replace questionnaires and interviews. The key is to add open source information (OSINT) to the due diligence process. OSINT is based on publicly available information and may include both freely available and licensed resources.
By using OSINT and initiating “beyond the firewall” due diligence, buyers and decision makers of their business data can initiate an investigation at any point in the process, including the target identification stage. In addition, because no information sharing or access to the site’s applications and networks is required, initial assessments can be completed much faster than a traditional cybersecurity review, often within weeks.
Identify stakeholders and manage the OSINT process
Once an organization decides to improve the OSINT due diligence process, it is important to identify the individuals or organizations that will manage the process. This depends on the size of the organization and the magnitude and complexity of the risks.