- Rescana Engineering
Open-Source Intelligence – an invaluable tool for Mergers and Acquisitions
If your company is exploring the acquisition of another company, you must conduct rigorous due diligence to evaluate whether the target company will bring value to your organization. With some intelligence on the target company, it might even be possible to make a more accurate offer for it.
In mergers and acquisitions (M&A), the general rule is the target company prefers to sell the stock while the acquiring company wants to purchase only the assets. By purchasing only assets, the acquiring company doesn’t take on the liabilities of the target company. But these monetary liabilities are only the starting point.
Even if your company is only purchasing the assets, it’s purchasing intangible assets such as the goodwill and customer lists of the target company. Buyers usually want to value these intangibles highly so they can reap the tax benefits of their amortization. But what if these intangibles reduce the goodwill of the acquiring company?
Goodwill is the value associated with a company’s brand, its relationship with customers, employee relations, and several other intangibles. Open-source intelligence (OSINT) is great for finding information to help value a company’s goodwill. But that’s just the beginning of the many roles OSINT plays when considering a merger or acquisition of another company.
OSINT in the 21st century mainly relies on public information provided by the internet. Some of this information can provide in-depth guidance on the target company’s information technology (IT) and cyber security practices.
You need to know if merging your company’s IT infrastructure with the target company’s will cost a fortune in time and money. You also need to know if your company will risk significant losses because of lax cyber security practices by the target company.
This whitepaper focuses primarily on how OSINT can affect the purchasing company’s cyber security exposure. But we will cover some other areas where OSINT can play a major role in the M&A due diligence process. Though we look at OSINT mostly from the acquiring company’s view, OSINT can also help target companies shore up weaknesses to become more attractive to potential buyers.
Before going into detail about what OSINT can do for you, let’s look at the history of OSINT.
A Brief History of OSINT
Internet-based OSINT is a relatively recent innovation. That’s surprising, considering massive amounts of data are available on the internet. Simple scraper technology can automatically download important data from the internet into your databases. Machine learning and artificial intelligence systems can quickly spot the data that’s important to you.
OSINT itself is not new. The precursor of the CIA, the Office of Strategic Services (OSS), used OSINT during World War II. The OSS’s research and analysis department analyzed open-source information, such as newspapers and radio broadcasts. The OSS found that carefully analyzing these freely available sources could provide crucial information on the enemy.
William J. Donovan, the coordinator of OSS, said, “Even a regimented press will, again and again, betray their nation’s interests to a painstaking observer.” It would amaze Donovan to see the massive number of open-source resources provided on the internet.
The CIA caught on to the need for OSINT after the September 11 attacks. Listening to “internet chatter” became a vital source of information necessary to foil potential terrorist attacks. But the CIA didn’t realize the full potential of OSINT until Iran’s Green Revolution and the Arab Spring between 2009 and 2012.
At first, American intelligence services focused on the elites in these nations. The intelligence services overlooked vital facts, such as that 60% of all links posted on Twitter during the first week of the Green Revolution were about Iranian politics. Because intelligence services were not paying attention to internet posts by everyday citizens, the Arab Spring uprisings took them by surprise.
The CIA and the NSA learned from their mistakes. In 2015, a selfie posted on the internet by an ISIS member standing on the roof of a bomb factory was enough for intelligence services to locate the bomb factory. Within 24 hours of the picture appearing on the internet, the allied forces destroyed the bomb factory.
Modern use of OSINT is spreading. OSINT is being used by “citizen detectives” to solve crimes and catch fugitives. Political campaigns use OSINT for opposition research. Industry uses OSINT for espionage on competitors. Of course, a milder form of industrial espionage is using OSINT to research potential targets during the M&A due diligence process.
Why You Need a Cyber Security Assessment
A cyber-attack can cost a company millions of dollars. These losses come not only from the cyber-attack itself but also from lawsuits. In 2017, Equifax suffered a data breach that led to lawsuits. The company settled with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 state attorneys general for up to $425 million.
It’s unlikely you want to purchase a company that doesn’t take cyber security seriously. The risk is just too high. On the other side of the equation, if your company is for sale, it must take cyber security seriously, or it will not be an attractive target for potential buyers.
Whether your company is seeking to purchase another, or your company wants to be bought, you need a cyber security assessment of the target company. At Rescana, we use our OSINT platform to provide automatic and comprehensive cyber security assessments of any company. Our huge data collection platform constantly monitors the web and the deep web for cyber risk data.
What Does a Cyber Intelligence Assessment Look For?
There are many things you will want to know about a target’s cyber security practices, including:
· Which IaaS, SaaS, and other as-a-service systems does the target use?
· Do the target’s IP addresses, domains, or services appear on indicator of compromise (IOC) lists?
· What email platform is the company using, and are they following recommended security practices?
· Does the target use strong and up-to-date transport layer security (TLS) certificates?
· Does the company keep its software and server security patches up-to-date?
These questions are only scratching the surface. For proper risk analysis, we must go deeper. You want to find any security misconfiguration that could lead to legal liability or public embarrassment of your brand.
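As an added illustration of the e-mail question in the list above (not Rescana's code or platform), this Python example guesses the mail platform from MX host names and grades the published SPF and DMARC policies. Treating SPF and DMARC as the "recommended security practices" is an assumption, as are the MX hint table, the function names and the placeholder domain target.example.

```python
# Added example; every record below is constructed sample data for the
# placeholder domain target.example (real input would be MX/TXT lookups).
MX_HINTS = {"google.com": "Google Workspace",  # assumption: non-exhaustive
            "protection.outlook.com": "Microsoft 365"}

def mail_platform(mx_hosts):
    """Guess the hosted e-mail platform from MX host names."""
    for host in mx_hosts:
        h = host.lower().rstrip(".")
        for suffix, name in MX_HINTS.items():
            if h == suffix or h.endswith("." + suffix):
                return name
    return "self-hosted or unknown"

def spf_findings(txt):
    """Flag a missing, duplicated or permissive SPF policy."""
    spf = [t.lower().split() for t in txt if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as an error)"]
    alls = [t for t in spf[0] if t.lstrip("+-~?") == "all"]
    if not alls:
        return [] if any(t.startswith("redirect=") for t in spf[0]) else ["SPF has no 'all' mechanism"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means "+all"
    return {"-": [], "~": ["SPF softfail (~all)"], "?": ["SPF neutral (?all)"],
            "+": ["SPF passes any sender (+all)"]}[qualifier]

def dmarc_findings(txt):
    """Flag a missing or non-enforcing DMARC policy (TXT at _dmarc.<domain>)."""
    recs = [t for t in txt if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    tags = {k.strip().lower(): v.strip().lower()
            for k, v in (p.split("=", 1) for p in recs[0].split(";") if "=" in p)}
    policy = tags.get("p", "missing")
    return [] if policy in ("quarantine", "reject") else ["DMARC does not enforce (p=%s)" % policy]

def assess(records):
    return {"platform": mail_platform(records["mx"]),
            "findings": spf_findings(records["txt"]) + dmarc_findings(records["dmarc"])}

SAMPLE = {  # constructed records, not taken from any real company
    "mx": ["target-example.mail.protection.outlook.com."],
    "txt": ["v=spf1 include:spf.protection.outlook.com ~all", "site-verification=constructed"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@target.example"]}
print(assess(SAMPLE))
```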
At Rescana, we hunt for:
· Systems that still have default usernames and passwords
· Unpatched systems
· Files that aren’t encrypted
· Out-of-date software that is no longer receiving security updates
· Unsecured devices
· Less than optimal firewall protection
Any of these weaknesses could lead to a costly data breach. Even worse, it may have already led to a data breach that’s only discovered after your company has purchased the target company. The odds are that if this occurs, your company will be liable for the data breach. Purchasing the right to be a defendant in a lawsuit is never a good idea.
Of course, if you’re trying to sell your company, you must harden your systems against such vulnerabilities to be an attractive target.
What Will It Take to Merge Your IT Systems With the Target’s IT Systems?
Cyber security isn’t the only IT issue to be concerned about when purchasing another company. The target company has its own IT infrastructure. Its employees have grown used to that system. Merging different IT systems can take months, if not years.
You must transfer data from the target’s IT infrastructure into your systems. You may have systems the target doesn’t have. That means your company will need to add new capabilities to the target company’s infrastructure.
The target’s employees have grown used to their system. How much retraining will it take? Merging IT systems is an important consideration as it can take much time and money.
Other Key Areas for Risk Assessment with OSINT During the M&A Process
Cyber security isn’t the only area of cyberspace you need to investigate before purchasing a target. You will want to know about the company’s digital presence and supply chain risks. It’s a good idea to look at the dark web to determine if the target is involved in any shady business dealings or if there are any data breaches not yet widely known.
Digital Presence of the Target
A company’s digital presence is a critical intangible asset. It’s essential to know about the company’s online retail stores, digital marketing strategies, social media presence, and how customers view the company.
In the 2020s, with the importance of e-commerce, a company’s digital presence is often more significant than its brick-and-mortar presence. This is true not only for consumer retail but also for B2B businesses.
There are multitudes of review websites, including:
· The Better Business Bureau
· Google reviews
· Ripoff Report
This list doesn’t even begin to cover the number of general review sites. There are also many specialty review sites, such as Avvo for attorneys and HealthGrades for doctors.
It’s important to know what the general attitude of customers is for the target firm or company. OSINT analysis of these review websites can give great insight into the target’s reputation. You probably don’t want to reduce your own reputation by purchasing a brand that has a bad reputation.
From TikTok to Facebook to Reddit, there may be important information about your target. At Rescana, we use SOCMINT (OSINT for social media) to find what you need to know about the target company. Has an insider posted a picture on Tumblr that inadvertently provides key non-public information about their company? You need to know.
You’ll want to know how well any digital marketing campaigns are working for your target. OSINT is easily available through search page rankings and prices paid in pay-per-click campaigns. Is their digital marketing strategy working? If this is relevant to your decision on whether to purchase the company, you need to know.
Supply Chain Information
In the 2020s, one of the most important factors you will want to know about your target is their supply chain. Problems with global supply chains are a primary topic on business and finance outlets. It’s a key reason for inflation.
Are the target’s primary suppliers overseas or local? What about the suppliers of the suppliers? You need this information to assess the supply chain risks you’ll be taking on should you buy the target.
Does your target use an integrated supply chain management system that allows them to see and manage risks coming from upstream suppliers? These programs are great for analyzing supply chain risks. But they can also be a weak point for data security. A supplier’s vulnerability may affect your target. OSINT can help you answer these questions.
At Rescana, we can quickly evaluate your vendors for any security issues that may affect your systems.
The SolarWinds Case
In the SolarWinds case, it was an IT management and security company that was hacked. SolarWinds wasn’t just any security company. It provided its services to companies like Microsoft and many government agencies worldwide.
When unknown hackers planted spyware in SolarWinds’ software, it resulted in breaches at:
· The European parliament
· The UK government
· Several high-level US government agencies, such as the Justice Department and the State Department
These are just a few of the thousands of organizations that were breached in this case. Was your target on the list? Has your target conclusively determined that they don’t have this spyware on their computers? If their systems were infected and you integrated your IT system with its infected system, your IT system is at risk.
M&A is a complicated process. There’s much to know before you can make an informed purchase decision. OSINT research can help you gather the precise information you need. At Rescana, we look forward to using our advanced OSINT systems to help you meet your M&A due diligence requirements. Contact us today to schedule a demonstration of the many ways we can help you.