After an acquisition, companies invest a lot of time and energy to integrate networks and applications. IT, security and intelligence teams rarely have the resources or internal processes to perform investigative diligence on a target before an acquisition. If they could, they would be better able to manage risk.

Cyber due diligence efforts are usually started after a letter of intent is in place and access to the organization and its networks is granted. Regulatory approvals can delay access and information sharing. The resulting process is often rushed.

As the M&A market grows, acquirers need to change this dynamic to speed up the due diligence process and ensure that any cybersecurity risks are identified, evaluated and addressed early in the process.

There are five steps to a more effective approach to M&A due diligence.

Be prepared with an action list on day one, not day 30

Due to constraints or the rushed nature of traditional diligence, companies often discover risk on the first day.

Technical and intelligence-driven diligence can be used to understand material risks early in the process. It allows you to better evaluate the opportunity and have integration teams prepared to manage accepted risk on day one.

Leaks of customer data and indicators of current or past breaches can be identified through a combination of open source intelligence (OSINT), the proper tools and expert analysis.

Intelligence-driven investigation and evaluation can be started earlier without network access or information sharing. This approach is being used to replace questionnaires and interviews. Adding open source intelligence to the due diligence process is the key. OSINT can include both freely available and licensed sources.

By using OSINT and starting due diligence outside the firewall, acquirers and their enterprise data decision-makers can begin their investigation at any point in the process. Since it doesn't require information sharing or access to the target's applications or networks, initial evaluations can be completed much faster than traditional cyber diligence.

Identify stakeholders and manage the OSINT process

Once an organization decides to enhance its diligence process with OSINT, it is important to identify the individuals or organizations that will manage the process. This depends on the size of the organization, as well as the prevalence and complexity of the risks involved.