M&A follows a well-defined process that starts with potential target identification, due-diligence, synergies identification, and valuation eventually translating into the Sales Purchase Agreement (SPA) followed by the post-merger integration or separation execution activities.
In overall effort distribution, a relatively minor effort is typically put over a very short period of time on the pre-deal side up until the SPA is finalized, whereas most of the impact of it is realized during execution.
One of the important part of the process is the due-diligence concerns with research and identification of the key risks associated with the given transaction. Often it is a rigid process that follows agreed protocol and includes analysis and review activities on a specific target. The traditional scope of due-diligence includes financial, TAX, operations, HR, and IT due diligence. Due to its nature and quick pace it has barely experienced much innovation in the past, and almost blind when it comes to addressing recent trends and development that provides greater information availability and potentially can improve one’s negotiation position.
Some of the trends that M&A due-diligence activity should factor are:
- Brand equity in Digital space
- Social networks, media, instant feedback
- Penetration of smart/mobile devices and IoT (telemetry)
- Exponential growth of the data accumulated and exchanged
- Dark web and anonymous access network (e.g. ToR, IP2P)
Open Source Intelligence (OSINT) as an intelligence collection method has existed for more than 60 years and can be traced back to World War II. The key idea is that up to 80% of the information required to make a decision can be collected using open or public sources. See more detail about the history of OSINT here (Bellingcat).
I was keen to test this and here is what I came out. Assuming little/no information available around the target, when approaching due-diligence using OSINT method the following information is nearly on your fingertips:
| Information | Potential impact/insight | Technique (illustrative) |
| Commercial and customers information | Market reputation impact Leaked information (e.g. customer base) Past rates and/commercial information Potential lawsuits | Sweep over public AWS S3 and Azure blobs Aggregators of the compromising evidence Darknet search |
| Supply chain information and commercial | Identification of the key suppliers and reliance on key suppliers Each can be further assessed for associated risks | Public maritime and logistics hub information (open data) |
| Misconfigured internet exposed public services and portals | Current cyber posture Likelihood of already being compromised Geography and hosting location of the key infrastructure and associated cyber-threats Leaked access credentials | Open or free to use threat intelligence resources Darknet lookup Query open-leaking databases based on Elasticsearch, Kibana, MongoDB |
| Brand digital presence | Customer service perception Promise to customers and market (vs achievement) Effectiveness of the marketing campaigns | News aggregators and analytics agencies Web cache Social media sweeps Petitions aggregators |
| Organization structure and related | Organization structure Overall organization site and geographical distribution Employees information Approximate attrition information | Social media analytics Employees feedback aggregation services |
| Organization ownership structure and executive management | Information about associated parent company and sister companies Potential conflicts of interest | Public KYC aggregators |
| Involvement of the organization in illegal or shady activity | Long-term reputation impact Potential illegal activity Potential lawsuits | Public leaks lookups and document sweep (covering entity legal names, and key management personnel) |
It appears that OSINT provides unprecedented insight into the M&A due-diligence process (needless to say that it subject to agreement between parties involved in the transaction and adherence to the set protocol). In case you are interested in any of the tools that might be leveraged to illustrate above happy to share and/or discuss your views on the OSINT and M&A use cases.
For additional information and my points of view related to M&A check-out in my blog here.
