Here are some practical tips for completing tech due diligence, focusing on open source software, when your teams can’t meet, go to the office, or travel.
Numerous M&A transactions have been put on hold in recent weeks, while the parties wait to see what happens. Even deals that are moving ahead suffer friction from the realities of the day, as travel bans, quarantines, social distancing, closures of nonessential businesses, and shelter-in-place orders make it impossible to conduct due diligence in a normal fashion. So how do you assess technology when no one can travel?
There is much value to meeting in person, getting to know the other party in a transaction, and gaining an intuitive feel for the business and the technology itself. A target that might willingly let the acquiring CTO look over a shoulder at some code, or that will happily whiteboard some details of the architecture, may be less forthcoming via video conferencing. It may also be impossible to properly populate the data room when employees are working from home without ready access to physical files, or when diligence materials are stored in a physical file room that is inaccessible due to travel restrictions. Nevertheless, some diligence activities are manageable in the current environment, and others become more important because of it. Here we offer some practical tips for those charged with completing technical due diligence in a time of social distancing, focusing on open source software, commercial in-licensed software, and security.
Set expectations early
On the sell side, make it clear that you do not have access to certain physical files, certain computer systems, and certain folks—and describe such files, systems, and folks—so the buyer knows what to expect at the outset.
On the buy side, explain to the seller that since it will be impossible to complete typical due diligence, you will rely more on reps and warranties, indemnification, and holdbacks/escrows. Consequently, the seller should expect heavier-than-typical deal terms and that some diligence will be completed later in the transaction than typical. In addition, explain that in areas where it is still possible to conduct diligence, the diligence may be more thorough than typical as a proxy for the inability to conduct diligence in other areas.
Leverage trusted third-party technical due diligence providers
Since it is hard for the parties to explore the technology hand-in-hand, a third party with whom the target is comfortable sharing its code can close the gap. An analysis of what’s in the code, valuable on its face, can also serve as a proxy for how well the target manages software development.
A code audit to identify open source and other third-party software components is even more important today. Few targets are able to identify all the third-party code in their codebases, and that’s even harder when the engineers can’t easily collaborate. Scanning the codebases can occur remotely. Audit results identify code risks, but they can also reveal a great deal about a company’s code development and management practices. Thus, they can act as a barometer for the quality of the processes used to produce that code.
Similarly, a third party with access to the code can quantitatively evaluate it for security vulnerabilities (in both open source and proprietary code), bugginess, and architectural quality.
Such quantitative information complements the qualitative assessment that comes from CTO-to-CTO video chats. A third party that interviews the target’s technical leaders while informed by those quantitative results can often provide an even better-informed qualitative perspective.
Relying more heavily on the third party to fill in the details, the acquirer will still need to formulate integration plans or, in some cases, pre-closing remediation, deal terms, or adjustments to valuation.
While the points noted above appear buyer-focused, the seller can use them as a roadmap to prepare for diligence in advance, avoid surprises, and resist a buyer’s demands for more onerous deal terms.
Leverage expert, tech-savvy counsel
This is, of course, critical when it comes to open source. In today’s environment, it is especially vital that tech counsel craft reps, warranties, and other provisions to appropriately address all the heightened risks.
Use specialist attorneys to boil down the reports provided by the technical due diligence provider to a practical assessment of the target’s practices, especially in comparison to peer companies, and translate the results into terms for the definitive agreement.
A review of the target’s open source/third-party software policy, any notice/attribution files, and remote interviews with the target’s team regarding their typical approval process and approved/denied licenses allows a skilled practitioner to quickly learn a great deal about the target’s development practices.
An assessment of the target’s outbound open source contribution practices and a review of any public code repositories may help evaluate whether the target has procedures in place to ensure valuable intellectual property is not inadvertently released as open source and whether it obtains sufficient rights in third-party contributions to its open source projects. Again, this information can provide valuable insight into the company’s development practices.
Depending on the diligence findings, craft fulsome substantive and scheduling reps focusing on third-party software and consider making them fundamental reps. In addition, include remediation-focused covenants and closing conditions requiring remediation of known issues prior to closing, along with specific indemnities focusing on third-party software. Also plan for the inability to obtain any needed consents to transfer for commercial in-licensed software; given that many businesses are currently operating in crisis mode, these requests are unlikely to be a priority.
Again, while the points noted above are buyer-focused, the sell side can follow great practices in these areas to obtain more friendly deal terms and smooth the transaction process.
Overall, by leveraging trusted technical diligence providers and expert open source counsel, even without on-site face-to-face meetings, group dinners, and handshakes, it should be possible to complete diligence in these areas, get a feel for the target’s overall practices as a proxy for diligence in certain other areas, and include suitable protections in the acquisition documents.
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Synopsys Editorial Team. Read the original post at: https://www.synopsys.com/blogs/software-security/tech-due-diligence-social-distance/