Today’s software is very sophisticated and complex. With ever growing time pressure to bring products and features to market, many companies are increasingly integrating open source software (OSS) components into their product offerings. These could be simple functions to expedite database transactions to full-blown complex user-interface frameworks.
The use of OSS in any software products dramatically shortens the time to roll out new features. However, OSS also poses potential risks to software products and their organizations. Equity and investment firms must understand and assess a target company’s use of OSS and their risks as part of diligence in any M&A transaction. Failure to properly assess the open source software risks could lead to security exposure (ranging from denial of services to a high profile data breach) and in some extreme cases requiring the company to disclose its proprietary software to the open source community. In December 2008, the Free Software Foundation (FSF) filed suit and successfully forced Cisco to release the firmware source code for their Linksys WRT54G router to the open source community.
For these reasons, companies should conduct thorough due diligence to identify any OSS-related risks associated with an M&A target and take appropriate steps to manage those risks, such as remediate any license issue, implementing security controls, and incorporating appropriate legal protections into the transaction documentation.
Licensing Risks
There are several key risks related to licensing obligations when it comes to open source software in M&A transactions.
One risk is that the OSS used by the target company may be subject to very restrictive licensing obligations, such as the requirement to disclose the source code or to distribute any changes made to the code. So called “copyleft” licenses, such as GNU General Public License family (GPL), require a company to make its own proprietary software publicly available if it is derived from the OSS, as well as any modifications to such OSS.
Non-compliance with the licensing terms when using the OSS can result in legal liability, including copyright infringement and breach of contract.
Another risk is that the company may inadvertently be in violation of OSS licensing terms by distributing software that includes OSS components without meeting the requirements for attribution or providing the corresponding source code. This could lead to legal action and can also discredit the company’s reputation.
Even less restrictive OSS licenses that require disclosing only the changes to the OSS libraries could pose risk to organizations. An example of such risk is the OSS changes containing the company’s trade secrets. If not carefully examined, proprietary code that goes into the OSS libraries will need to be disclosed to the OSS community.
As OSS libraries and packages evolve, their licensing terms may change. This change is usually toward less restriction. However, some OSS authors may switch to a commercial licensing fee above a certain threshold, such as more than x number of users. Organizations must stay on top of their OSS license obligations, and evaluate changes to the licensing terms during upgrade.
Most of the OSS libraries are offered under standardized licenses which are usually categorized as:
- high risk (e.g. GNU General Public License)
- medium risk (e.g. Mozilla Public License)
- low risk (e.g. MIT License)
Some OSS projects use custom licenses that may contain terms imposing additional obligations and restrictions on the use of the product. It is crucial to identify such custom licenses within technical due diligence to allow legal teams to further analyze their terms in order to avoid any risks of non-compliance.
Another potential issue that is often overlooked is license conflicts. OSS libraries can contain subcomponents (termed “dependencies”) that are licensed under a different license than the main license under which the library is provided and thus can pose more restrictions.
To mitigate these risks, companies should conduct a thorough due diligence review to identify any OSS related licenses and obligations associated with the M&A target, and take appropriate steps to ensure that they can meet those obligations, such as obtaining necessary licenses, implementing security controls, and incorporating appropriate legal protections into the transaction documentation.
Cybersecurity Risks
Cybersecurity risks are a significant concern when it comes to OSS in M&A transactions. With most software products typically pulling in tens or even hundreds of OSS packages, it’s very easy to lose track of keeping up and updating vulnerable OSS packages.
One key risk is that OSS may contain security vulnerabilities that have been discovered and being actively exploited by attackers. These vulnerabilities can be found in any software, but OSS can be particularly vulnerable because it is often developed by a large and diverse community of contributors, and it is not always possible to know who is involved in the development and if any testing process. This can make it difficult to identify and address vulnerabilities in a timely manner.
In addition, OSS is often widely used and its source code is publicly available, making it an attractive target for attackers looking to exploit known vulnerabilities. If an OSS library is known to be used by “high value targets”, a sophisticated hacker could analyze the OSS source code to formulate a very specific exploit.
Another risk is that the OSS used by the target company may not be well-maintained or may not have been reviewed or tested for security vulnerabilities. This can expose the company to a range of cyber threats, such as data breaches, malware infections, trojan horse / backdoor planting, and other incidents that can result in significant harm to the company’s reputation and bottom line.
Finally, M&A transactions can also lead to increased cybersecurity risks by introducing new technologies, systems, and people into the company’s IT environment. The process of integrating the target company’s software products / solutions and IT systems with those of the acquiring company can create new attack surfaces and opportunities for attackers to gain access to sensitive data and systems.
To mitigate these risks, companies should conduct thorough due diligence to identify any cybersecurity risks associated with the target company’s use of OSS and take appropriate steps to manage and mitigate those risks. This can include implementing security controls to protect against known vulnerabilities, regularly reviewing the company’s OSS inventory, and incorporating appropriate legal protections into the transaction documentation. Additionally, it’s important to have a robust incident response plan in place and to ensure that the target company’s IT environment is properly integrated and secured following the merger or acquisition.
How Are Risks Assessed in M&A Transactions?
- Due Diligence
Conducting a thorough due diligence review is an essential step in identifying and assessing OSS-related risks associated with a potential acquisition target. - Audits and Assessments
OSS-related risks can also be assessed by conducting audits or assessments of the target company’s use of OSS. - Legal Review
A legal review of OSS-related licenses, agreements and other documents can be done to identify any potential risks or liabilities related to the target company’s use of OSS. - Technical Review
A technical review can be performed to identify any technical risks associated with the target company’s use of OSS.
All these steps, when combined, can give a comprehensive understanding of the OSS usage and risks associated, allowing companies to make better-informed decisions and manage OSS-related risks more effectively.
What is the Role of Technical Due Diligence in Assessing and Mitigating OSS Related Risks?
Technical due diligence plays a critical role in assessing and mitigating OSS related risks in M&A transactions. Technical due diligence is the process of evaluating the technical aspects of the target company, including its IT infrastructure, software, and systems.
During the technical due diligence, a team of technical experts will review the target company’s software inventory to identify any OSS that is used and any licenses and obligations associated with that software. This can also help to identify any security vulnerabilities, non-compliance issues, or other risks associated with the OSS, which can inform the overall risk assessment of the target company.
Additionally, technical due diligence can determine whether the target company has the ability to continue using the OSS after the merger or acquisition, if the company has the proper maintenance and support plan, and if any technical compatibility issues may arise from integrating the OSS into existing systems.
Another important aspect of technical due diligence for OSS related risks is evaluating the company’s IT infrastructure and identifying any vulnerabilities or security risks associated with the OSS. This can include assessing the company’s security controls and identifying any potential attack surfaces, as well as evaluating the company’s incident response plan to ensure that it is robust and effective.
Overall, technical due diligence is an essential step in assessing and mitigating OSS-related risks in M&A transactions, providing companies with a comprehensive understanding of the target company’s use of OSS, which is important to make informed decisions and to take appropriate steps to manage those risks.
