Assessing and consolidating domains and DNS providers are crucial “pre” and “post” M&A deal priorities. You are not only buying the valuable assets, you are also buying the cyber security risk.
In this paper we discuss:
- How to maximize deal value and mitigate post-close risks and costs
- The background problems: Hidden risks and network complexity
- Pre-deal due diligence assessment and planning
- Post-deal consolidation and integration execution
- M&A Best Practices: A Modern Approach to Empower Teams
Introduction
How due diligence teams can maximize deal value and mitigate post-close risk and cost.
There are many blogs, webinars, and how-to guides about acquiring domain assets – mostly centered on ownership rights, title, and brand protection during the M&A process. They are mainly useful to legal counsel, finance, and marketing but overlook a gaping area of risk and cost containment.
We’re talking about enterprise security and the network operations functions tasked with managing the DNS networks, mitigating risk, and managing integration costs after the deal closes.
Enterprise Value
Security Risk
Cost ContainmentIn this paper, we’ll discuss the known security and operations problems in acquiring domain and DNS assets, and effective ways to solve them. We’ll present a modern, best practices approach for companies active in M&A from pre-deal audit and assessment to post-deal consolidation.
Executive Summary
You are not just buying the assets – you are acquiring cyber security risk.
M&A teams face operational and IT risk when acquiring domain assets and the related DNS networks. The acquirer has a limited time frame to assume ownership of the domains and integrate them into network operations. These domains will have latent operational and security issues, unaddressed by the target company. The acquiring party does not have visibility into the true state, nor will it have any means to assess its security posture. The purchaser will be acquiring all the cyber risk and operational deficiencies associated with the target assets – and it will be largely blind.
Few operators have an accurate inventory of their domain assets and DNS network. That’s because their domains and DNS are scattered across multiple domain registrars, DNS services, and certificate authorities. Even when companies concentrate their high value domains on a single, corporate domain registrar, they invariably have more domains managed elsewhere. Put 10-20 DNS services into the mix and it’s a safe bet that management doesn’t have an accurate picture of its own DNS network.
The M&A team of an acquiring company has no accurate picture of the domain assets and DNS network they are buying, nor do they typically have an easy means to complete network and security due diligence. Hundreds (or thousands) of domains across many registrars and DNS services, require diligently managed zone files and the application of DNS security settings. M&A needs to assess the state of pre-deal DNS configurations for each domain. This includes an assessment of live or missing Name Servers, DNSSEC, DMARC, SPF, CNAMEs, A Records and TLS certificates with related versions and expiry dates.
M&A teams need reliable pre-deal audit data on the domain assets and DNS network they’re acquiring. Commercially available domain audit tools are uncommon. Thankfully, some firms have developed systems and techniques to audit domains and DNS networks. Using these technologies, due diligence teams gain invaluable data during the “pre-deal” phase, providing insights into the asset value, a one-time snapshot into DNS security posture, and a checklist to execute before and after closing.
Without accurate pre-deal data, M&A teams assume the risks in acquiring domain and DNS assets. Compounding the security risks are the operational issues of absorbing unknown digital assets into the acquiring company’s network operation. The buyer already has its own domain and DNS problems. Adding acquisition complexity exacerbates the problems with more registrars, DNS, and certificate authorities.
