Our experts' unique discoveries, observations, and opinions on what’s trending today in Business Risk Intelligence and the Deep & Dark Web.

Blog > BRI > M&A Due Diligence and Business Risk Intelligence: A Natural Fit

M&A Due Diligence and Business Risk Intelligence: A Natural Fit

Josh Lefkowitz

During the past year following Flashpoint’s expansion into Business Risk Intelligence (BRI), our customer base has grown to comprise distinguished organizations across 20 different verticals. Not only has this growth afforded us the privilege of getting to work closely with leading enterprises and agencies, it continues to help us develop innovative use cases for BRI. As I’ve shared previously, BRI’s applications are diverse and extend beyond just cybersecurity to also bolster physical security, combat insider threats, confront fraud, and many others.

To that end, I’d like to take this opportunity to discuss an especially compelling use case for BRI: mergers and acquisitions (M&A) due diligence.

Given that extensive due diligence is integral to the success of any M&A engagement, BRI and M&A are a natural fit. After all, any unknowns pertaining to the target company’s finances, reputation, strategy, liabilities, or compliance could hinder the short- and/or long-term success of any merger or acquisition. Not only can BRI help uncover these unknowns, it can enable potential acquirers to proactively address a broad spectrum of cyber and physical threats to which target companies may be susceptible, including:

Insider Threats

While intellectual property (IP) is an integral facet of many M&A engagements, IP can also be particularly vulnerable to insider threats. The high black-market value and ample demand for IP on the Deep & Dark Web means that for malicious insiders with access to valuable company information, selling such access can provide a quick and profitable return. But, without visibility in the forums and marketplaces where IP is bought and sold, insider threats may go undetected until the IP has been compromised and the damage has occurred.

Supply Chain Security

Given the increasing number of companies opting to outsource their supply chains, supply chain security has become an integral component of the M&A due diligence process. While outsourcing can lower costs and increase efficiency, it often prevents companies from having visibility into the production of their goods. As such, companies may not be aware of flawed manufacturing practices, insufficient quality controls, or other errors that could lead to security vulnerabilities within these goods. Since pre-emptive indicators of supply chain security issues often originate within the Deep & Dark Web, leveraging intelligence derived from these online regions is essential during the M&A due diligence process.


Companies targeted by fraud can incur substantial financial and reputational damages that require consideration during an M&A engagement. While fraudsters once relied on lower-level tactics such as carding and ATM skimming, the implementation of stricter anti-fraud measures has ultimately yielded larger-scale, more damaging fraudulent schemes. As most of these schemes develop within the Deep & Dark Web, combatting fraud proactively requires comprehensive visibility into these closed-access regions of the internet.

Data Theft

Since many companies store large volumes of customers’ and/or stakeholders’ personally identifiable identifiable information (PII), they can be desirable targets for cybercriminals seeking to steal and monetize PII. But without ample visibility into the Deep & Dark Web marketplaces and forums where criminal schemes are hatched and proprietary information is bought and sold, companies involved in an M&A transaction may struggle to detect and verify cyber indicators of compromise accurately and effectively.


Key business developments such as M&A engagements, especially for major brands, may be particularly susceptible to receiving unwanted attention from hacktivists, attention-seekers, and other threat actors motivated by financial, political, or personal gain. Since these actors’ schemes are often conceived and developed within the Deep & Dark Web, security teams without visibility in these online regions may not be aware of all cyber and physical threats to which their organizations and/or employees are susceptible.

It’s crucial to remember that for any M&A engagement to be truly advantageous, the acquirer must first gain an accurate and comprehensive understanding of the target company’s risk profile. And while it is impossible to proactively detect each and every threat and vulnerability contributing to an organization’s risk, BRI can help companies involved in the M&A due diligence process to identify and assess relevant risks more accurately and effectively. 

For more information on how BRI supports M&A due diligence, download our use cases here.

Related Posts

About the author: Josh Lefkowitz

Josh Lefkowitz

Josh Lefkowitz is the Chief Executive Officer of Flashpoint, where he executes the company's strategic vision to empower organizations with Business Risk Intelligence (BRI) derived from the Deep & Dark Web. He has worked extensively with authorities to track and analyze terrorist groups. Mr. Lefkowitz also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Mr. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.