Proactive sell-side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoids lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.
2. 2
A. Background: Casting the Net
B. Why Should You Care About This?
C. Impact on Due Diligence and Schedules
D. Impact on Deal Terms and Definitive Agreement
E. What Should You Be Doing Now?
F. Final Thoughts
Overview
3. 3
A. Background: Casting the Net
• Software+
• Transactions
• Business Models
• Inadvertent Software Companies
4. 4
• More than just open source software
• Typically any third party in-licensed software
• Commercial, freeware and open source
• In any form: Object code, binary code, source code, firmware, microcode, drivers, libraries, routines and subroutines
• Extends to: APIs, SDKs, protocols, specifications and interface definitions
• Not just embedded, but also for development and internal use
• Covers inbound SaaS offerings
• Sometimes applies to:
• Hardware
• Data
• Inbound content
Background - Casting the Net:
Software+
Really any in-licensed software/service (or more) for developing, maintaining, supporting and offering your products and services
5. 5
• Applies to all sorts of transactions
• Mergers & Acquisitions
• Divestitures
• Financings, including VC/PE investments
• Loans
• IPOs
• Customer agreements
Background - Casting the Net:
Transactions
6. 6
• Applies to all sorts of business models
• Traditional distributed
• Hosting
• SaaS
• PaaS
• IaaS
• Internal use
• In support of professional services
Background - Casting the Net:
Business Models
8. 8
Background - Casting the Net:
Even Where You Don’t Expect It…Inadvertent Software Companies
• Agriculture
• Banks and Financial Services
• Automotive
• Design/Custom Products
- 3D printing
- DNA sequences
• Hardware
- Medical Devices
- Lab and Diagnostics Equipment
- POS terminal/bar code reader
• Content Provider
- Media Companies
- Publishing Companies
- Universities
• Consumer Products
- TVs
- Internet of Things
- Wearables
- Toys
- Greeting Cards
- Locks
Mobile Apps; SaaS Platforms; Code on the devices
Distributing and/or Hosting Code
9. 9
B. Why Should You Care About This?
• The Underlying Risks
• Licensing and Compliance Risk
• Security Risk
• Business and Operational Risk
• Remediation Risk
• Overall Impacts on the Deal
• It’s Not Theoretical Anymore: Recent Litigation
10. 10
Why Should You Care About This?:
The Underlying Risks - Licensing and Compliance Risk
• Use beyond scope of license
• Breach of licenses; automatic termination since no materiality
• Copyright infringement
• ‘Viral’ infection of proprietary code
• Automatic grant of licenses to certain of your patents
• Defensive patent termination rights
• Transfer/assignment/change-of-control issues
• Under-licensing; not enough seats/licenses
• Combinations of components under incompatible licenses
• Notice and attribution non-compliance
• Failure to comply with licenses for “fourth party” components
11. 11
Why Should You Care About This?:
The Underlying Risks - Security Risk
• Avoid unknowingly using third party software with known security vulnerabilities
• Any vulnerabilities associated with the components?
• Which components?
• What are the vulnerabilities?
• Any patches available?
• May have more vulnerabilities since the source code is available or fewer vulnerabilities since more people are looking
12. 12
Why Should You Care About This?:
The Underlying Risks - Business and Operational Risk
• Dependence on code from competitor/hostile party
• Think ahead to integration and running the business or things can become very difficult
• Changing the offering model
• Standardizing on certain components
• May be expensive or impossible to collect the key information later
13. 13
Why Should You Care About This?:
The Underlying Risks - Remediation Risk
Code Remediation
• Removing, rewriting or replacing code
• Costs: Engineering, time
Legal Remediation
• Amending/terminating agreements, seeking clarifications, seeking waivers of past liability, re-licensing components and obtaining new licenses
• Often hard to remedy past non-compliance
• Costs: Legal, time, fees to licensors
Risk Mitigation/Allocation
• Additional representations and warranties
• Remediation-focused closing conditions and best efforts covenants
• Specific indemnities
• Additional escrows
14. 14
Why Should You Care About This?:
Overall Impacts on the Deal
Macro Impacts:
• Delay
• Signing
• Closing
• Reduce Price
• By expected cost of remediation
• By estimate of past non-compliance
• Plus a premium for the unknown
• Deal certainty
• Due to conditions
• Dependence on third parties
• Kill the deal
• Upset the build vs. buy decision
Diligence/Scheduling Impacts:
• Inability to provide basic materials requested in diligence and for schedules
• List of in-licensed software with license and usage for each item
• Open source policy
• Surprises discovered during diligence
• Inability to cleanly make reps
Lead to Additional:
• Diligence, such as a code scan
• Reps and warranties
• Remediation covenants and closing conditions
• Specific indemnities
• Escrows
15. 15
• Shifting landscape of open source license enforcement
• No longer brought for ideological reasons; now commercial
software companies on both sides with hundreds of millions at risk
• Recent cases with much in common:
Why Should You Care About This?:
It’s Not Theoretical Anymore: Recent Litigation
Continuent v. Tekelec
• Filed: July 2013
• Likely Settled: February 2014
• Licensing Model: Dual Commercial & GPL
• Claims: GPL violations, copyright infringement, etc.
• Alleged Damages: "All profits"
• Remediation: Appeared trivial
• Transaction: Oracle bought Tekelec prior to suit
XimpleWare v. Versata Software
• Filed: November 2013
• Likely Settled: February 2015
• Licensing Model: Dual Commercial & GPL
• Claims: GPL violations, copyright infringement, etc.
• Alleged Damages: In excess of $150MM for the copyright suit
• Remediation: Patch released in 2 weeks
• Transaction: Trilogy bought Versata prior to suit
16. 16
C. Impact on Due Diligence and Schedules
• Diligence Requests
• Requests for Policies and Procedures
• Typical Scheduling Requirements
17. 17
• Conduct a review of third party in-licensed software
• Initial step is to request list of in-licensed software, with license and usage for each component
• Time to provide the list is important
Impact on Due Diligence and Schedules:
Diligence Requests
18. 18
• Request third party in-licensed software policy (or lack thereof)
• Quickly learn a great deal about a company’s business, legal and engineering practices
• Date implemented
• Written
• Approval process
• Documentation function
• Mechanism for on-going compliance
Impact on Due Diligence and Schedules:
Requests for Policies and Procedures
19. 19
Identify All In-Licensed Software Components
• Incorporated, embedded or integrated
• Used to offer any Company product/technology
• Sold with any Company product/technology
• Otherwise distributed by Company
• Used or held for use by Company, including use for development, maintenance, support and testing
Impact on Due Diligence and Schedules:
Typical Scheduling Requirements
20. 20
Impact on Due Diligence and Schedules:
Typical Scheduling Requirements
Information for Each Component:
• Applicable versions
• Applicable license agreement
• How incorporated, embedded or integrated
• How used internally
• How distributed or bundled; distinguish source and binary
• Linking
• How modified
• How hosted; allow others to host
• Relevant Company products/technologies
• Payment obligations
• Audit rights
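An added example, not part of the original deck: one way to hold the per-component schedule described above as structured data and triage it into red, yellow and green flags before a buyer asks for it. The field names, the sample components (constructed) and the short list of licenses that trigger review are assumptions of this sketch; counsel decides the real criteria.

```python
from dataclasses import dataclass

# Schedule fields taken from the "Information for Each Component" list.
REQUIRED = ("version", "license", "usage", "distribution", "products")
# Assumption: licenses sent to legal review when shipped inside a product.
REVIEW_IF_SHIPPED = {"GPL-2.0", "GPL-3.0"}

@dataclass
class Component:
    name: str
    version: str = ""
    license: str = ""
    usage: str = ""         # embedded | linked | internal-dev | hosted
    distribution: str = ""  # source | binary | none
    modified: bool = False
    products: tuple = ()

def triage(c):
    """Return (level, reasons) for one schedule row."""
    red, yellow = [], []
    for f in REQUIRED:
        if not getattr(c, f):
            # An unidentified license blocks every license-related rep.
            (red if f == "license" else yellow).append(f"missing {f}")
    shipped = c.distribution in ("source", "binary")
    if c.license in REVIEW_IF_SHIPPED and shipped and c.usage in ("embedded", "linked"):
        red.append(f"{c.license} code {c.usage} in a distributed product")
    if c.modified and shipped:
        yellow.append("modified and distributed: document the changes")
    level = "red" if red else "yellow" if yellow else "green"
    return level, red + yellow

# Constructed sample inventory (hypothetical component and product names).
INVENTORY = [
    Component("libexample-xml", "1.4.2", "GPL-2.0", "linked", "binary", False, ("Gateway",)),
    Component("fastjson-sample", "", "MIT", "embedded", "binary", False, ("Gateway",)),
    Component("build-helper", "3.1", "", "internal-dev", "none", False, ("Gateway",)),
    Component("ui-widgets-sample", "2.0", "BSD-3-Clause", "embedded", "source", False, ("Portal",)),
]

def report(inventory):
    return {c.name: triage(c) for c in inventory}

if __name__ == "__main__":
    for name, (level, reasons) in report(INVENTORY).items():
        print(f"{level:6} {name}: {'; '.join(reasons) or 'complete'}")
```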
21. 21
List of Contracts Pursuant to Which:
• Company has agreed to create or maintain interoperability or compatibility with any third party software/technology
• Company has the right to access any software as a service, platform as a service, infrastructure as a service, cloud service or similar service
• Company has the right to access, link to or otherwise use data or content
Impact on Due Diligence and Schedules:
Typical Scheduling Requirements
22. 22
Exceptions:
• Generally available commercial off-the-shelf software with value of less than $1000-$5000
• Fourth party code; without knowledge
• Internal use only, non-development related software (e.g. CRM, HR and accounting software); may be covered elsewhere
• In-licensed software incorporated into office equipment or other equipment/products purchased or leased
Impact on Due Diligence and Schedules:
Typical Scheduling Requirements
23. 23
D. Impact on Deal Terms and Definitive Agreement
• Reps and Warranties
• Covenants and Closing Conditions
• Specific Indemnities
• Additional Escrows
24. 24
Except as scheduled, Company has not:
• Incorporated third party software into, or combined third party software with, any Company product/technology
• Distributed or modified any third party software in conjunction with or for use with any Company product/technology
Impact on Deal Terms and Definitive Agreement:
Reps and Warranties
25. 25
Impact on Deal Terms and Definitive Agreement:
Reps and Warranties
Company has not accessed, used, distributed, hosted or modified any third party software in such a manner as to:
• Require disclosure or distribution of any Company product/technology in source code form
• Require the licensing of any Company product/technology for the purpose of making derivative works/modifications
• Grant the right to decompile, reverse engineer or otherwise derive the source of any Company product/technology
• Require distribution of any Company product/technology at no charge or with limited usage restrictions
• Limit in any manner the ability to charge fees or seek compensation in respect of any Company product/technology
• Place any limitation on the right of the Company to use, host or distribute any Company product/technology
26. 26
The Company:
• Has no plans to do any of the foregoing
• Is in compliance [in all material respects] with the licenses
• Has not been subjected to an audit, nor received any notice of intent to conduct any such audit
• Has no payment obligations, except as scheduled
Impact on Deal Terms and Definitive Agreement:
Reps and Warranties
27. 27
• Commercially reasonable or best efforts covenant
• Actual closing condition
• Typically remediation focused:
• Code remediation
• Legal remediation
Impact on Deal Terms and Definitive Agreement:
Covenants and Closing Conditions
28. 28
• Specific indemnities
• At a minimum for errors/omissions and breaches/non-compliance with in-licensed software related reps
• In respect of certain agreements, licensors and components
• Often included in IP indemnity and pushes amount higher
• Additional escrows
• Set aside for specific issues and to back-stop specific indemnities
• Often included in general transaction escrow and pushes amount higher
Impact on Deal Terms and Definitive Agreement:
Specific Indemnities and Escrows
29. 29
E. What Should You Be Doing Now?
• Best Practices
• Sell-Side: Seller/Investee
• Buy-Side: Buyer/Investor
30. 30
What Should You Be Doing Now?:
Best Practices
• Have a plan to identify, quantify and mitigate third party software-related risks
• Conduct periodic in-licensed software audits and code scans
• Develop written policies and procedures for using and releasing open source
• Implement for both internal code and transactions
• Include appropriate protections in contracts:
• Reps and warranties
• Indemnification
• Schedules of in-licensed software
• Rights to complete code scans
31. 31
• Conduct an in-licensed software audit/code scan now
• Identify
• Analyze
• Plan/Remediate
• Put in place a written in-licensed/third party software policy
• Review compliance
• Prepare for diligence
• Consider industry practices
• Know your likely buyer/investor
• Address the red and yellow flags
What Should You Be Doing Now?:
Sell-Side: Seller/Investee
32. 32
• Develop a game plan
• Timing is critical
• Kick-off diligence process early
• Prioritization is key
• Update due diligence request lists
• Update reps and warranties
• Develop policies regarding acceptable third party software usage
What Should You Be Doing Now?:
Buy-Side: Buyer/Investor
35. 35
Final Thoughts:
Use of open source software is unavoidable and can have a major impact on a transaction
• Often insufficient to rely on reps alone
• The more you look the more you find
• Almost impossible to undo the impact of poor practices
• A little can go a long way