Don't Let Open Source be the Deal Breaker In Your M&A
black-duck-software
Don't Let Open Source be the Deal Breaker in Your M&A Deal
2
Overview
A. Background: Casting the Net
B. Why Should You Care About This?
C. Impact on Due Diligence and Schedules
D. Impact on Deal Terms and Definitive Agreement
E. What Should You Be Doing Now?
F. Final Thoughts
3
A. Background: Casting the Net
• Software+ • Transactions • Business Models • Inadvertent Software Companies
4
Background - Casting the Net: Software+
• More than just open source software
• Typically any third party in-licensed software
• Commercial, freeware and open source
• In any form: Object code, binary code, source code, firmware, microcode, drivers, libraries, routines and subroutines
• Extends to: APIs, SDKs, protocols, specifications and interface definitions
• Not just embedded, but also for development and internal use
• Covers inbound SaaS offerings
• Sometimes applies to:
  - Hardware
  - Data
  - Inbound content
Really any in-licensed software/service (or more) for developing, maintaining, supporting and offering your products and services
5
• Applies to all sorts of transactions • Mergers & Acquisitions
• Divestitures
• Financings, including VC/PE investments
• Loans
• IPOs
• Customer agreements
Background - Casting the Net: Transactions
6
• Applies to all sorts of business models
• Traditional distributed
• Hosting • SaaS • PaaS • IaaS
• Internal use • In support of professional services
Background - Casting the Net: Business Models
7
EVERYONE
Automotive
Retail
Healthcare
Software
Infrastructure
Banking & Financial Services
Internet of Things
Mobile
Background - Casting the Net: Software is Everywhere…
8
Background - Casting the Net: Even Where You Don’t Expect It…Inadvertent Software Companies
Agriculture Banks and Financial Services
Automotive
Design/Custom Products - 3D printing
- DNA sequences
Hardware - Medical Devices
- Lab and Diagnostics Equipment
- POS terminal/bar code reader
Content Provider
- Media Companies
- Publishing Companies
- Universities
Consumer Products
- TVs - Internet of Things
- Wearables - Toys
- Greeting Cards - Locks
Mobile Apps; SaaS Platforms; Code on the devices Distributing and/or Hosting Code
9
B. Why Should You Care About This?
• The Underlying Risks • Licensing and Compliance Risk • Security Risk • Business and Operational Risk • Remediation Risk
• Overall Impacts on the Deal • It’s Not Theoretical Anymore: Recent Litigation
10
Why Should You Care About This?: The Underlying Risks - Licensing and Compliance Risk
• Use beyond scope of license
• Breach of licenses; automatic termination since no materiality
• Copyright infringement
• ‘Viral’ infection of proprietary code
• Automatic grant of licenses to certain of your patents
• Defensive patent termination rights
• Transfer/assignment/change-of-control issues
• Under-licensing; not enough seats/licenses
• Combinations of components under incompatible licenses
• Notice and attribution non-compliance
• Failure to comply with licenses for “fourth party” components
11
Why Should You Care About This?: The Underlying Risks - Security Risk
• Avoid unknowingly using third party software with known security vulnerabilities
• Any vulnerabilities associated with the components?
  - Which components?
  - What are the vulnerabilities?
  - Any patches available?
• May have more vulnerabilities since the source code is available or fewer vulnerabilities since more people are looking
12
Why Should You Care About This?: The Underlying Risks - Business and Operational Risk
• Dependence on code from competitor/hostile party
• Think ahead to integration and running the business or things can become very difficult
• Changing the offering model • Standardizing on certain components
• May be expensive or impossible to collect the key information later
13
Why Should You Care About This?: The Underlying Risks - Remediation Risk
Code Remediation
• Removing, rewriting or replacing code
• Costs: Engineering, time
Legal Remediation
• Amending/terminating agreements, seeking clarifications, seeking waivers of past liability, re-licensing components and obtaining new licenses
• Often hard to remedy past non-compliance
• Costs: Legal, time, fees to licensors
Risk Mitigation/Allocation
• Additional representations and warranties
• Remediation-focused closing conditions and best efforts covenants
• Specific indemnities • Additional escrows
14
Why Should You Care About This?: Overall Impacts on the Deal
Macro Impacts:
• Delay
  - Signing
  - Closing
• Reduce Price
  - By expected cost of remediation
  - By estimate of past non-compliance
  - Plus a premium for the unknown
• Deal certainty
  - Due to conditions
  - Dependence on third parties
• Kill the deal
• Upset the build vs. buy decision
Diligence/Scheduling Impacts:
• Inability to provide basic materials requested in diligence and for schedules
  - List of in-licensed software with license and usage for each item
  - Open source policy
• Surprises discovered during diligence
• Inability to cleanly make reps
Lead to Additional:
• Diligence, such as a code scan
• Reps and warranties
• Remediation covenants and closing conditions
• Specific indemnities
• Escrows
15
Why Should You Care About This?: It’s Not Theoretical Anymore: Recent Litigation
• Shifting landscape of open source license enforcement
• No longer brought for ideological reasons; now commercial software companies on both sides with hundreds of millions at risk
• Recent cases with much in common:
Continuent v. Tekelec
  - Filed: July 2013
  - Likely Settled: February 2014
  - Licensing Model: Dual Commercial & GPL
  - Claims: GPL violations, copyright infringement, etc.
  - Alleged Damages: "All profits"
  - Remediation: Appeared trivial
  - Transaction: Oracle bought Tekelec prior to suit
XimpleWare v. Versata Software
  - Filed: November 2013
  - Likely Settled: February 2015
  - Licensing Model: Dual Commercial & GPL
  - Claims: GPL violations, copyright infringement, etc.
  - Alleged Damages: In excess of $150MM for the copyright suit
  - Remediation: Patch released in 2 weeks
  - Transaction: Trilogy bought Versata prior to suit
16
C. Impact on Due Diligence and Schedules
• Diligence Requests • Requests for Policies and Procedures • Typical Scheduling Requirements
17
• Conduct a review of third party in-licensed software
• Initial step is to request list of in-licensed software, with license and usage for each component
• Time to provide the list is important
Impact on Due Diligence and Schedules: Diligence Requests
18
• Request third party in-licensed software policy (or lack thereof)
• Quickly learn a great deal about a company’s business, legal and engineering practices
• Date implemented • Written • Approval process • Documentation function • Mechanism for on-going compliance
Impact on Due Diligence and Schedules: Requests for Policies and Procedures
19
Identify All In-Licensed Software Components
• Incorporated, embedded or integrated
• Used to offer any Company product/technology
• Sold with any Company product/technology
• Otherwise distributed by Company
• Used or held for use by Company, including use for development, maintenance, support and testing
Impact on Due Diligence and Schedules: Typical Scheduling Requirements
20
Impact on Due Diligence and Schedules: Typical Scheduling Requirements
Information for Each Component:
• Applicable versions • Applicable license agreement • How incorporated, embedded or integrated • How used internally • How distributed or bundled; distinguish source and binary • Linking • How modified • How hosted; allow others to host • Relevant Company products/technologies • Payment obligations • Audit rights
21
List of Contracts Pursuant to Which:
• Company has agreed to create or maintain interoperability or compatibility with any third party software/technology
• Company has the right to access any software as a service, platform as a service, infrastructure as a service, cloud service or similar service
• Company has the right to access, link to or otherwise use data or content
Impact on Due Diligence and Schedules: Typical Scheduling Requirements
22
Exceptions:
• Generally available commercial off-the-shelf software with value of less than $1000-$5000
• Fourth party code; without knowledge
• Internal use only, non-development related software (e.g. CRM, HR and accounting software); may be covered elsewhere
• In-licensed software incorporated into office equipment or other equipment/products purchased or leased
Impact on Due Diligence and Schedules: Typical Scheduling Requirements
23
D. Impact on Deal Terms and Definitive Agreement
• Reps and Warranties • Covenants and Closing Conditions • Specific Indemnities • Additional Escrows
24
Except as scheduled, Company has not:
• Incorporated third party software into, or combined third party software with, any Company product/technology
• Distributed or modified any third party software in conjunction with or for use with any Company product/technology
Impact on Deal Terms and Definitive Agreement: Reps and Warranties
25
Impact on Deal Terms and Definitive Agreement: Reps and Warranties
Company has not accessed, used, distributed, hosted or modified any third party software in such a manner as to:
• Require disclosure or distribution of any Company product/technology in source code form
• Require the licensing of any Company product/technology for the purpose of making derivative works/modifications
• Grant the right to decompile, reverse engineer or otherwise derive the source of any Company product/technology
• Require distribution of any Company product/technology at no charge or with limited usage restrictions
• Limit in any manner the ability to charge fees or seek compensation in respect of any Company product/technology
• Place any limitation on the right of the Company to use, host or distribute any Company product/technology
26
The Company:
• Has no plans to do any of the foregoing
• Is in compliance [in all material respects] with the licenses
• Has not been subjected to an audit, nor received any notice of intent to conduct any such audit
• Has no payment obligations, except as scheduled
Impact on Deal Terms and Definitive Agreement: Reps and Warranties
27
• Commercially reasonable or best efforts covenant • Actual closing condition • Typically remediation focused:
• Code remediation • Legal remediation
Impact on Deal Terms and Definitive Agreement: Covenants and Closing Conditions
28
• Specific indemnities
  - At a minimum for errors/omissions and breaches/non-compliance with in-licensed software related reps
  - In respect of certain agreements, licensors and components
  - Often included in IP indemnity and pushes amount higher
• Additional escrows
  - Set aside for specific issues and to back-stop specific indemnities
  - Often included in general transaction escrow and pushes amount higher
Impact on Deal Terms and Definitive Agreement: Specific Indemnities and Escrows
29
E. What Should You Be Doing Now?
• Best Practices • Sell-Side: Seller/Investee • Buy-Side: Buyer/Investor
30
What Should You Be Doing Now?: Best Practices
• Have a plan to identify, quantify and mitigate third party software-related risks
• Conduct periodic in-licensed software audits and code scans
• Develop written policies and procedures for using and releasing open source
• Implement for both internal code and transactions
• Include appropriate protections in contracts:
  - Reps and warranties
  - Indemnification
  - Schedules of in-licensed software
  - Rights to complete code scans
31
• Conduct an in-licensed software audit/code scan now • Identify • Analyze • Plan/Remediate
• Put in place a written in-licensed/third party software policy • Review compliance
• Prepare for diligence • Consider industry practices • Know your likely buyer/investor • Address the red and yellow flags
What Should You Be Doing Now?: Sell-Side: Seller/Investee
32
• Develop a game plan • Timing is critical • Kick-off diligence process early • Prioritization is key
• Update due diligence request lists
• Update reps and warranties
• Develop policies regarding acceptable third party software usage
What Should You Be Doing Now?: Buy-Side: Buyer/Investor
33
F. Final Thoughts
34
Final Thoughts: Protecting and Assessing the Code Base
[Figure: Your Software Application, with labels: Internally Developed Proprietary Code; OSS Community; 3rd Party Commercial Code; Outsourced Code Development]
35
Final Thoughts:
• Use of open source software is unavoidable and can have a major impact on a transaction
• Often insufficient to rely on reps alone
• The more you look the more you find
• Almost impossible to undo the impact of poor practices
• A little can go a long way
36
Anthony Decicco, Member
GTC Law Group
617.314.7892
www.gtclawgroup.com
Thank You