The Role of OSINT and Intelligence Disciplines in Supplier and Third-Party Due Diligence

The Coalition of Cyber Investigators explores how leveraging OSINT can elevate the quality of due diligence, transforming it from a sunk cost into a strategic value driver.

Paul Wright & Neal Ysart

12/2/2024 | 6 min read


Introduction

Supplier and third-party due diligence are pivotal in minimising risks to reputation, regulatory compliance, and financial health. However, the depth of due diligence performed varies widely. Most companies perform only limited due diligence, and mainly on customers, yet they also need to understand the risks posed by other third parties such as suppliers, agents, and service providers. This article explores how open-source intelligence (OSINT) and related intelligence disciplines, such as Human Intelligence (HUMINT), can significantly enhance the quality of due diligence and make it a value-adding activity rather than a sunk cost. It focuses on three significant areas of risk: economic sanctions, conflicts of interest, and environmental, social, and governance (ESG) compliance.

The Importance of Due Diligence

Effective due diligence helps organisations identify, mitigate, and manage the risks of third-party relationships, but when poorly performed, it can expose companies to legal, financial, and reputational risks. This is one of the key reasons why OSINT and HUMINT can be valuable tools in risk management.

OSINT exploits publicly available information to uncover essential insights; HUMINT adds depth and context through intelligence collected directly from human sources. Together they help organisations go beyond surface-level evaluations to identify deeper and often hidden risks.

Key Risk Areas

1. Economic and Trade Sanctions

Economic sanctions remain a central risk in global supply chains. Sanctioned entities can include individuals, companies, and even countries, and violations can lead to severe penalties. For instance, the United States (US) Office of Foreign Assets Control (OFAC) has levied fines totalling billions of dollars[1] in the past decade against companies violating sanctions[2]. Complying with economic and trade sanctions requirements is complex and requires significant effort from companies to avoid violations. Given current global geopolitical tensions, sanctions are continually being imposed; they can be introduced at any stage, often without warning, and frequently apply with immediate effect. Access to the latest information and intelligence is therefore essential if companies are to minimise the risk of a sanctions violation. At a minimum, OSINT techniques could be deployed to:

  • Track changes in ownership or affiliation to identify connections with sanctioned entities.

  • Monitor international watchlists and export control databases, such as OFAC’s Specially Designated Nationals (SDN) List[3] and the European Union (EU) Sanctions Map[4].

  • Generate alerts when newly imposed sanctions or changes in regulatory frameworks are identified.

Combined with commercial compliance tools, OSINT can help businesses identify risks and remain compliant with emerging sanctions requirements by adding a layer of insight, which may often be unavailable to commercial tool providers.
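The watchlist monitoring and change alerts described above, together with the name screening and event-driven refresh recommended later under Strengthening Due Diligence Practices, can be sketched in code. The following is an added example, not code from the article or its authors: the list snapshots, names and programme labels are constructed and use a simplified structure, not the real OFAC SDN file format, and the 0.85 similarity threshold is an assumed tuning value.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed snapshots of a sanctions-style list: list id -> (primary name, aliases, programme).
# Illustrative entries in a simplified structure, not the real OFAC SDN file format.
LIST_T0 = {
    "1001": ("Example Trading FZE", ["EXAMPLE TRADING FZCO"], "PROGRAM-A"),
    "1002": ("Ivan Petrovich Ivanov", ["Ivanoff, Ivan"], "PROGRAM-B"),
}
LIST_T1 = {**LIST_T0, "1003": ("Northern Star Shipping Ltd.", ["NORTH STAR SHIPPING"], "PROGRAM-A")}

# Corporate suffixes that carry no identifying value for screening purposes.
SUFFIXES = r"\b(ltd|limited|llc|inc|fze|fzco|co|company|gmbh)\b"

def normalize(name: str) -> str:
    """Fold accents, case, punctuation, corporate suffixes and token order so spelling
    variants ('Ivanoff, Ivan' vs 'Ivan Ivanoff', 'F.Z.E.' vs 'FZE') compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"[.']", "", s)               # drop dots/apostrophes without splitting tokens
    s = re.sub(r"[^a-z0-9]+", " ", s)        # everything else becomes a token separator
    s = re.sub(SUFFIXES, " ", s)
    return " ".join(sorted(s.split()))

def screen(counterparty: str, watchlist: dict, threshold: float = 0.85) -> list:
    """Fuzzy name screening: returns (list id, matched name, score) for every primary
    name or alias whose similarity to the counterparty meets the threshold."""
    q = normalize(counterparty)
    hits = []
    for lid, (primary, aliases, _programme) in watchlist.items():
        for candidate in [primary, *aliases]:
            score = SequenceMatcher(None, q, normalize(candidate)).ratio()
            if score >= threshold:
                hits.append((lid, candidate, round(score, 2)))
    return hits

def diff_lists(old: dict, new: dict) -> tuple:
    """Change detection between two snapshots: (ids added, ids removed)."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def alerts_for_roster(roster: list, old: dict, new: dict, threshold: float = 0.85) -> dict:
    """Event-driven re-screen: which suppliers match entries added since the last snapshot?"""
    added, _removed = diff_lists(old, new)
    subset = {lid: new[lid] for lid in added}
    alerts = {}
    for supplier in roster:
        hits = screen(supplier, subset, threshold)
        if hits:
            alerts[supplier] = hits
    return alerts
```

Screening "Ivan Ivanov" against the second snapshot produces a fuzzy hit on the alias "Ivanoff, Ivan" but not on the longer primary name, which is the kind of transliteration variance a purely exact-match blacklist check misses.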

2. Conflicts of Interest

Conflicts of interest within supply chains are a significant source of corruption, fraud, and bribery risk in the global economy. Indeed, in most relational or kinship-based business cultures worldwide, undeclared private relationships between company representatives and suppliers can seriously compromise ethical practices and transparency. These hidden links can result in corrupt practices such as unfair contract awards, unjustified cost increases, or poor-quality work, jeopardising fair competition and project integrity.

However, OSINT techniques can be applied to help identify undisclosed personal or professional connections. For example, media analysis may reveal social interactions, business partnerships, or shared histories between key individuals that do not appear in official documentation[5]. Equally important are public records investigations, which allow an investigator to confirm ownership structures, cross-reference board memberships, and identify potential conflicts of interest that could compromise procurement processes. These and other methods help ensure transparency and reduce the risk of corrupt collusion in procurement and supply chain processes.

HUMINT also plays a significant role in identifying conflicts of interest, especially in regions with limited or unreliable digital records. Field investigations and interviews with local contacts can provide invaluable insights into the intricate relationships that often characterise business environments in certain cultures. Gathering intelligence on the ground in this way can uncover informal alliances, historical ties, or cultural obligations that may influence business decisions in ways not readily evident through document-based investigations alone. Local knowledge derived from HUMINT sources can often be a compliance professional’s secret weapon.

By combining OSINT and HUMINT approaches, companies can better understand potential conflicts of interest, thus enabling them to implement more effective risk mitigation strategies and maintain the integrity of their supply chains.

3. Environmental, Social, and Governance (ESG) Compliance

As stakeholders demand greater business accountability, ESG compliance has become increasingly critical. ESG-related supply chain risks include environmental hazards, such as deforestation or pollution; social risks, including forced labour, human rights abuses, and poor workplace conditions; and lapses in governance, including a weak anti-corruption framework and a lack of board-level oversight of ethical business behaviour. Failure to manage these ESG issues can lead to severe repercussions, including regulatory penalties, reputational damage, and even loss of investor confidence.

However, companies can use OSINT, HUMINT and other intelligence disciplines to help mitigate such risks. OSINT techniques include monitoring adverse media coverage and non-governmental organisation (NGO) reports[6] about suppliers, analysing sustainability disclosures against industry benchmarks, and gauging public sentiment through social media and forums. Complementing these efforts, HUMINT provides critical ground-level intelligence, such as employee interviews that help verify compliance claims and uncover potential unethical practices not apparent in publicly available sources. Intelligence feeds of this nature can act as an early warning system, helping companies understand the ESG risks in their supply chain and take proactive measures against any issues they identify before they escalate.

Strengthening Due Diligence Practices

To enhance supplier and third-party risk management, organisations should adopt the following strategies:

1. Conduct Comprehensive Due Diligence:

a. Conduct in-depth risk assessments of suppliers, incorporating OSINT and HUMINT techniques to help identify hidden vulnerabilities. The risk assessment should be refreshed both periodically and in response to events.

b. Ensure access to timely intelligence to identify changes in circumstances or status of third parties. This should include adverse media screening, beneficial owner review and comprehensive name screening against blacklists.

c. Consider the overall risk profile of key suppliers and identify measures that will enable the business to continue operating if a key supplier suddenly becomes subject to sanctions and trading with it is prohibited.

d. Require employees to self-declare any potential conflicts of interest annually. This self-certification process should be mandatory in company policies, codes of conduct, and employment contracts. OSINT and HUMINT can often identify irregularities in the self-certification process.

2. Leverage Technology:

a. Invest in technology platforms that can help automate due diligence processes, provide alerts when risk thresholds are breached, and provide continuous monitoring to detect changes in supplier risk profiles, such as adverse media reports, regulatory violations, or changes in financial health.

b. An alternative to investing in in-house technology solutions is to consider a third-party-managed service and outsource the work to an organisation specialising in delivering regulatory compliance services at scale.

3. Build Capacity:

a. Invest in training programs to enhance the analytical capabilities of due diligence teams, enabling them to interpret intelligence better and act on findings.

b. Ensure that OSINT and HUMINT expertise is embedded into the due diligence process, providing a more insightful edge to risk assessments on third parties.

Conclusion

Organisations can better understand third-party risks by integrating OSINT, HUMINT and other intelligence disciplines into their due diligence frameworks. This proactive approach helps minimise the likelihood of legal or regulatory breaches and strengthens overall business resilience. As global supply chains grow more complex, leveraging intelligence disciplines is no longer optional; it is a cornerstone of well-informed risk management. The ability to identify real-time intelligence and act upon it will determine whether organisations can anticipate disruptions, avoid significant regulatory penalties, and maintain a competitive advantage over those companies that have yet to recognise the benefits of intelligence-led due diligence.

Authored by: The Coalition of Cyber Investigators

Paul Wright (United Kingdom) & Neal Ysart (Philippines)

© 2024 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; and

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader.

With over 80 years of combined hands-on experience, Paul and Neal remain actively engaged in their field.

They established the Coalition to provide a platform to collaborate and share their expertise and analysis of topical issues in the converging domains of investigations, digital forensics and OSINT. Recognising that this convergence has created grey areas around critical topics, including the admissibility of evidence, process integrity, ethics, contextual analysis and validation, the Coalition is Paul and Neal’s way of contributing to a discussion that is essential if the unresolved issues around OSINT-derived evidence are to be addressed effectively. Please feel free to share this article and contribute your views.

[1] Office of Foreign Assets Control, U.S. Department of the Treasury. (n.d.). Home. https://ofac.treasury.gov/ (Accessed November 28, 2024)

[2] Transparency International. (2020, May 12). Global Corruption Report 2005: Corruption in construction and post-conflict reconstruction - Publications. Transparency.org. https://www.transparency.org/en/publications/global-corruption-report-2005-corruption-in-construction-and-post-conflict/ (Accessed November 28, 2024)

[3] OFAC - Sanctions List Service. (n.d.). https://sanctionslist.ofac.treas.gov/Home/SdnList (Accessed November 28, 2024)

[4] EU Sanctions Map. (n.d.). https://www.sanctionsmap.eu/#/main (Accessed November 28, 2024)

[5] Fiorella, G. (2022, August 31). First Steps to Getting Started in Open Source Research - bellingcat. Bellingcat. https://www.bellingcat.com/resources/2021/11/09/first-steps-to-getting-started-in-open-source-research/ (Accessed November 28, 2024)

[6] NGO Guide. (2023, June 12). The importance of annual reports for NGOs: A Comprehensive Annual Report Guide (Part 2). https://www.ngoguide.net/post/the-importance-of-annual-reports-for-ngos-a-comprehensive-annual-report-guide-part-2 (Accessed November 28, 2024)