Cybersecurity Due Diligence in M&A: A Practical Guide

Introduction

The deal closes on a Friday. Integration kicks off Monday. By Wednesday, the acquiring team discovers the target company had an undetected breach running for 18 months — and the buyer now owns every bit of that liability.

This scenario isn't hypothetical. It's the pattern behind some of the most expensive M&A mistakes of the past decade.

Most deal teams scrutinize financials, legal exposure, and commercial risk with real discipline. Cyber risk gets a fraction of that attention — yet it can be just as material. A single undisclosed breach can trigger price renegotiation, regulatory scrutiny, and integration delays that erode deal value before the ink dries.

This guide covers the full arc: what cyber due diligence actually involves, how findings should shape deal structure, and what the post-close security work looks like in practice.


TLDR

  • Cyber risk is deal risk — undisclosed breaches and inherited vulnerabilities have forced major price reductions and triggered regulatory enforcement
  • Due diligence should begin before LOI — external attack surface review requires no data room access
  • The highest-risk window is the 90 days after close, when integration opens new attack surfaces
  • Board reporting should answer business questions, not recite a technical vulnerability list
  • Findings should feed directly into deal structure — price adjustments, escrows, or indemnification language

What Is Cybersecurity Due Diligence in M&A?

Cybersecurity due diligence is the structured assessment of a target company's security posture, breach history, technical vulnerabilities, governance gaps, data protection practices, and inherited cyber liabilities — conducted before or during a transaction to inform deal decisions.

The distinction from IT due diligence matters. IT due diligence asks whether systems are functioning; cyber DD asks whether they're secure, compliant, and free of active or historical compromise that the buyer would inherit.

A target's infrastructure can be fully operational and completely compromised at the same time.

What Cyber DD Actually Covers

A structured cyber DD engagement — typically scoped as a three-to-four-week assessment — should examine:

  • Infrastructure and cloud posture — internet-facing assets, misconfigurations, shadow IT
  • Incident and breach history — material security events in the past 24 months, open investigations
  • Identity and access controls — MFA coverage, privileged access, stale accounts, admin sprawl
  • Third-party and vendor risk — critical dependencies, contractual protections, unmonitored SaaS
  • Governance and compliance — security policies, incident response plans, regulatory posture (HIPAA, PCI-DSS, GDPR, SOC 2), and cyber insurance coverage
  • Valuation impact — translating findings into remediation cost estimates and deal structure implications

Figure: six-area cybersecurity due diligence framework for M&A transactions.

A pre-sale security assessment gives sellers the same advantage: it identifies weaknesses before buyer scrutiny begins, reducing diligence friction, supporting valuation, and avoiding last-minute surprises that stall or kill deals.

Why Cyber Risk Is a Deal Risk, Not Just a Technical Problem

When Yahoo disclosed breaches during its Verizon acquisition, Verizon reduced the purchase price by $350 million to $4.48 billion. The SEC later charged Altaba (formerly Yahoo) and imposed a $35 million penalty for failing to disclose the 2014 breach until 2016. The financial damage came from the disclosure failure, not the breach itself.

Deals like these show that cyber risk isn't a technical footnote — it's a valuation, liability, and governance problem.

Marriott's Starwood acquisition is the inherited liability case study every board should know. Marriott acquired Starwood in 2016, but a breach that began around July 2014 wasn't detected until September 2018 — two years after close.

The consequences were substantial. The FTC alleged breaches from 2014 to 2020 affected more than 344 million customers and required Marriott to implement a 20-year security program. Marriott separately agreed to pay $52 million to 49 states and DC.

The Threat Landscape During Live Deals

The deal process itself creates elevated attacker interest. The FBI has assessed that ransomware actors are very likely using significant financial events, including mergers and acquisitions, for targeting and extortion leverage. Attackers search for non-public financial information using deal-specific keywords — knowing that deal teams are under pressure, security controls are often deprioritized, and sensitive documents are being shared across unfamiliar systems.

Cyber due diligence needs to account for what the deal process itself creates, not only what the target already carries.

The Inherited Cyber Debt Problem

When a deal closes, the buyer inherits more than the target's assets. That includes:

  • Unpatched systems and unresolved vulnerabilities
  • Open regulatory inquiries
  • Historical breaches — whether or not they were disclosed
  • Underfunded or deferred security programs

This inherited cyber debt rarely appears on the balance sheet. It shows up in the integration budget.

For boards and audit committees, this makes cyber due diligence a governance obligation. Deal teams should produce a clear risk summary that directors can evaluate and act on — not a technical appendix that gets filed away.


What a Practical Cybersecurity Due Diligence Process Looks Like

Cyber DD operates in two phases: pre-transaction work that informs whether and how to proceed, and post-transaction work that stabilizes and integrates the acquired environment safely.

Pre-Transaction Assessments

External attack surface review can start before the LOI and before any data room access is granted. This work maps internet-exposed assets and identifies vulnerable services, open ports, cloud assets, and shadow IT that the target may not know it has.

Breach assessment reviews logs, endpoint telemetry, and threat intelligence for indicators of active or historical compromise. Targets are often unaware of intrusions that have been running for months.

Governance and compliance review evaluates the target's security policies, incident response plans, risk management frameworks, and regulatory compliance posture across applicable frameworks — HIPAA, PCI-DSS, GDPR, SOC 2, and others depending on the target's industry and geographic footprint. Cyber insurance coverage is reviewed here as well, examining whether it aligns with identified risk exposure.

Cloud and identity security review is where diligence most frequently finds gaps between what a target claims and what's actually deployed. Overstated MFA coverage is one of the most common issues.

Saying "we have MFA" without specifics about who, where, and what type is a red flag. Validation means pulling actual coverage reports for privileged accounts, critical applications, remote access, and email — not accepting a yes/no answer.
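Pulling an actual coverage report is a concrete check, and the following added example (not from the original article) shows what scoring one looks like: it breaks a per-account export down by the scopes named above and flags the gaps that the tiering framework later in this guide treats as Tier 1. It assumes a hypothetical export shape (account name, scope tags, enrolled MFA method or none); the field names and sample accounts are constructed.

```python
# Added example (not from the article): check a "we have MFA" claim against a
# per-account export instead of a yes/no answer. Assumed (hypothetical) export
# shape: account name, the scopes it touches, enrolled MFA method or None.
from dataclasses import dataclass
from typing import Optional

SCOPES = {"privileged": "privileged accounts", "critical-app": "critical applications",
          "remote": "remote access", "email": "email"}   # scopes to validate separately
TIER1_SCOPES = {"privileged", "remote"}  # article: no MFA here is a Tier 1 finding
WEAK_METHODS = {"sms"}                   # phishable factor, counted as partial cover

@dataclass(frozen=True)
class Account:
    user: str
    scopes: frozenset
    mfa: Optional[str]  # "fido2", "totp", "sms", or None if not enrolled

def coverage_by_scope(accounts):
    """Return {scope_tag: (strong, weak, total)} account counts per scope."""
    stats = {tag: [0, 0, 0] for tag in SCOPES}
    for acct in accounts:
        for tag in SCOPES:
            if tag in acct.scopes:
                stats[tag][2] += 1
                if acct.mfa is not None:
                    stats[tag][1 if acct.mfa in WEAK_METHODS else 0] += 1
    return {tag: tuple(v) for tag, v in stats.items()}

def mfa_findings(accounts):
    """Gaps per scope. Tier 1 for privileged/remote accounts with no MFA, per the
    article's framework; other gaps get tier None for the deal team to assign."""
    findings = []
    for tag, (strong, weak, total) in coverage_by_scope(accounts).items():
        missing = sorted(a.user for a in accounts if tag in a.scopes and a.mfa is None)
        weak_users = sorted(a.user for a in accounts
                            if tag in a.scopes and a.mfa in WEAK_METHODS)
        if missing or weak_users:
            findings.append({"scope": SCOPES[tag], "coverage": f"{strong}/{total} strong",
                             "tier": 1 if missing and tag in TIER1_SCOPES else None,
                             "missing": missing, "weak": weak_users})
    return findings

def claim_holds(accounts):
    """True only when no scope carries a Tier 1 gap."""
    return all(f["tier"] != 1 for f in mfa_findings(accounts))

# Constructed sample export, not real data, so the block runs stand-alone.
SAMPLE_EXPORT = [
    Account("alice", frozenset({"privileged", "email"}), "fido2"),
    Account("bob", frozenset({"privileged", "remote"}), None),
    Account("carol", frozenset({"remote", "email"}), "sms"),
    Account("dave", frozenset({"email"}), "totp"),
    Account("svc-backup", frozenset({"critical-app"}), None),
]
```

Run against a real export, the per-scope output is what a diligence memo should quote instead of "MFA: yes".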

The Change Healthcare breach illustrates the stakes. Optum completed its acquisition of Change Healthcare in October 2022. The cyber incident that disrupted healthcare payments across the country occurred February 21, 2024. Senate Finance materials noted that UHG and Change policies required MFA on external-facing applications — a gap between policy and actual deployment that had material consequences.

Post-Transaction Priorities

That kind of policy-reality gap doesn't close on its own. Post-close work shifts from assessment to execution, and the first 45 days follow a structured stabilization plan:

  • Days 1–7: Crown jewels mapping, top 10 risk list, interim access and change policies, single incident reporting path, immediate lockdown of admin accounts and stale credentials
  • Days 8–21: SSO direction defined, EDR coverage established, email protections tightened, each top risk assigned a named owner with a decision on accept/transfer/fix
  • Days 22–45: Logging minimums set, incident response runbooks aligned across both organizations, tabletop exercise conducted, vendor and SaaS review completed

Figure: 45-day post-close cybersecurity stabilization plan timeline, three phases.

By day 45, the board receives a one-page risk brief, an integration scorecard, and a 90-day backlog with owners and measurable outcomes.

Interim CISO support fits naturally here: executive-level security leadership embedded in the integration from day one, without the 4–6 month lag of a permanent search.


The Cyber Risks Most Likely to Come With the Deal

Certain risk categories appear consistently across M&A targets. Deal teams should treat these as presumptive until proven otherwise:

  • Active or historical breaches — undisclosed incidents that become the buyer's problem at close
  • Weak identity and access controls — no MFA on remote access, stale accounts, over-privileged users, shared admin credentials
  • Cloud and SaaS misconfigurations — overpermissioned IAM roles, unmonitored admin access, inadequate logging
  • Ransomware exposure — unpatched systems, missing endpoint detection, no tested backup restore capability
  • Third-party and supply chain vulnerabilities — vendor relationships, open-source dependencies, and software build pipelines inherited without review

The Supply Chain Inheritance Problem

When a deal closes, buyers inherit the target's entire vendor ecosystem — every third-party relationship, open-source dependency, and software pipeline risk included.

The MOVEit/Cl0p campaign shows what that exposure looks like at scale. CISA confirmed Cl0p exploited a SQL injection vulnerability in MOVEit Transfer, and by August 2023 the attack had compromised data at more than 600 organizations and affected nearly 40 million individuals. Companies that relied on vendors using MOVEit inherited exposure they never vetted. Acquirers face the same risk — and in M&A, there's rarely time after close to find out what the target's vendors were running.


Figure: M&A inherited cyber risk categories, supply chain and vendor exposure breakdown.

How Cyber Findings Should Shape Board and Deal Decisions

The purpose of cyber due diligence is not to produce a technical report. It's to answer business questions: Does this finding change what we should pay? Does it require a closing condition? Does it need indemnification language? Can we manage it post-close, and at what cost?

Categorizing Findings by Deal Impact

A practical three-tier framework:

Tier 1 — Requires immediate action before close:

  • Active compromise or indicators of undetected intrusion
  • Exposed sensitive customer or regulated data with no containment
  • No MFA on remote access or admin accounts

Tier 2 — Closing conditions or price adjustments:

  • Critical unpatched vulnerabilities across production systems
  • Major compliance gaps in regulated frameworks (HIPAA, PCI-DSS)
  • Undisclosed material security incidents in the past 24 months

Tier 3 — 90-day post-close remediation plan:

  • Governance gaps addressable through policy and training
  • Cloud misconfigurations without active exploitation
  • Incomplete logging or detection coverage

This categorization shapes deal structure directly. Tier 1 findings may stop or pause the deal. Tier 2 findings feed into holdbacks, purchase price adjustments, escrow arrangements, or representations and warranties. Tier 3 findings become the integration security backlog.

What Board-Level Reporting Should Look Like

Directors don't need a vulnerability list. They need plain-language answers to specific questions:

  • What are the top inherited risks and their business impact?
  • What does remediation cost, in ranges rather than exact figures?
  • What regulatory exposure exists and what's the enforcement risk?
  • What decisions does the board need to make today?

A board red-flag memo in an M&A context translates findings into business disruption language. Instead of "identity controls are weak in the cloud admin layer," the board version reads: "A compromised admin account could disrupt core systems and increase legal exposure if sensitive data is touched."

Figure: three-tier M&A cyber findings classification framework, deal impact and board reporting.

That translation matters most in regulated industries — healthcare, financial services, retail — where the reporting carries direct legal weight. The FTC's action against Marriott established that acquirers inherit responsibility for the security practices of companies they buy. The SEC's 2023 cybersecurity disclosure rules require public companies to disclose material incidents within four business days of materiality determination and to report on board oversight of cyber risk.

Regulators increasingly expect evidence that cyber risk was genuinely assessed during deal-making, not just disclosed after the fact.

Decision rights and escalation thresholds must be established before close. Document the answers to these questions in writing — not improvised during an incident:

  • Who approves remediation spend?
  • Who determines when a finding is material enough to renegotiate?
  • What's the escalation path if a breach is discovered post-close?

Post-Close: Stabilizing the Security Posture After the Deal

The 90 days after close are the highest-risk window in any acquisition. Integration opens new attack surfaces. Identity systems are in flux. The combined organization often lacks unified visibility into threats. Attackers know this, and they time campaigns accordingly.

Core post-close priorities:

  • Establish shared logging standards, detection coverage, and patching SLAs across both environments
  • Define SSO direction, remove stale accounts, and document privileged access across the combined entity
  • Track Tier 1 and Tier 2 findings from pre-close assessments to completion, with named owners and target dates
  • Consolidate incident response into a single process covering the combined entity, with defined escalation paths and communication owners

Organizations that skip structured post-close security work tend to discover the risks they missed during diligence at the worst possible time — mid-incident, with two organizations still operating on separate systems and separate teams.

Interim CISO support during this window fills the leadership gap before a permanent hire is possible. The engagement embeds executive-level security leadership with the acquiring organization, triages inherited risk, establishes integration guardrails, and produces a board-ready roadmap. That work starts in days, not the four to six months a permanent search typically takes.


Frequently Asked Questions

What is cybersecurity due diligence in M&A?

It's the structured assessment of a target company's security posture, breach history, technical vulnerabilities, compliance gaps, and inherited cyber liabilities conducted before or during a transaction. The goal is to protect deal value and give boards and deal teams the information they need to make informed decisions about price, structure, and integration.

When should cybersecurity due diligence begin in the M&A process?

As early as the deal allows. External attack surface review can start before LOI without data room access. Deeper work — including breach assessment, cloud and identity review, governance analysis, and compliance evaluation — expands during formal diligence. Starting late compresses the window for findings to influence deal structure.

What are the biggest cybersecurity red flags in an M&A target?

Active compromise or indicators of undetected intrusion, missing MFA on remote access and admin accounts, unknown internet-exposed assets, weak cloud IAM permissions, short or missing log retention, unresolved critical vulnerabilities, and sensitive data exposure without containment. Any combination of these warrants immediate deal-team attention.

How do cybersecurity findings affect deal valuation or terms?

Material findings typically lead to price reductions, closing conditions requiring pre-close remediation, escrow arrangements, indemnification clauses, or representations and warranties tied to specific vulnerabilities. The Verizon/Yahoo deal — where Yahoo's disclosed breaches resulted in a $350 million price reduction — remains the clearest public example of cyber risk directly repricing a transaction.

Does the sell side also need cybersecurity due diligence?

Yes. Sellers who conduct a pre-sale security assessment identify and remediate weaknesses before buyer scrutiny begins. This reduces friction during diligence, supports stronger valuation arguments, and prevents last-minute deal disruption from findings the seller was unaware of — a common and avoidable source of deal delay.

What should happen to cybersecurity after the deal closes?

Post-close priorities should include:

  • Validating remediation of critical diligence findings
  • Unifying identity and access controls across both organizations
  • Establishing a combined incident response plan
  • Delivering a 90-day security roadmap with named owners and measurable outcomes

The first 45 days carry the highest risk and require structured execution, not improvisation.