Cyber Due Diligence in M&A: What CISOs Need to Assess Before the Deal Closes
Mergers and acquisitions carry hidden cyber risk that traditional financial due diligence doesn't capture. This brief covers what CISOs must assess before signing, the regulatory obligations that transfer with an acquisition, and how to structure post-merger security integration.
Acquisitions are one of the most efficient ways to inherit a serious cyber problem. The target company’s security posture has typically developed under different risk appetite, different budget constraints, and different leadership priorities — and once the deal closes, every one of their vulnerabilities becomes yours. The time to find that out is during due diligence, not when a ransomware group announces they’ve been inside the acquired network for fourteen months.
The 2016 Verizon-Yahoo acquisition remains the defining cautionary tale: a $350 million reduction in purchase price following the disclosure of two previously undisclosed breaches affecting over three billion accounts. That kind of discovery no longer surprises sophisticated acquirers. What surprises them is finding it after close.
What You’re Actually Assessing
Cyber due diligence in M&A has two distinct phases with different access levels and objectives.
Pre-signing (limited access): You’re working from documentation, questionnaires, and publicly available information. The goal is identifying red flags that affect deal valuation or structure — material vulnerabilities, known incidents, regulatory exposure, significant remediation costs — not a full security audit.
Post-signing, pre-close (deeper access): With appropriate NDAs and data handling agreements in place, you can access technical environments, review architecture, run scanning tools, and interview security staff. This is where material cyber findings can still affect deal terms, price adjustments, or representations and warranties insurance.
The Pre-Signing Assessment Framework
The starting point is a structured questionnaire covering seven domains:
1. Known incidents and breach history. Ask specifically about incidents in the past five years, including those that didn’t trigger notification obligations. Many organisations have detected and contained incidents without customer notification — those are still material to an acquirer. Look for patterns: repeated successful phishing campaigns, recurrent ransomware infections, or unresolved APT activity are different in character from a single isolated incident.
2. Regulatory exposure. What personal data do they hold, under which jurisdictions? An EU-facing business with poor data processing records may carry undisclosed GDPR exposure. A target operating in NIS2-regulated sectors (energy, transport, healthcare, financial infrastructure) carries additional obligations you’ll inherit. In the US, any publicly listed target is subject to SEC cyber disclosure rules — check their filings for material cyber disclosures.
3. Critical third-party dependencies. Who has administrative access to their environment? Legacy MSPs with broad network access, cloud providers, and outsourced development teams represent attack surface you’re inheriting alongside the business. The SolarWinds supply chain compromise affected acquiring companies that inherited compromised network management tooling in their targets.
4. Identity and access posture. How many accounts have administrative privileges? Is MFA enforced? Are there shared credentials, dormant accounts, or service accounts with overly broad permissions? Active Directory misconfigurations transfer intact through an acquisition.
5. End-of-life and unsupported systems. Technology debt that a smaller organisation has tolerated may be unacceptable post-acquisition, particularly if the target will be integrated into a network hosting sensitive data. Enumerate unsupported OS versions, EOL application servers, and unpatched network devices.
6. Cyber insurance coverage and claims history. Review existing policy terms, coverage limits, and any claims in the past three years. A target with frequent claims or coverage exclusions for certain attack types tells you something about their risk profile.
7. Security staffing and programme maturity. A two-person security team managing a 500-person SaaS company has accepted risk differently than a company with a mature security organisation. Staff turnover in the security team in the six months before acquisition is a specific flag — knowledge walks out the door with people.
Red Flags That Should Affect Deal Structure
Certain findings warrant immediate escalation to deal leads rather than a note in the findings report:
- Evidence of an active or recent uncontained intrusion — the acquired company may be compromised at the moment of signing
- Undisclosed regulatory investigations related to data handling
- Significant PCI DSS non-compliance in a business where payment cards are the core revenue mechanism
- Third-party code in the product stack with a supply chain compromise history (specific to software acquisitions)
- Material exposure in a sector where NIS2 or DORA imposes incident notification obligations you’ll inherit
These can justify price renegotiation, escrow provisions, or specific representations and warranties that obligate the seller to cover remediation costs for pre-close issues.
Post-Close Integration: The 90-Day Window
The most dangerous period in an acquisition is the integration phase, when network trust boundaries are being collapsed and systems are being connected before security policies are aligned. The 2020 Marriott breach — which involved access through a network inherited from the Starwood acquisition — persisted precisely because integration created connectivity between environments with different security postures.
A structured 90-day integration plan should address:
Network segmentation first. Connect the acquired environment to your network through a controlled, monitored gateway — not through full trust. Treat the acquired network as untrusted until it meets your security baseline. This is operationally inconvenient and will create friction with integration teams. It is the correct default.
Privileged access consolidation. Identify every administrative account in the acquired environment. Existing admins should not retain access to the integrated environment without going through your identity provisioning process. Former employees of the acquired company are a specific risk — acquisitions generate staff departures, and access deprovisioning is frequently delayed in the operational chaos of integration.
Security tool parity. Extend your EDR, logging, and vulnerability management to the acquired fleet on day one of integration, not when the “proper” integration programme gets to it.
Communication to staff. Attackers monitor acquisition announcements. Spear-phishing campaigns targeting employees of recently acquired companies — impersonating the acquiring company’s IT department — are a documented attack pattern. Brief acquired staff on the specific phishing risk before integration begins.
The Financial Exposure
Representations and warranties insurance (R&W insurance) now routinely includes cyber-specific coverage provisions — but underwriters are increasingly requiring evidence of cyber due diligence as a condition of coverage. A documented cyber DD process not only reduces your risk; it reduces your insurance cost and improves the quality of coverage you can obtain.
The cost of a serious cyber incident in the first twelve months post-acquisition — response, remediation, regulatory notification, reputational management — routinely exceeds the cost of a thorough pre-deal technical assessment by an order of magnitude.