Security Leadership & Strategy
M&A Cybersecurity Due Diligence: Protecting Deals from Hidden Risk
When you acquire a company, you acquire its cybersecurity problems. The Marriott-Starwood deal became the textbook case: an undiscovered breach affecting 500 million records was inherited along with the acquisition. But Marriott is not unique. Undisclosed security issues in M&A transactions are common, and the acquiring organization bears the consequences regardless of when the vulnerability or breach originated.
Cybersecurity due diligence has evolved from a checkbox in the broader IT review to a material component of deal evaluation. SEC disclosure requirements, escalating regulatory fines, and the sheer scale of potential breach costs mean that hidden cyber risk can materially affect deal valuation, trigger post-close liabilities, and complicate integration planning.
This guide provides a practical framework for cybersecurity due diligence in M&A, covering what to assess, when to assess it, and how offensive testing provides the validation that document reviews alone cannot deliver.
The Case for Cyber Due Diligence
Financial Materiality
The average cost of a data breach is $4.44 million globally and $10.22 million in the United States. For organizations with regulatory exposure, breach costs can reach hundreds of millions. These are material numbers in any deal context. Discovering after close that the target has a significant breach in progress or exploitable vulnerabilities that require millions in remediation directly erodes deal value.
Inherited Liability
Privacy regulations do not distinguish between the organization that created the liability and the organization that acquired it. GDPR fines, state privacy law violations, and contractual obligations all transfer with the acquisition. An acquiring company inherits the target’s compliance posture, including any gaps.
Integration Risk
Connecting two organizations’ networks, identities, and applications creates a temporary window of elevated risk. If the target’s security posture is weaker than assumed, the integration itself can introduce vulnerabilities into the acquiring company’s environment.
The Due Diligence Framework
Phase 1: External Assessment (Pre-LOI or Early Diligence)
Begin with what you can evaluate without target cooperation.
External attack surface analysis. Map the target’s publicly visible infrastructure: domains, IP ranges, cloud services, web applications, email configuration. The Praetorian Guard platform can assess the target’s external exposure using publicly available data, identifying exposed services, misconfigurations, and potential vulnerabilities before any information is exchanged.
Open-source intelligence. Search for disclosed breaches, regulatory actions, security-related litigation, and dark web exposure associated with the target. Cyber threat intelligence can reveal compromised credentials, data leaks, or active threat actor interest in the target.
Technology footprint. Identify the target’s technology stack, cloud providers, and third-party services through public information. This reveals the scope of the technical due diligence needed.
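One piece of the external assessment that can be scripted before any information is exchanged is the target's email authentication posture, since SPF and DMARC records are public DNS data. The following is an added example, not code from the article or from any vendor platform: it scores SPF and DMARC records for the weak settings a diligence reviewer would flag (no record, a permissive `+all`/`?all` terminal mechanism, a DMARC policy of `none`, missing aggregate reporting). The `SAMPLE_DNS` answers and the `target-example.com` domain are constructed so the script runs offline; in use you would feed it the TXT records a resolver returns for the apex domain and its `_dmarc` name.

```python
"""Check a target's public email authentication posture (SPF and DMARC).

Added example for the external attack surface step; not part of the
original article. SAMPLE_DNS is constructed data so the script runs
offline; replace it with real resolver output for the domain being
assessed.
"""
import re

# Constructed sample TXT records keyed by record name (assumption).
SAMPLE_DNS = {
    "target-example.com": [
        "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
    ],
    "_dmarc.target-example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@target-example.com",
    ],
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_RE = re.compile(
    r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)", re.I
)


def parse_spf(txt_records):
    """Return the single v=spf1 record, or None if absent or duplicated
    (two SPF records is a permerror, so receivers treat it as no SPF)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None if no v=DMARC1 record exists."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_email_config(domain, dns):
    """Return (severity, message) findings for a domain's SPF/DMARC posture."""
    findings = []

    spf = parse_spf(dns.get(domain, []))
    if spf is None:
        findings.append(("high", "SPF record missing or duplicated"))
    else:
        terms = spf.split()[1:]
        qualifier = None
        for term in terms:
            if term.lstrip("+-~?").lower() == "all":
                # SPF's default qualifier is '+' when none is written.
                qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier is None:
            findings.append(("medium", "SPF has no terminal 'all' mechanism"))
        elif qualifier == "+":
            findings.append(("high", "SPF ends with +all: every sender passes"))
        elif qualifier == "?":
            findings.append(("medium", "SPF ends with ?all (neutral): no enforcement"))
        elif qualifier == "~":
            findings.append(("low", "SPF uses ~all (softfail); -all is the strict form"))
        lookups = sum(1 for term in terms if LOOKUP_RE.match(term))
        if lookups > 10:
            findings.append(("medium", f"SPF needs {lookups} DNS lookups; over 10 is a permerror"))

    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append(("high", "No DMARC record published"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(("high", f"DMARC policy tag missing or invalid: {policy!r}"))
        if "rua" not in dmarc:
            findings.append(("low", "DMARC has no rua address, so no aggregate reports are collected"))

    return findings


if __name__ == "__main__":
    for severity, message in assess_email_config("target-example.com", SAMPLE_DNS):
        print(f"[{severity}] {message}")
```

Run against the sample data it reports a softfail SPF and a monitoring-only DMARC policy; both are common at mid-size targets and are cheap to fix, but together they mean the target's domain can be spoofed in phishing against its own customers, which is exactly the kind of pre-close exposure the external assessment is meant to surface.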
Phase 2: Document Review (Formal Diligence Period)
Once a confidentiality agreement is in place, request and review:
Security program documentation. Security policies, standards, and procedures. Incident response plan. Business continuity and disaster recovery plans. Evaluate not just existence but quality and currency.
Compliance status. Current certifications (SOC 2, ISO 27001, PCI DSS, HIPAA), audit reports, and identified gaps. Pay particular attention to findings from the most recent audits and whether they have been remediated.
Incident history. All security incidents from the past three to five years, regardless of whether they were publicly disclosed. The manner in which the target responds to this request (transparent vs. evasive) is itself a signal.
Third-party risk. Vendor inventory, assessment records, and third-party breach history. Supply chain risk transfers with the acquisition.
Security metrics. MTTR (mean time to remediate) for critical findings, vulnerability backlog and its age, attack surface coverage, and testing frequency. These operational metrics reveal the target’s security program maturity far better than policy documents do.
Data inventory. What sensitive data does the target hold? Where is it stored? What protections are in place? What privacy regulations apply?
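The security metrics item above is only useful if the reviewer computes the numbers from the target's own tracker export rather than accepting a slide. The following is an added example, not code from the article: it derives MTTR by severity, the open backlog with the age of its oldest item, and SLA breaches from a constructed finding export (`SAMPLE_FINDINGS`) and an assumed SLA table (`SLA_DAYS`), which an acquirer would replace with its own policy.

```python
"""Compute program-maturity metrics from a target's vulnerability tracker export.

Added example for the 'security metrics' item; not code from the article.
SAMPLE_FINDINGS is a constructed export (assumption: one row per finding
with open/close dates, closed=None while still open).
"""
from datetime import date
from statistics import mean, median

# Constructed sample export; in practice this is a CSV/JSON dump of the
# target's ticketing or vulnerability management system.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": date(2024, 1, 3), "closed": date(2024, 1, 10)},
    {"id": "F-2", "severity": "critical", "opened": date(2024, 2, 1), "closed": date(2024, 2, 4)},
    {"id": "F-3", "severity": "critical", "opened": date(2024, 3, 15), "closed": None},
    {"id": "F-4", "severity": "high", "opened": date(2024, 1, 20), "closed": date(2024, 3, 1)},
    {"id": "F-5", "severity": "high", "opened": date(2024, 4, 2), "closed": None},
    {"id": "F-6", "severity": "medium", "opened": date(2023, 11, 5), "closed": None},
]

# Assumed remediation SLAs in days per severity (the acquirer's own policy
# supplies these; the target's claimed SLA is a separate input to compare).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}


def mttr_days(findings, severity):
    """Mean/median days from open to close for closed findings of one severity."""
    durations = [
        (f["closed"] - f["opened"]).days
        for f in findings
        if f["severity"] == severity and f["closed"] is not None
    ]
    if not durations:
        return None
    return {"n": len(durations), "mean": mean(durations), "median": median(durations)}


def backlog(findings, as_of):
    """Open findings per severity plus the age in days of the oldest one."""
    out = {}
    for f in findings:
        if f["closed"] is None:
            entry = out.setdefault(f["severity"], {"count": 0, "oldest_days": 0})
            entry["count"] += 1
            entry["oldest_days"] = max(entry["oldest_days"], (as_of - f["opened"]).days)
    return out


def sla_breaches(findings, as_of, sla_days):
    """IDs of open findings whose age exceeds the SLA for their severity."""
    return [
        f["id"]
        for f in findings
        if f["closed"] is None
        and f["severity"] in sla_days
        and (as_of - f["opened"]).days > sla_days[f["severity"]]
    ]


def scorecard(findings, as_of, sla_days):
    """Bundle the three views into one dict for the diligence report."""
    return {
        "mttr": {sev: mttr_days(findings, sev) for sev in sla_days},
        "backlog": backlog(findings, as_of),
        "sla_breaches": sla_breaches(findings, as_of, sla_days),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(scorecard(SAMPLE_FINDINGS, date(2024, 5, 1), SLA_DAYS))
```

The pattern to look for is not the MTTR alone: a target can show a good MTTR for the findings it closed while carrying a critical item open for months, which is why the backlog age and SLA-breach list are reported alongside it.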
Phase 3: Technical Validation (Formal Diligence Period)
Document reviews tell you what the target claims. Technical validation tells you what is actually true.
Penetration testing. Test the target’s critical systems for exploitable vulnerabilities. This is the highest-value due diligence activity because it reveals the actual security posture rather than the documented one. Focus on systems that will connect to the acquiring company’s environment post-close.
Architecture review. Evaluate the target’s security architecture, identity infrastructure, network segmentation, and cloud security configuration. Identify integration risks and estimate the effort required to bring the target’s architecture into alignment.
Configuration assessment. Review security configurations for critical systems, cloud environments, and network infrastructure. Misconfigurations are among the most common sources of exploitable vulnerabilities.
Maturity assessment. Evaluate the target’s overall security program maturity to estimate the investment needed to bring it to the acquiring organization’s standards.
Impact on Deal Terms
Valuation Adjustments
Quantify the cost of remediating identified security gaps and incorporate this into deal valuation. Common adjustments include:
- Remediation costs. Estimated investment to close validated vulnerabilities and bring the security program to acceptable standards.
- Compliance costs. Investment needed to achieve required compliance certifications or close gaps in existing certifications.
- Technology debt. Cost of replacing end-of-life systems, upgrading legacy infrastructure, or implementing missing security controls.
- Integration costs. Security-specific integration expenses: identity consolidation, network architecture alignment, tool standardization.
Use cyber risk quantification frameworks to express these costs in terms that deal teams can incorporate into financial models.
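To show what "expressing these costs in terms deal teams can model" looks like in practice, here is an added example of a minimal FAIR-style quantification; it is not code from the article and follows no particular CRQ vendor's method. Each validated finding is described by two three-point estimates (minimum, most likely, maximum) for event frequency per year and loss per event; the closed form gives the annualized loss expectancy, and the Monte Carlo goes beyond it to produce the percentiles a deal model needs for an escrow or indemnity ceiling. `FREQ` and `MAGNITUDE` are constructed illustrative parameters, not figures from the page.

```python
"""Turn a diligence finding into an annualized loss distribution.

Added example of a simple FAIR-style quantification; not from the
original article. The three-point estimates below are constructed
illustrative assumptions for one hypothetical finding.
"""
import math
import random
from statistics import mean

# Constructed assumptions: (low, most likely, high).
FREQ = (0.1, 0.5, 2.0)                  # loss events per year
MAGNITUDE = (100_000, 800_000, 5_000_000)  # loss per event, USD


def triangular_mean(low, mode, high):
    """Expected value of a triangular (min, most likely, max) estimate."""
    return (low + mode + high) / 3


def expected_annual_loss(freq, magnitude):
    """Closed-form ALE: E[events per year] * E[loss per event]."""
    return triangular_mean(*freq) * triangular_mean(*magnitude)


def poisson_sample(rng, lam):
    """Draw an event count with rate lam (Knuth's method; random has no Poisson)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq, magnitude, trials=20_000, seed=7):
    """Monte Carlo: per trial draw a rate, a Poisson event count, then per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), so reorder the estimate.
        rate = rng.triangular(freq[0], freq[2], freq[1])
        events = poisson_sample(rng, rate)
        losses.append(
            sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1]) for _ in range(events))
        )
    losses.sort()
    n = len(losses)
    return {
        "mean": mean(losses),
        "p50": losses[n // 2],
        "p90": losses[int(0.9 * n)],
        "p_any_event": sum(1 for x in losses if x > 0) / n,
    }


if __name__ == "__main__":
    print(f"closed-form ALE: ${expected_annual_loss(FREQ, MAGNITUDE):,.0f}")
    result = simulate_annual_loss(FREQ, MAGNITUDE)
    for key, value in result.items():
        print(f"{key:>12}: {value:,.2f}")
```

The median is typically far below the mean because most simulated years have no event at all, while the 90th percentile captures the bad year; quoting only the mean understates what an indemnity or escrow provision has to cover, which is why the percentiles belong in the deal model alongside the remediation estimate.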
Representations and Warranties
Include specific cybersecurity representations in the deal agreement: no undisclosed breaches, accurate incident history, compliance status as represented, and no known material vulnerabilities. Breaches of these representations create post-close recourse.
Indemnification
Negotiate indemnification for cyber risks that were discoverable by the target but not disclosed. This provides financial protection if post-close discoveries reveal security issues that should have been disclosed during diligence.
Escrow Provisions
For deals with elevated cyber risk, consider escrow provisions that hold a portion of the purchase price pending completion of security remediation milestones or a defined period without discovery of undisclosed breaches.
Post-Close Integration
Due diligence findings inform integration security planning.
Day One Security
Establish baseline security controls before connecting any systems. Implement monitoring at integration points. Verify that critical findings identified during diligence have been remediated or have compensating controls in place.
90-Day Plan
Address critical and high-severity findings from due diligence. Consolidate identity and access management. Establish unified security monitoring. Begin network integration with appropriate segmentation.
Long-Term Alignment
Bring the acquired entity’s security program to the acquiring organization’s maturity level. This includes tool consolidation, process standardization, compliance alignment, and ongoing continuous testing to validate the integrated environment.