When you acquire a company, you inherit their cybersecurity posture — including breaches they have not yet discovered, controls that look adequate on paper and are not, and material risks that did not surface during the standard due diligence process. The most well-known precedent is Verizon's Yahoo acquisition, where a breach that should have been discovered during diligence was discovered shortly after closing and resulted in a $350M purchase price reduction. The case made cybersecurity due diligence a permanent part of serious M&A practice. The discipline has matured since into a distinct specialty with practitioners, methodologies, and lessons that the field has learned the expensive way.
What Cybersecurity Due Diligence Actually Covers
Active threat assessment — has the target been breached and not detected; is there evidence of compromise in the systems and networks. Security posture evaluation — what controls actually operate, with evidence beyond self-attestation. Regulatory and legal exposure — privacy regulations the target is subject to, breach notification obligations potentially triggered, ongoing regulatory engagements. Third-party risk — the target's dependencies that the acquirer would inherit. Identity and access — what privileged access exists, what would need cleanup post-close. Each dimension has investigation techniques and produces findings that feed into deal economics or post-close remediation planning.
The Compromise Detection Phase
The single most consequential due diligence activity is determining whether the target has been compromised and has not detected it. The investigation typically uses dark web intelligence (are credentials or data from the target appearing in criminal marketplaces), passive network reconnaissance (are there signs of command-and-control infrastructure), and direct assessment of the target's detection capability (would they have detected a compromise if one had occurred). The investigation is non-trivial and is the area where many M&A cybersecurity programmes most clearly add value.
Reading Between the Self-Attested Lines
Targets answer due diligence questionnaires favourably. They have material incentive to do so. Strong M&A cybersecurity due diligence verifies claims rather than accepting them. SOC 2 reports requested rather than just acknowledged. Specific control evidence requested (recent access reviews, vulnerability scan reports, incident records, penetration test results). On-site or virtual assessment of high-risk areas. The verification work is more expensive than questionnaire review and is what produces findings that affect deal terms.
A pattern in post-close discoveries: a material security issue surfaces in the first six months after acquisition, the issue was discoverable during diligence with sufficient investigation, and the diligence work that would have surfaced it was descoped to meet deal timeline. The cost of the discovery exceeds the cost of the diligence work that was descoped by orders of magnitude. M&A cybersecurity is one of the areas where due diligence scope creep saves money on paper and costs money in practice.
Quantifying Findings for Deal Economics
Findings from cybersecurity due diligence feed into deal economics in specific ways. Material breaches discoverable but not yet disclosed may justify price reduction or deal cancellation. Required remediation work may be reflected in escrow, holdbacks, or post-close commitments. Specific risks may be addressed in representations and warranties with appropriate survival periods. The deal lawyers and finance team integrate the cybersecurity findings into the broader deal structure; cybersecurity due diligence that does not feed into these conversations is producing findings nobody acts on.
Post-Close Integration
Closing the acquisition is not the end of M&A cybersecurity. Integration of the target's systems, identity, monitoring, and processes into the acquirer's environment is itself a major cybersecurity workstream — often more demanding than the diligence that preceded it. Strong M&A cybersecurity programmes plan integration during diligence and execute it deliberately post-close, with milestones, dependencies, and accountability comparable to other major integration workstreams.
Components of a Programme That Holds Up
- Compromise detection as a non-negotiable diligence activity
- Verification beyond questionnaire response, with specific evidence requests
- Regulatory and legal exposure analysis aligned with the target's footprint
- Identity and access assessment to scope post-close cleanup
- Quantified findings feeding into deal economics — price, escrow, reps and warranties
- Integration planning during diligence, executed post-close as a deliberate workstream
- Specialist support — M&A cybersecurity is a distinct skill set, not a generic security task
Why the Discipline Will Continue to Grow
M&A activity continues. Regulatory accountability for inherited cyber risk continues to tighten. Past precedents (Yahoo, Marriott, and others) have established cybersecurity as a material diligence area in any serious transaction. The discipline of M&A cybersecurity is now a permanent specialty within both security functions and transaction advisory practice. Organisations active in M&A who do not run cybersecurity due diligence deliberately are taking inherited cyber risk into their deals; the cost when something surfaces post-close consistently exceeds the cost of the diligence work that would have prevented it.