Cyber risk has become a standard part of M&A due diligence. It wasn't always. A decade ago, security review in an acquisition was mostly a checkbox: do they have an ISMS, are they compliant with the relevant frameworks, have they been breached recently. That approach survived until a series of post-acquisition discoveries changed the conversation. Yahoo's acquisition by Verizon was repriced by $350M after a pre-acquisition breach surfaced mid-deal. Marriott acquired a Starwood network that had been compromised for four years before the deal closed. The inherited liability model is now real and documented.
Buyers responded by building actual security diligence programs. Sellers who don't understand what those programs look for are negotiating blind.
What buyers are actually evaluating
Modern M&A security diligence covers three questions.
What is the target's current security posture?
Control coverage, KRI status, and basic hygiene: the same things an underwriter looks at, such as endpoint protection coverage, identity management maturity, patching cadence, and network architecture. Buyers want to know whether the target has a functioning security program or has been running on luck.
What will it cost to bring the target up to standard?
Even a target with a decent program rarely matches the acquirer's requirements exactly. The gap analysis produces a remediation cost estimate that, in PE and strategic deals, often becomes a negotiating variable that affects purchase price directly.
Is there latent breach liability?
This is the Marriott and Starwood scenario: active or historical compromise that hasn't been disclosed. Buyers deploy external scanning, threat intelligence, and sometimes third-party technical assessments specifically to look for indicators of past or present compromise the target may not know about or may not have disclosed. Finding it during diligence is a deal variable. Finding it post-close is a lawsuit.
The diligence process in practice
Security diligence in a well-run transaction runs in parallel with financial and legal diligence. It typically involves four pieces.
Document review
The buyer's team reviews the target's security policies, audit reports (SOC 2 Type II, penetration test results, vulnerability scan summaries), incident history, and governance documentation. Gaps in this documentation are themselves a signal. An organization without recent pen test results and an up-to-date incident log has a program maturity problem.
Technical assessment
For higher-value transactions, buyers engage a technical team for an active assessment: external attack surface scan, architecture review, sometimes limited internal access for configuration review. Scope depends on deal size and risk profile.
KRI and telemetry review
Increasingly, sophisticated buyers ask for the actual metrics, not just the policy documentation. What's the current endpoint coverage rate? What does the patch compliance trend look like? What's the mean time to remediate critical findings? This is where having a KRI program pays dividends for sellers: it's evidence that controls are working, not just that they exist.
Management interviews
The security leader, or whoever plays that role, will be interviewed. Expect questions about the most significant incident in the past two years, how it was handled, and what changed as a result. Expect questions about known gaps and the plan to address them. Honesty is worth more than polish here. Buyers who discover post-close that a seller minimized or concealed security problems have legal remedies.
What sellers should do before a transaction
The time to fix security problems is before you're in a transaction, not during diligence. On diligence timelines you can't remediate material gaps. You can only explain them and negotiate around them. If a transaction is possible in the next 12 to 24 months, treat that window as your remediation runway. The highest-value pre-transaction investments:
Basic hygiene completeness
MFA enforcement across all remote access, EDR coverage across all endpoints, patch compliance on critical systems. These are the first things any buyer checks. Gaps here signal a program that's been underinvested, which invites deeper scrutiny and price adjustment.
Documented incident history
Buyers will ask about incidents whether or not you have documentation. A clear, accurate incident log with documented root cause and remediation is more credible than claiming a clean history. If you've had incidents, document how you handled them.
Clean identity hygiene
Privileged account sprawl, shared credentials, and unreviewed service accounts get disproportionate scrutiny, because they're high-probability attack vectors and because cleaning them up is tractable. Quarterly privileged access reviews, MFA on all admin accounts, and no shared credentials are achievable in the pre-transaction window.
Penetration test currency
A pen test from three years ago is not useful to a buyer. Budget for an external penetration test within 12 months of expected close, and remediate the findings before you enter the process.
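The KRI and hygiene figures a buyer asks for (EDR coverage, MFA on admin accounts, critical patch compliance, mean time to remediate critical findings) can be produced from the seller's own inventories well before the process starts. The snapshot below is an added example, not Draxis code; the inventory records are constructed, and a real run would pull them from the EDR console, identity provider, and vulnerability scanner.

```python
"""Pre-transaction KRI snapshot over a constructed inventory (example only)."""
from datetime import date
from statistics import mean

# Constructed sample data standing in for EDR, IdP, patch and scanner exports.
ENDPOINTS = [
    {"host": "ws-01", "edr": True},
    {"host": "ws-02", "edr": True},
    {"host": "srv-db", "edr": False},   # the gap a buyer will find first
    {"host": "srv-web", "edr": True},
]
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True},
    {"user": "svc-backup", "admin": True, "mfa": False},  # privileged, no MFA
    {"user": "bob", "admin": False, "mfa": False},
]
CRITICAL_SYSTEMS = [
    {"host": "srv-db", "patch_current": False},
    {"host": "srv-web", "patch_current": True},
]
FINDINGS = [  # pen test / scan findings; closed=None means still open
    {"id": "F-1", "severity": "critical", "opened": date(2024, 1, 1), "closed": date(2024, 1, 15)},
    {"id": "F-2", "severity": "critical", "opened": date(2024, 2, 1), "closed": date(2024, 2, 29)},
    {"id": "F-3", "severity": "high", "opened": date(2024, 2, 1), "closed": date(2024, 2, 5)},
    {"id": "F-4", "severity": "critical", "opened": date(2024, 3, 1), "closed": None},
]

def coverage(items, key):
    """Share of items where `key` is True; 0.0 for an empty inventory."""
    return sum(1 for i in items if i[key]) / len(items) if items else 0.0

def admin_mfa_gaps(accounts):
    """Admin accounts without MFA: buyers want the list, not just the rate."""
    return [a["user"] for a in accounts if a["admin"] and not a["mfa"]]

def mttr_days(findings, severity="critical", today=date(2024, 4, 1)):
    """Mean days to remediate; an open finding is aged through `today`
    so it is not silently dropped from the metric."""
    ages = [((f["closed"] or today) - f["opened"]).days
            for f in findings if f["severity"] == severity]
    return mean(ages) if ages else 0.0

def kri_snapshot():
    return {
        "edr_coverage": coverage(ENDPOINTS, "edr"),
        "critical_patch_compliance": coverage(CRITICAL_SYSTEMS, "patch_current"),
        "admin_mfa_gaps": admin_mfa_gaps(ACCOUNTS),
        "critical_mttr_days": mttr_days(FINDINGS),
    }

if __name__ == "__main__":
    for name, value in kri_snapshot().items():
        print(f"{name}: {value}")
```

Run monthly and kept as a time series, the same numbers give the patch compliance and MTTR trends that a diligence team asks for instead of a point-in-time figure.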
The findings that affect deal value
Not all security findings are equal in a transaction. A few categories consistently affect price or deal structure.
Discovered breach indicators
If the buyer's technical team finds evidence of active or historical compromise (malware samples, command-and-control traffic, suspicious outbound connections, data staged for exfiltration), expect a material negotiation event. Depending on the findings and the buyer's risk tolerance, that ranges from an escrow holdback to a deal pause to a walk.
Regulatory exposure
Unaddressed gaps in regulated data environments (healthcare, financial services, companies with significant EU data subject exposure) carry compliance cost that affects deal modeling. An unresolved HIPAA or GDPR gap belongs in the deal structure.
Third-party contract provisions
Many enterprise contracts include security and data handling requirements. If the target's program doesn't meet the requirements in its key customer contracts, the acquirer is inheriting potential breach-of-contract liability. Legal diligence covers this, but the security team needs to provide accurate input on whether the contractual representations are actually true.
Cyber insurance gaps
If the target has no cyber insurance, inadequate limits, or significant policy exclusions, the acquirer may be inheriting uninsured risk. Buyers evaluate this explicitly, and it's worth knowing what underwriters look for before you sit down.
For PE-backed companies specifically
Private equity firms have developed their own security diligence and portfolio monitoring programs. The most sophisticated shops now require KRI-level visibility into portfolio company security posture as part of ongoing monitoring, not just transaction diligence.
PE diligence focuses on breach likelihood expressed as a confidence level (not just "medium risk"), regulatory and legal exposure mapped to specific statutes, IP ownership integrity (particularly for technology companies where the IP is the asset), and contractual representation exposure. If you're in a PE portfolio or headed toward a PE transaction, assume the buyer has a framework for each, and prepare accordingly. The security leader's job in a PE-backed company is to translate program status into the verdicts the PE board needs, not to deliver a technical briefing.
After close: the inherited liability window
Buyers who close without finding security problems aren't necessarily clear. They may have inherited a dormant compromise that hasn't surfaced yet.
The standard practice for post-acquisition security integration is a 90-day rapid assessment: complete the technical review of the acquired environment, identify gaps relative to acquirer standards, and establish a time-bound remediation plan. This window is also when acquirers run threat hunting specifically looking for indicators of historic compromise that diligence may have missed. The goal is a clean baseline. You can't manage inherited risk you haven't characterized.
Diligence-ready, before the process starts.
Draxis produces the KRI data and financial exposure estimates that sophisticated acquirers ask for during security diligence, and that PE boards expect for ongoing portfolio monitoring. Having that data ready before the process starts puts you in a different negotiating position.