M&A Due Diligence Has a Cyber Problem
Executive Summary
Mergers and acquisitions are among the most consequential and time-pressured decisions an enterprise makes. They involve enormous financial stakes, compressed timelines, incomplete information, and a natural tendency toward optimism. It is precisely the environment in which cyber risk is most likely to be underweighted.
The consequences of inadequate cyber due diligence in M&A are well-documented and consistently severe. Organizations have acquired companies that were already compromised — discovering active attackers in the acquired network only after integration was underway. They have inherited security debt so significant that remediation costs materially exceeded the deal model's assumptions. They have absorbed regulatory liabilities, pending breach disclosures, and contractual security obligations that fundamentally altered the risk profile of the transaction.
The Marriott-Starwood acquisition is the most prominent example — the Starwood breach that ultimately cost Marriott over $123 million in GDPR fines was an active compromise at the time of the acquisition, running undetected for two years, and transferred entirely to Marriott along with the rest of the Starwood estate.
Why This Matters Now
Several factors have elevated the cyber dimension of M&A risk significantly in recent years.
The regulatory environment has changed. GDPR, SEC breach disclosure rules, HIPAA, and a growing list of sector-specific requirements mean that an acquired company's historical data handling practices are not just a technical concern — they are a regulatory liability that transfers with the acquisition. Due diligence that does not surface these liabilities before closing transfers them at full value.
The attack surface has become harder to assess. Cloud environments, SaaS-heavy architectures, and complex third-party dependency chains make a meaningful security assessment significantly more challenging than it was when the target ran on-premises infrastructure that could be directly scanned and evaluated.
And cybercriminal sophistication has increased to the point where active compromises — attackers who have been present in a network for months with no visible indicators — are a realistic risk in any significant M&A target. The M&A process itself is known to attract criminal interest: a high-value target under time pressure, with teams from multiple organizations sharing information across unfamiliar networks, is an attractive operational environment for sophisticated threat actors.
CISO2CISO Insight
Every M&A target should be assessed with the assumption that it may be actively compromised. Not because it is likely — but because the cost of discovering an active compromise after closing dramatically exceeds the cost of the assessment that would have found it before.
What Cyber Due Diligence Actually Requires
Standard financial due diligence reviews audited financials, legal agreements, intellectual property ownership, and regulatory compliance status. Cyber due diligence requires a different set of questions — and a different methodology for answering them.
Active compromise assessment. The highest-stakes question in cyber due diligence is not whether the target has good security policies. It is whether the target is currently compromised. This requires active technical assessment — not questionnaire review — including analysis of network traffic patterns, endpoint telemetry, authentication logs, and dark web intelligence for signs of active attacker presence. This assessment cannot be completed in a single day, and it cannot be outsourced to the target's existing security team.
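The paragraph above names authentication logs as one evidence source for an active compromise assessment but does not show what "signs of active attacker presence" look like in practice. The following is an added example, not code from the original article or from any assessment firm: a minimal Python hunt that builds a per-account baseline from the target's historical logon records (source networks and usual hours) and then flags deviations in a review window. All log lines, account names, addresses, and the record format (`time user= src= result=`) are constructed for the example; thresholds such as five failures in five minutes are illustrative assumptions.

```python
"""
Added example (not from the original article): a small authentication-log hunt
of the kind an active compromise assessment might run during cyber due diligence.
Baseline logons establish, per account, the source /24 networks and the hours
seen in normal use; the review window is then checked for
  - successful logons from a network never seen in the baseline,
  - successful logons well outside the account's usual hours,
  - a burst of failures immediately followed by a success (credential guessing).
All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: a few days of normal activity for two accounts.
BASELINE_LOGS = """\
2024-02-05T08:55:12Z user=jsmith src=10.20.1.15 result=success
2024-02-06T09:02:41Z user=jsmith src=10.20.1.15 result=success
2024-02-07T08:47:03Z user=jsmith src=10.20.1.22 result=success
2024-02-05T10:15:30Z user=svc-backup src=10.20.5.9 result=success
2024-02-06T10:15:31Z user=svc-backup src=10.20.5.9 result=success
2024-02-07T10:15:29Z user=svc-backup src=10.20.5.9 result=success
"""

# Constructed review window: a service account guessed at 02:13 from an external address.
REVIEW_LOGS = """\
2024-03-04T09:01:10Z user=jsmith src=10.20.1.15 result=success
2024-03-04T02:13:05Z user=svc-backup src=203.0.113.44 result=failure
2024-03-04T02:13:09Z user=svc-backup src=203.0.113.44 result=failure
2024-03-04T02:13:14Z user=svc-backup src=203.0.113.44 result=failure
2024-03-04T02:13:20Z user=svc-backup src=203.0.113.44 result=failure
2024-03-04T02:13:27Z user=svc-backup src=203.0.113.44 result=failure
2024-03-04T02:13:33Z user=svc-backup src=203.0.113.44 result=success
2024-03-05T10:15:30Z user=svc-backup src=10.20.5.9 result=success
"""


def parse(text):
    """Parse 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "src": fields["src"],
            "result": fields["result"],
        })
    return events


def network(ip):
    """Coarsen an IPv4 address to its /24 so DHCP churn does not look like a new network."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(events):
    """Per account: the set of /24 networks and the hours seen on successful logons."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["nets"].add(network(e["src"]))
            baseline[e["user"]]["hours"].add(e["time"].hour)
    return baseline


def hunt(baseline, events, fail_threshold=5, window=timedelta(minutes=5), hour_slack=2):
    """Return (user, finding, detail) tuples for deviations from the baseline."""
    findings = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        user = e["user"]
        if e["result"] == "failure":
            # Keep only failures inside the sliding window.
            recent_failures[user].append(e["time"])
            recent_failures[user] = [t for t in recent_failures[user] if e["time"] - t <= window]
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "unknown_account", e["src"]))
        else:
            net = network(e["src"])
            if net not in profile["nets"]:
                findings.append((user, "new_source_network", net))
            lo, hi = min(profile["hours"]) - hour_slack, max(profile["hours"]) + hour_slack
            if not lo <= e["time"].hour <= hi:
                findings.append((user, "off_baseline_hour", e["time"].hour))
        if len(recent_failures[user]) >= fail_threshold:
            findings.append((user, "failures_then_success", len(recent_failures[user])))
        recent_failures[user] = []  # a success resets the failure run
    return findings


def run_example():
    """Build the baseline from the constructed history and hunt the review window."""
    return hunt(build_baseline(parse(BASELINE_LOGS)), parse(REVIEW_LOGS))


if __name__ == "__main__":
    for user, kind, detail in run_example():
        print(f"{user}: {kind} ({detail})")
```

In a real engagement the baseline would span weeks of logs from the target's identity provider or domain controllers, and the findings would be triaged alongside endpoint telemetry and network data rather than acted on alone; the point of the example is that the assessment is an evidence-driven comparison against the target's own normal, which a questionnaire cannot substitute for.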
Security debt inventory. Understanding the accumulated technical and security debt of the target requires direct assessment of the environment: vulnerability scan results, penetration test history, patch currency across critical systems, legacy architecture dependencies, and identity configuration across cloud and on-premises environments. The goal is not a comprehensive audit — it is a material liability assessment: are there security issues significant enough to alter the deal model or require immediate post-close remediation investment?
Regulatory liability assessment. What data does the target collect, process, and store? Under what regulatory frameworks? Has the target had any breach events — reported or unreported — that create ongoing liability? Are there contractual security obligations with customers, partners, or regulators that would transfer with the acquisition and that the acquiring organization is not currently meeting? These are legal questions with security dimensions, and they require collaboration between the CISO, legal counsel, and privacy team.
Integration risk assessment. How complex is the integration of the target's environment into the acquirer's? What are the highest-risk integration points — shared identity systems, network connectivity, data integration, SaaS platform consolidation? Integration is often when pre-existing security issues in the target environment become incidents in the combined environment. Planning the integration sequence with security architecture in mind — particularly the sequence of network connectivity and identity integration — is a material risk mitigation step.
Third-party dependency audit. What are the target's most critical vendor and technology dependencies? What are the security and contractual terms of those relationships? Are there concentration risks — dependencies on a small number of critical vendors — that are not visible in the financial statements?
Executive Framework
| Due diligence dimension | Standard process | Cyber-mature process |
|---|---|---|
| Breach history | Ask the target | Independent dark web and breach intelligence assessment |
| Security posture | Questionnaire review | Technical assessment of production environment |
| Regulatory liability | Legal review of filings | Data flow mapping and regulatory obligation inventory |
| Active compromise | Not assessed | Active threat hunting engagement |
| Integration risk | Assumed manageable | Security architecture review of integration sequence |
What CISOs Should Do Next
- Establish a formal cyber due diligence protocol — a defined methodology and checklist that is activated for every M&A transaction above a materiality threshold.
- Build or contract for the active compromise assessment capability — the technical assessment that looks for signs of current attacker presence requires specialized expertise and tooling that most organizations do not have internally.
- Establish a communication channel between the M&A team and the CISO from the earliest stages of deal evaluation — not just when the deal is in advanced stages.
- Include cyber risk findings in the deal model — security debt remediation costs and regulatory exposure estimates should be reflected in the financial analysis, not siloed as a separate security report.
- Develop a post-close integration security playbook — a defined sequence and timeline for security integration that minimizes the window during which the combined environment has elevated risk.
- Establish breach liability representation requirements in deal documentation — representations and warranties regarding breach history and security posture, with appropriate indemnification provisions.
Board-Level Questions
- Does our M&A process include a formal cyber due diligence protocol, and who is responsible for executing it?
- How would we identify an active compromise in an acquisition target before the deal closes?
- Are cyber risk findings from due diligence reflected in our deal financial models and negotiation strategy?
- Have we assessed the security integration complexity and timeline for our most recent acquisitions?
Final Executive Takeaway
Cyber risk is a material M&A risk that is still systematically underweighted in most transaction processes. The organizations that are managing it well have made one fundamental shift: they treat cyber due diligence as a financial risk assessment, not a compliance exercise — with findings that inform deal pricing, deal structure, and integration planning.
The cost of a thorough cyber due diligence engagement is modest relative to the cost of discovering post-close that you have acquired an active compromise, a regulatory liability, or security debt that was not in the deal model.
The question is not whether cyber risk matters in M&A — it clearly does. The question is whether it is being assessed with the rigor and urgency that its potential financial impact warrants.