Cybersecurity Due Diligence in M&A
Cyber due diligence exposes the gap between a target's stated security posture and reality. Here's what deal teams keep getting wrong.
Cybersecurity Due Diligence in M&A: How to Find the Gaps That Reprice the Deal
The questionnaire is the prospector’s claim. The operator’s review is the crucible. What remains after the heat is the posture the deal should actually be priced against.

The word “diligence” comes from the Latin diligentia — carefulness, attentiveness, the quality of taking pains. Somewhere between Latin and the modern deal process, we lost the original meaning. Cyber due diligence in most transactions became a checkbox ritual: send the questionnaire, receive the answers, file them behind the quality-of-earnings report, close the deal. The carefulness evaporated. The attentiveness was never there.

Cybersecurity due diligence, done properly, is the discipline of measuring the gap between a target’s stated security posture and its actual one — before the wire goes out. That gap is where deals get repriced, where regulatory exposure hides, and where post-close surprises live. I’ve run these reviews on transactions ranging from $50 million growth-equity rounds to $400 million private-equity acquisitions, and the pattern repeats with unnerving consistency. The target fills out the questionnaire honestly. The deal team treats the answers as fact. And nobody asks whether the two describe the same company.

The five areas where cyber due diligence reprices a deal:
- Data handling scope — does the target know where all its sensitive data actually lives?
- Access control hygiene — who has access to what, and is it still appropriate?
- Incident history and detection capability — not “have you been breached,” but “would you know?”
- Regulatory exposure — do the filings and contracts match the data practices?
- Control degradation — which controls were real three years ago and have silently rotted since?
The deal community is not flying blind by choice. The data is loud. PwC’s dealmaker research found that roughly four in five buyers uncovered cybersecurity issues in at least a quarter of their targets over a two-year window. More sobering: in 2024, over half of dealmakers discovered significant cyber problems only after closing, and nearly three-quarters said they would walk from a deal over an undisclosed breach. The findings exist. What is too often missing is the discipline to surface them before signing.
Why Cyber Due Diligence Fails at the Questionnaire
A self-attested security questionnaire is the most common instrument in deal-level cyber assessment. It is also the weakest. Charlie Munger taught me to ask a simple question: show me the incentive, and I will show you the outcome. The team filling out a security questionnaire has every incentive to present the best possible version of their program. Not because they are dishonest — most are not — but because the questionnaire asks about policy, not practice. It asks about production environments, not the test databases where engineers park real customer data to debug a problem at midnight. It asks about controls that were designed, not controls that have silently degraded since the last audit.

The structural defect is in the scope. Compliance audits scope production. Penetration tests scope production. The questionnaire describes production. Everything outside that perimeter goes unexamined. In one engagement, production-grade protected health information sat in three test environments for nineteen months — no encryption, no access segmentation, fourteen contractors with expired background checks still holding the keys. The target’s compliance team didn’t know, because their instruments never looked there. That is not a failure of honesty. It is a failure of coverage. And it is exactly the kind of failure that reprices a deal.
The 48-Hour Cyber Due Diligence Sprint
There is a reliable objection from deal teams: “We don’t have time for a cyber deep dive. The exclusivity window is tight and the seller won’t extend.” I hear it on nearly every engagement, and my answer never changes. You don’t need a month. You need 48 focused hours with the right operator asking the right questions.

The first day is structural. Review the architecture diagrams, the network topology, the identity and access configuration, the data-flow maps, the incident history. Not the questionnaire — the actual artifacts. Architecture diagrams lie less than questionnaires because they were drawn for engineers, not for buyers. The distance between what the architecture shows and what the questionnaire claims is your first signal.

The second day is the seams. Non-production environments. Third-party vendor access — and it matters, because industry data attributes a majority of breaches to third parties, not the target’s own four walls. Data flows that were added after the compliance map was drawn. Cloud accounts that were spun up for a project and never decommissioned. Privileged accounts that still belong to people who left two years ago.

This is where the Red Swans hide. A Red Swan is a risk the organization believes it has managed but hasn’t — a concept I introduced in Cyber War and Peace to distinguish it from Nassim Taleb’s Black Swans. A Black Swan is an unknown unknown. A Red Swan hides in plain sight, in controls that have silently degraded and assumptions that stopped being questioned. A 48-hour sprint won’t find every vulnerability, and it isn’t meant to. It’s meant to identify the structural gaps that alter the acquisition’s risk profile — findings that should inform deal pricing, escrow terms, reps-and-warranties language, and the first hundred days of integration.
What Cyber Due Diligence Actually Looks For
The deal community still conflates cybersecurity due diligence with a vulnerability scan plus a cover letter. They are not the same exercise. Vulnerability scans find technical flaws in software — useful, but flaws almost never reprice a deal. What reprices a deal is the structural distance between the described program and the operational reality. That distance shows up in five places.

Data handling scope. Does the target know where all its sensitive data lives — not just in production, but in every environment, every backup, every third-party integration? If the data map is incomplete, every compliance claim built on top of it is incomplete too.

Access control hygiene. Who has access to what, and is that access still appropriate? Privileged accounts untouched since the last security leader departed. Contractor access that outlived the contract. Service accounts with administrative rights nobody can explain.

Incident history and detection capability. Not “have you had a breach” — every company has had incidents. The real question is whether they detected them, responded competently, and documented what happened. The absence of incident records is not a clean bill of health. It is, more often, a detection problem wearing the costume of a clean record.

Regulatory exposure. Are the target’s regulatory filings, privacy notices, and contractual commitments consistent with its actual data practices? The compliance gap that matters in a deal is not the gap between the target and a framework. It is the gap between the target’s representations and its reality.

Control degradation. Controls implemented correctly three years ago and never tested, maintained, or updated since. Firewall rule sets that grew by accretion until no one understands what they permit. Endpoint detection that was deployed to 90% of the fleet and never reached the last 10%.
As a working rule, roughly one in five controls a company believes are operating are partially or fully broken at any given moment — and that degradation is invisible until someone looks. The questionnaire is a photograph. The environment is a film. The seller hands you the photograph; the operator watches the film.
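As an added illustration of the access-hygiene and control-degradation signals above (example code written for this page, not the author’s or vCSO.ai’s tooling): a small Python review over constructed data-room exports, whose column names are assumed, that flags privileged accounts with departed owners, contractor access past its contract end, unowned admin service accounts, long-idle privileged logins, and the endpoint-agent coverage gap.

```python
import csv
import io
from datetime import date

# Constructed sample exports with assumed column layouts (not a real target's data):
# identity inventory, HR/contractor roster, endpoint-agent status.
ACCOUNTS = """user,type,privileged,owner,last_login
ciso.old,human,yes,ciso.old,2023-02-10
j.contractor,contractor,yes,j.contractor,2024-11-02
svc-backup,service,yes,,2025-01-15
svc-ci,service,yes,dev-team,2024-09-01
"""
ROSTER = """person,end_date
ciso.old,2023-03-01
j.contractor,2024-06-30
"""
ENDPOINTS = """host,edr_agent
web-01,installed
db-01,missing
laptop-17,installed
jump-01,missing
"""


def review_access(accounts_csv, roster_csv, as_of_iso, stale_days=90):
    """Flag privileged accounts: departed owner, expired contractor,
    unowned admin service account, or login idle beyond stale_days."""
    as_of = date.fromisoformat(as_of_iso)
    roster = csv.DictReader(io.StringIO(roster_csv))
    ended = {r["person"]: date.fromisoformat(r["end_date"]) for r in roster if r["end_date"]}
    findings = []
    for a in csv.DictReader(io.StringIO(accounts_csv)):
        if a["privileged"] != "yes":
            continue  # unprivileged access is noise at deal level
        owner = a["owner"]
        idle = (as_of - date.fromisoformat(a["last_login"])).days
        if owner in ended and ended[owner] <= as_of:
            kind = "expired_contractor" if a["type"] == "contractor" else "departed_owner"
        elif a["type"] == "service" and not owner:
            kind = "unowned_service_admin"
        elif idle > stale_days:
            kind = "stale_privileged"
        else:
            continue
        findings.append((kind, a["user"]))
    return findings


def edr_coverage(endpoints_csv):
    """Return (fraction of hosts with the agent, hosts missing it): the 90%/10% gap."""
    rows = list(csv.DictReader(io.StringIO(endpoints_csv)))
    missing = [r["host"] for r in rows if r["edr_agent"] != "installed"]
    return 1 - len(missing) / len(rows), missing
```

Each finding maps to one of the signals the article names; the as-of date is passed in so the review can be re-run against the signing date rather than the export date.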
What the Repricing Cases Teach
The history of deal-level cyber failure is written in two names every dealmaker should know. When Yahoo’s breaches surfaced during its acquisition by Verizon, the purchase price fell by $350 million — about seven percent of the deal. And when Marriott acquired Starwood, the attackers were already resident in Starwood’s systems, undetected, before the ink dried. The compromise wasn’t discovered until roughly two years after close, and it led to years of litigation and regulatory settlements totaling tens of millions. Neither was an exotic, unforeseeable event. Each was a Red Swan inherited at closing — a degraded reality that a careful assay would have surfaced before the wire went out. The lesson is not that breaches happen. It is that the acquirer who surfaces the finding pre-close gets to choose — walk, reprice, or remediate with a funded plan — while the acquirer who misses it simply inherits the outcome, on someone else’s timeline.
The Cost of Skipping Cyber Due Diligence
There is a calculation that teams don’t always make explicit. The cost of a five-day cyber review is trivial relative to the deal value — less than a rounding error in the transaction fees. The cost of skipping it is the full tail risk of what you didn’t find. Post-close discovery of a material gap triggers a cascade: remediation spend, regulatory penalties, breach-notification obligations if reportable data was involved, insurance repricing, and — in the cases that hit hardest — damage to the acquirer’s portfolio reputation that bleeds into the next fundraise. The average cost of a data breach reached roughly $4.88 million globally in 2024, the steepest jump since the pandemic, driven largely by business disruption and longer recovery windows. Those are the numbers that move a pro forma and stretch a synergy timeline. For private-equity and venture sponsors, the cybersecurity due diligence framework should be as standard as the quality-of-earnings workstream. Not optional. Not “only if the target is regulated.” Every deal where the target handles customer data, employee data, or intellectual property — which is every deal.
The Regulatory Layer Has Teeth — and a Contested Future
Regulatory exposure deserves its own attention now, because the ground is moving. The SEC’s disclosure regime requires public companies to report a material cybersecurity incident on Form 8-K within four business days of determining materiality. That rule has grown teeth: the Commission has pursued enforcement against companies for misleading or downplayed incident disclosures, and the SolarWinds litigation tested how far the agency’s authority over cybersecurity controls actually extends — with a court trimming significant portions of the case. For an acquirer, this changes the math on a target’s undisclosed or mishandled incident. You are not only inheriting the breach. You may be inheriting a disclosure liability.

Here is the nuance an honest advisor has to hold. That same disclosure rule is now contested. In 2025, under a new Commission majority, a coalition of banking and industry associations petitioned the SEC to rescind the four-day Item 1.05 requirement, and the rule’s long-term survival is genuinely uncertain. It would be a mistake to read that uncertainty as relief. The disclosure obligation is a reporting mechanism; the underlying risk — a compromised target, an undocumented incident, a misrepresentation that a forensic review will later expose — does not care which way the regulatory winds blow. Diligence priced to today’s rule is brittle. Diligence priced to the durable reality underneath it survives the next administration.
Cyber Due Diligence Beyond the Buy Side
The conversation usually starts with buy-side sponsors, but the discipline runs in both directions. On the sell side, the smartest founders run a pre-sale cyber assessment before entering a process. The logic is the inversion of the buy-side case: anticipate what a credible buyer’s diligence will find, then either fix it or document it cleanly enough that the buyer’s discount is bounded. A founder entering a sale without this preparation is gambling that the buyer’s leverage will be polite. It rarely is. I’ve watched sellers lose more in a single purchase-price adjustment from one undisclosed finding than a full pre-sale remediation would have cost.

Post-close integration is the third window, and increasingly the most dangerous one. Two security programs merge. Two incident-response playbooks collide. Two identity systems get rationalized. And the attacker’s opportunity widens precisely here — the prevailing 2026 framing of “autonomous threats” exists because AI-accelerated adversaries probe faster than distracted IT teams can defend during a transition. The interim CISO model exists for exactly this window: an operator with deal experience who builds the integration plan, runs the hundred-day calendar, and ensures the access-control inheritance doesn’t become the breach disclosure eighteen months later.

For portfolio companies that are years past close and heading toward a secondary or an IPO, a full security risk assessment and third-party vendor review belong in the pre-exit preparation. The next buyer will run their own crucible. You want to know what they’ll find before they find it. If you’d rather enter that process knowing where the dross is, a focused pre-close or pre-sale cyber assessment is the right starting point.
What the Assayer Knows
In the old mining towns, every claim came with a promise. Rich ore, pure vein, fortune waiting to be extracted. The assayer’s job was not to trust the promise. It was to place the sample in the crucible, heat it, and measure what remained after the dross burned away. The assayer did not care about the prospector’s enthusiasm or the investor’s timeline. The assayer cared about what was actually there. Cyber due diligence is assaying. The questionnaire is the prospector’s claim. The operator’s review is the crucible. What remains after the heat of independent scrutiny is the actual security posture — and that posture, not the questionnaire, is what the deal should be priced against. The teams that build this discipline into every transaction sleep better after closing. The ones still debating whether it’s worth the calendar days are the ones who haven’t yet lived through the finding that repriced everything. Which group would you rather belong to?
Frequently Asked Questions
What is the difference between cyber due diligence and a penetration test?
A penetration test simulates an attacker exploiting specific technical vulnerabilities in a defined scope, usually the production environment. Cyber due diligence is broader and more strategic: it evaluates the target’s overall security posture, governance, regulatory compliance, data handling, access controls, and incident history to inform deal-level decisions. A pen test may be one input to a diligence review, but the two are not interchangeable.
How early in a deal should cyber due diligence begin?
At the letter of intent, when the diligence calendar is being built. Running cyber diligence alongside the quality-of-earnings and legal workstreams — not after them — gives the deal team enough runway to act on the findings, whether that means renegotiating, repricing, or structuring escrow. Starting two or three weeks before close leaves almost no room to do anything but absorb what you find.
Does cyber due diligence apply to non-regulated industries?
Every industry that handles customer data, employee records, or proprietary intellectual property carries cyber risk that can reprice a deal. Regulated targets carry obvious exposure, but unregulated targets often carry greater latent risk, precisely because no external auditor has ever looked. The finding that costs the most in a transaction is frequently the one nobody expected because the industry “wasn’t a cyber target.”
How is AI changing M&A cyber due diligence?
On both sides of the table. AI-accelerated adversaries probe targets and integration environments faster, widening the attacker’s window during the post-close transition when two systems are merging and teams are distracted. At the same time, AI tooling can speed the diligence itself — surfacing data-flow anomalies and access-control gaps faster than a manual review. The judgment about what those findings mean for deal value still belongs to an experienced operator, not the tool.
Who should conduct a cybersecurity due diligence review?
An independent operator with actual CISO experience. Deal-team advisors — legal, financial, even IT consultants — bring valuable perspectives but typically lack the instinct for where security risk hides in operational environments. The difference between an operator and a consultant is the difference between someone who has reported to a board under live scrutiny and someone who read the report after the fact. That instinct is what turns a questionnaire review into a genuine assessment.
Nick Shevelyov is the founder of vCSO.ai and author of Cyber War and Peace. His firm advises private-equity sponsors, corporate acquirers, and growth-stage companies on pre-close cybersecurity due diligence and post-close integration.