
Cyber Finding That Almost Killed a $400M Deal

A single cybersecurity due diligence finding repriced a $400M PE acquisition. What the deal team missed and how operators catch it.

Nick Shevelyov

Founder, vCSO.ai · Former Chief Security Officer, Silicon Valley Bank

Read time: 10 min

The deal team was confident. Four months of financial diligence, two rounds of management presentations, a clean quality-of-earnings report. The target company — a regulated-industry platform handling sensitive personal data — had returned a 200-question security questionnaire with no red flags. The letter of intent was signed. The purchase agreement was in markup. Closing was eighteen days out.

Then the managing partner asked a question that changed the trajectory of a $400 million acquisition: “Should we get an independent cybersecurity due diligence review before we wire the money?”

That question is why I’m writing this.

Why Cybersecurity Due Diligence Starts Where Questionnaires Stop

Self-attested security questionnaires are the deal world’s version of asking a suspect to grade their own alibi. The target’s internal team fills them out. The answers reflect what leadership believes is true, filtered through what legal counsel wants to disclose, shaped by what the CISO thinks the buyer wants to hear. None of that is dishonest, necessarily. It’s structural. The questionnaire asks about policy. It doesn’t ask about practice. It asks about production environments. It doesn’t ask about the rest.

The PE firm brought us in on a Monday. Five-day Initial Review. The scope was narrow by design — not a penetration test, not a full security audit, but an operator-led assessment of whether the target’s cybersecurity posture matched what the deal model assumed. We were looking for the assumptions that stop being true under scrutiny.

We found one on day two.

Day Two: The Finding Nobody Was Looking For

The target had a mature production environment. Encrypted at rest, encrypted in transit, role-based access controls, annual penetration testing by a reputable firm. The compliance certifications were current. On paper, this was a well-run security program.

But cybersecurity due diligence is not a paper exercise. We asked to see the non-production environments. Test. Staging. Development. The environments where engineers build and break things before code reaches production.

What we found: production-grade protected health information — real patient data, real records, real identifiers — sitting in three test environments. No encryption at rest. No access segmentation. Accessible to fourteen third-party contractors whose background checks had expired or never been completed. The data had been there for at least nineteen months, based on the log artifacts we could reconstruct.

The target’s security team didn’t know. Their compliance audits scoped production. Their penetration tests scoped production. Their questionnaire answers described production. The test environments were a blind spot so complete that the people filling out the questionnaire were telling the truth as they understood it.

They just didn’t understand enough.

Why This Finding Repriced the Deal

A misplaced test database is a technical problem. What we found was a governance problem with regulatory exposure attached.

Here is what the finding actually meant, translated into deal language.

The target had been handling regulated personal data outside its documented data-handling scope. Its regulatory filings described a data environment that didn’t include these test instances. Its contractual representations to data subjects — the privacy notices, the consent frameworks, the BAAs with covered entities — were drafted against a data map that was incomplete. Every compliance certification the target held was issued against a scope that excluded the environments where the most sensitive data actually lived.

This wasn’t a vulnerability. It was a latent regulatory exposure. The kind that triggers mandatory breach notification if discovered by a regulator, that invalidates compliance certifications if reported by a whistleblower, that reprices cyber insurance if disclosed to the underwriter. The kind that a cybersecurity due diligence checklist built by operators — not consultants — is designed to catch.

The financial exposure was quantifiable. Regulatory penalties. Mandatory notification costs. Litigation reserve for the class that forms when notification goes out. Remediation of the environments themselves. Re-certification of every compliance framework that scoped against the incomplete data map. Potential contract repricing with the covered entities whose data was exposed.

We ran the numbers through a Monte Carlo simulation. The expected loss distribution had a fat tail.
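What "a fat tail" looks like in practice, as an added illustration rather than the engagement's actual model: a small Monte Carlo simulation in Python built from the cost components listed above. Every dollar figure, probability and function name (`simulate_once`, `sample_losses`, `summarize`, `deal_terms`) is a constructed placeholder chosen to show the shape of the distribution, not a number from the deal. The one modelling choice worth noticing is that the regulatory branch couples the penalty, the notification cost and the litigation reserve, because they are triggered by the same discovery; treating them as independent coin flips would thin the tail that drove the repricing.

```python
import math
import random
import statistics

# Added example, not the engagement's model. Every figure below is a constructed
# placeholder (USD) chosen to show the shape of the distribution the article
# describes: a bounded remediation cost plus a low-probability, high-severity
# regulatory outcome that makes the right tail fat.

# (median, sigma) for a lognormal draw; larger sigma => heavier right tail.
REMEDIATION = (2_000_000, 0.3)
RECERTIFICATION = (750_000, 0.3)
CONTRACT_REPRICING = (3_000_000, 0.5)
REGULATORY_PENALTY = (5_000_000, 0.8)
BREACH_NOTIFICATION = (1_500_000, 0.4)
LITIGATION_RESERVE = (10_000_000, 0.9)

P_CONTRACT_REPRICING = 0.5      # covered entities reopen pricing
P_REGULATORY_EVENT = 0.25       # regulator or whistleblower surfaces the gap
P_LITIGATION_GIVEN_EVENT = 0.6  # a class forms after notification goes out


def draw(rng, component):
    """Lognormal cost draw parameterised by (median, sigma)."""
    median, sigma = component
    return rng.lognormvariate(math.log(median), sigma)


def simulate_once(rng):
    """One scenario: total loss in USD.

    The regulatory branch deliberately couples penalty, notification and
    litigation: they are triggered by the same discovery, so modelling them as
    independent coin flips would understate the tail.
    """
    loss = draw(rng, REMEDIATION) + draw(rng, RECERTIFICATION)
    if rng.random() < P_CONTRACT_REPRICING:
        loss += draw(rng, CONTRACT_REPRICING)
    if rng.random() < P_REGULATORY_EVENT:
        loss += draw(rng, REGULATORY_PENALTY) + draw(rng, BREACH_NOTIFICATION)
        if rng.random() < P_LITIGATION_GIVEN_EVENT:
            loss += draw(rng, LITIGATION_RESERVE)
    return loss


def sample_losses(n=20_000, seed=7):
    """Sorted list of n simulated losses; seeded so runs are reproducible."""
    rng = random.Random(seed)
    return sorted(simulate_once(rng) for _ in range(n))


def summarize(losses):
    """Expected loss and tail quantiles: the numbers a deal team prices against."""
    n = len(losses)
    mean = statistics.fmean(losses)
    p95 = losses[int(0.95 * n)]
    p99 = losses[int(0.99 * n)]
    return {
        "mean": mean,              # expected loss: basis for the price adjustment
        "median": losses[n // 2],  # the "typical" outcome, well below the mean
        "p95": p95,
        "p99": p99,
        "tail_ratio": p99 / mean,  # how far the bad outcomes sit from the average
    }


def deal_terms(summary):
    """Illustrative split (an assumption, not the article's formula): the price
    reduction covers the expected loss, and the escrow covers the distance from
    the expected outcome to the 95th-percentile outcome."""
    return {
        "price_reduction": summary["mean"],
        "escrow": summary["p95"] - summary["mean"],
    }


if __name__ == "__main__":
    s = summarize(sample_losses())
    for k, v in s.items():
        print(f"{k:>12}: {v:.2f}" if k == "tail_ratio" else f"{k:>12}: {v:,.0f}")
    t = deal_terms(s)
    print(f"price reduction ~ ${t['price_reduction']:,.0f}; "
          f"escrow ~ ${t['escrow']:,.0f}")
```

Run it and the median lands well below the mean while the 99th percentile sits several times above it: most scenarios are a bounded clean-up, and a minority are the regulator-finds-it-first outcome. Pricing the deal off the median would have left the acquirer carrying that tail, which is why the price adjustment and the escrow answer two different questions.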

The Conversation, the Repricing, and the Close

I have delivered findings like this more times than I’d like to count. The conversation is never comfortable. A managing partner who has spent four months building conviction on a deal does not want to hear that the risk profile just shifted.

But I have learned that the worst version of this conversation is the one that happens twelve months post-close, when the regulator finds the same thing we did, except now the PE firm owns the liability.

Forewarned is forearmed.

I presented three options. Walk away from the deal entirely — the finding was material enough to justify it. Proceed at the original terms and accept the risk — defensible if the remediation costs were bounded and the regulatory probability was low. Or renegotiate: reprice the acquisition to reflect the remediation cost, carve a remediation escrow from the purchase price, and build a 100-day remediation plan into the post-close integration calendar.

The managing partner asked one question: “If you were the operator inside this company, how long would it take to fix?”

Ninety days for the technical remediation. Six to nine months for the regulatory re-certification. Twelve to eighteen months before the compliance posture was genuinely clean — not just patched, but structurally rebuilt so the blind spot couldn’t recur.

How the Deal Actually Closed

The deal closed. Not at the original terms.

The purchase price was adjusted downward by an amount that reflected the expected remediation cost plus a risk premium for the regulatory tail. A remediation escrow was carved from the seller’s proceeds, released in tranches against verified completion of the 100-day plan. The post-close integration scope expanded to include a full data-mapping exercise across every environment — production, test, staging, development, sandbox — with the results reported to the acquirer’s board quarterly.

The target’s CTO was replaced within six months. Not punitively — the board and the CTO agreed that the program needed an operator whose instinct was to look where nobody was looking, not just where compliance said to look. The new hire’s first project was an enterprise-wide data discovery exercise that found two more instances of sensitive data in environments that compliance had never scoped. Smaller. Less sensitive. But the pattern was real.

The PE firm has since made independent cyber risk assessment a standard part of their pre-close process. Every deal. Not optional. Not “if the target is in a regulated industry.” Every deal.

What the Deal Team Missed — and Why

The deal team didn’t miss anything they were trained to find. Financial diligence was thorough. Legal diligence was thorough. The security questionnaire was a reasonable instrument for what it was designed to do.

What the deal team lacked was an operator’s instinct for where risk hides.

I spent fifteen years as Chief Security Officer at Silicon Valley Bank, defending the bank of the innovation economy against nation-state adversaries. The lesson that transfers most directly to deal-level cyber assessment is this: sophisticated adversaries — and sophisticated risks — don’t live where you’re already looking. They live in the seams. The test environments nobody scopes. The contractor access nobody reviews. The data flows that compliance doesn’t map because the data map was drawn before those flows existed.

A security questionnaire checks the rooms you’ve already furnished. An operator checks the rooms you forgot you had.

This is why I wrote Cyber War and Peace — not as a technical manual, but as an argument that the hardest security problems are governance problems wearing technical clothing. The finding that almost killed this deal wasn’t a zero-day exploit or an advanced persistent threat. It was a gap between what the organization believed about itself and what was actually true. The kind of gap that only surfaces when someone with operating experience — someone who has lived through the consequences of unscoped environments and unaudited access — walks through the building and opens the doors that aren’t on the tour.

No silver bullet, no silver buckshot. Just the discipline to look where nobody else is looking.

Cybersecurity Due Diligence Isn’t About Finding Vulnerabilities

The deal community still treats cybersecurity due diligence as a vulnerability scan with a cover letter. It isn’t. The vulnerabilities are almost never what reprices a deal. What reprices a deal is the structural gap between the target’s stated security posture and its actual security posture — the distance between the questionnaire and the reality.

An interim CISO engagement during M&A exists precisely for this window. You don’t need a permanent security executive to run a five-day Initial Review. You need an operator who has sat in the seat, who has reported to boards under pressure, who knows what a regulator will find because they’ve been on the receiving end of the inquiry.

The Romans had a word for the person brought in during a crisis with defined authority and a defined exit date. The diligence advisor plays the same role: concentrated authority, defined window, clean handoff. The finding gets surfaced. The deal team makes an informed decision. The engagement ends.

Frequently Asked Questions

What does cybersecurity due diligence actually uncover that financial diligence misses?

Financial diligence quantifies what the target reports. A cyber-focused review tests whether the target’s reporting reflects reality. The gaps typically live in data handling practices, access control hygiene, incident history that was never disclosed, and regulatory exposure that the target’s compliance team hasn’t scoped. These are the findings that reprice deals or trigger post-close liability — and they don’t show up in a balance sheet.

How long does a pre-close cyber risk review take during an M&A transaction?

A structured Initial Review takes five business days, from scoping call to findings delivery. Deeper assessments — penetration testing, full architecture review, regulatory exposure modeling — can extend to three or four weeks depending on the target’s complexity and the deal timeline. The key constraint is fitting the review into the exclusivity window without delaying close.

Should every PE acquisition include a cyber risk assessment, or only regulated targets?

Every acquisition. Regulated targets carry obvious exposure, but unregulated targets often carry more latent risk because nobody has ever looked. The finding in this case study — sensitive data in test environments — occurs across industries, not just healthcare or financial services. If the target handles any customer data, employee data, or intellectual property, the cybersecurity posture is a deal-pricing variable whether you measure it or not.

What happens if material cyber findings are discovered after close?

The acquirer owns the liability. Post-close discovery of material security gaps typically triggers remediation costs, potential regulatory penalties, insurance repricing, and — in the worst cases — breach notification obligations that damage the acquired brand and the acquirer’s portfolio reputation. Pre-mortem thinking applied to deal structure is what separates buyers who catch findings pre-close from buyers who inherit them.

The Question That Should Have Been Asked Earlier

The managing partner’s question — “Should we get an independent review before we wire the money?” — was the right question. It just came late. Eighteen days before close, with the purchase agreement in markup, is not the ideal moment to discover that the target’s data environment is larger and riskier than anyone documented.

The better version of that question gets asked at LOI, when the diligence calendar is being built. It gets asked alongside the quality-of-earnings workstream and the legal diligence workstream, not after them. It gets asked with enough runway to act on whatever the findings reveal — to reprice, to escrow, to remediate, or to walk.

Every deal team that has lived through a finding like this one asks the question earlier on the next deal.

The ones who haven’t lived through it yet are still deciding whether cybersecurity due diligence is worth the calendar days.

I know which group sleeps better after close.

Nick Shevelyov is the founder of vCSO.ai and author of Cyber War and Peace. His firm’s M&A cybersecurity due diligence practice has advised PE sponsors, corporate acquirers, and investment banks on pre-close security assessments and post-close integration.
