Cyber Finding That Almost Killed a $400M Deal
A single cybersecurity due diligence finding repriced a $400M PE acquisition. What the deal team missed and how operators catch it.
The deal that almost died wasn’t killed by a hacker. It was almost killed by an assumption. Four months of financial diligence. A clean quality-of-earnings report. A 200-question security questionnaire was returned by the target with no red flags. Letter of intent signed, purchase agreement in markup, eighteen days to close. Then the managing partner asked the question that changed the trajectory of a $400 million acquisition: “Should we get an independent cybersecurity due diligence review before we wire the money?” Honor demands I speak to the circumstances.
Why Self-Attested Security Questionnaires Are the Weakest Form of Diligence
Charlie Munger had a line I keep close: “Show me the incentive, and I will show you the outcome.” A self-attested security questionnaire is a structural mismatch between question and answer. The target’s internal team fills it out. The answers reflect what leadership believes is true, filtered through what counsel wants to disclose, shaped by what the CISO thinks the buyer wants to read. None of that is dishonest. It’s predictable. The questionnaire asks about policy. It does not ask about practice. It asks about production. It does not ask about everything else. The PE firm brought us in on a Monday. Five-day Initial Review. Narrow scope by design — not a penetration test, not a full audit, but an operator-led look at whether the target’s actual posture matched what the deal model assumed. We weren’t hunting vulnerabilities. We were hunting the assumptions that stop being true under scrutiny. We found one on day two.
The Cybersecurity Due Diligence Finding That Repriced the Deal
The target had a mature production environment. Encryption at rest. Encryption in transit. Role-based access. Annual penetration testing by a reputable firm. Current compliance certifications. On paper, this was a well-run program. But cybersecurity due diligence is not a paper exercise. We asked to see the non-production environments. Test. Staging. Development. The places where engineers build and break things before code reaches the customer. What we found: production-grade protected health information — real patient data, real records, real identifiers — sitting in three test environments. No encryption at rest. No access segmentation. Accessible to fourteen third-party contractors whose background checks had expired or were never completed. The data had been there for at least nineteen months, based on the log artifacts we could reconstruct. The target’s security team didn’t know. Their compliance audits scoped production. Their pen tests scoped production. The questionnaire described production. The test environments were so complete a blind spot that the people filling out the questionnaire were telling the truth as they understood it. They just didn’t understand enough. There’s a phrase from my last book that fits here. The Red Swan: a risk an organization believes is managed but isn’t. Black Swans are unknown unknowns. Red Swans hide in plain sight — silently degraded controls, assumptions we’ve stopped questioning. This wasn’t a vulnerability. It was a Red Swan with regulatory exposure attached.
Why a Test Environment Becomes a $400 Million Problem
A misplaced test database is a technical problem. What we found was a governance problem with regulatory teeth. The target had been handling regulated personal data outside its documented data-handling scope. Its regulatory filings described a data environment that didn’t include these test instances. Its privacy notices and data-subject contracts were drafted against an incomplete data map. Every compliance certification it held had been issued against a scope that excluded the environment where the most sensitive data actually lived. This is the structural problem with self-attestation. The organization is accurately describing the version of itself it can see. The Red Swan is the version it can’t. The financial exposure was quantifiable. Regulatory penalties. Mandatory breach notification costs. Litigation reserve for the class that forms when the notification goes out. Remediation. Re-certification of every framework scoped against an incomplete map. Potential contract repricing with the covered entities whose data was exposed. We modeled it. The expected loss distribution had a fat tail.
The Conversation No Deal Team Wants to Have
I have delivered findings like this more times than I’d like to count. The conversation is never comfortable. A managing partner who has spent four months building conviction does not want to hear the risk profile just shifted. The worst version of this conversation, though, is the one that happens twelve months post-close, when a regulator finds the same thing we did, except now the PE firm owns the liability. Forewarned is forearmed. I presented three options. Walk — the finding was material enough to justify it. Proceed at the original terms and accept the risk — defensible if remediation costs were bounded and regulatory probability was low. Or renegotiate: reprice to reflect remediation cost, carve a remediation escrow from the purchase price, and build a 100-day plan into post-close integration. The managing partner asked one question: “If you were the operator inside this company, how long would it take to fix?” Ninety days for the technical work. Six to nine months for regulatory re-certification. Twelve to eighteen months before the compliance posture was structurally clean — not patched, but rebuilt so the blind spot couldn’t recur.
How the Deal Actually Closed
The deal closed. Not at the original terms. The purchase price moved down by an amount reflecting expected remediation and a risk premium for the regulatory tail. A remediation escrow was carved out of the seller’s proceeds and released in tranches upon verified completion of the 100-day plan. Post-close integration scope expanded to a full data-mapping exercise across every environment — production, test, staging, development, sandbox — with quarterly board reporting. The target’s CTO was replaced within six months. Not punitively. The board and the CTO both agreed the program needed an operator whose instinct was to look where nobody was looking, not just where compliance said to look. The new hire’s first project found two more instances of sensitive data in unscoped environments. Smaller. Less sensitive. The pattern was real. The PE firm has since made independent cyber risk assessment a standard part of every pre-close process. Every deal. Not optional. Not “if the target is in a regulated industry.” Every deal.
What the Deal Team Missed — and Why
The deal team didn’t miss anything they were trained to find. Financial diligence was thorough. Legal diligence was thorough. The questionnaire was a reasonable instrument for what it was designed to do. What the deal team lacked was an operator’s instinct for where risk hides. Fifteen years as Chief Security Officer at Silicon Valley Bank — defending the bank of the innovation economy against nation-state adversaries — taught me one lesson that transfers most directly to deal-level cyber assessment. Sophisticated risks don’t live where you are already looking. They live in the seams. The test environments nobody scopes. The contractor access nobody reviews. The data flows compliance never mapped because the map was drawn before those flows existed. When I assess a control, I ask three questions. Is the capability there? Is it configured correctly? Is it applied with full coverage? Capability, configuration, coverage. If I get to yes on all three, I assume 20 percent of the answer is wrong anyway, and I keep looking. That habit — earned, not taught — is what separates the operator from the questionnaire. A questionnaire checks the rooms you’ve already furnished. An operator checks the rooms you forgot you had.
Cybersecurity Due Diligence Isn’t About Finding Vulnerabilities
The deal community still treats cybersecurity due diligence as a vulnerability scan with a cover letter. It isn’t. Vulnerabilities almost never reprice a deal. What reprices a deal is the structural gap between the target’s stated security posture and its actual security posture — the distance between the questionnaire and reality. That distance is the Red Swan. Hiding in plain sight. In production-grade data sitting in non-production environments. In compliance certifications scoped against the wrong map. The contractor access that nobody re-baselined since the contracts were signed. An interim CISO engagement during M&A exists precisely for this window. You don’t need a permanent security executive to run a five-day Initial Review. You need an operator who has sat in the seat, reported to boards under pressure, and knows what a regulator will find because they have been on the receiving end of the inquiry.
Frequently Asked Questions About Cybersecurity Due Diligence in M&A
What does cybersecurity due diligence actually uncover that financial diligence misses?
Financial diligence quantifies the target’s reported figures. A cyber-focused review tests whether the target’s reporting reflects reality. The gaps live in data handling practices, access control hygiene, undisclosed incident history, and regulatory exposure that the target’s own compliance team hasn’t scoped. These are the findings that reprice deals or trigger post-close liability. They don’t show up on a balance sheet.
How long does a pre-close cyber risk review take during an M&A transaction?
A structured Initial Review takes 5 business days, from the scoping call to the delivery of findings. Deeper assessments — penetration testing, full architecture review, regulatory exposure modeling — can take three or four weeks, depending on the target’s complexity and the deal timeline. The constraint is to fit the review into the exclusivity window without delaying the close.
Should every PE acquisition include a cyber risk assessment, or only regulated targets?
Every acquisition. Regulated targets carry obvious exposure. Unregulated targets often carry greater latent risk because no one has ever looked. The finding in this case study — sensitive data in test environments — occurs across industries. If the target handles customer data, employee data, or intellectual property, cybersecurity posture is a deal-pricing variable whether you measure it or not.
What happens if material cyber findings are discovered after the close?
The acquirer owns the liability. Post-close discovery typically triggers remediation costs, regulatory penalties, insurance repricing, and — in the worst cases — breach notification obligations that damage both the acquired brand and the acquirer’s portfolio reputation. The deal team that catches the finding pre-close gets to choose. The one that misses it inherits the choice.
The Question That Should Have Been Asked Earlier
The managing partner’s question — “Should we get an independent review before we wire the money?” — was the right question. It just came late. Eighteen days before close, with the purchase agreement in markup, is not the ideal moment to discover the target’s data environment is larger and riskier than anyone documented.
The better version of that question gets asked at LOI, when the diligence calendar is being built. It is asked alongside the quality-of-earnings and legal diligence workstreams, not after them. With enough runway to act on whatever the findings reveal — to reprice, to escrow, to remediate, or to walk. Every deal team that has lived through a finding like this asks the question earlier on the next deal. The ones who haven’t lived through it yet are still deciding whether cybersecurity due diligence is worth the calendar days. I know which group sleeps better after closing. Forewarned is forearmed.
Nick Shevelyov is the founder of vCSO.ai and author of *Cyber War and Peace*. His firm advises PE sponsors, corporate acquirers, and investment banks on pre-close cybersecurity due diligence and post-close integration.