
Cyber Security in Mergers and Acquisitions: What Every Investor and Acquirer Must Know

16 May 2024 · 10 min read · Precursor Security

Cyber security due diligence in mergers and acquisitions is the process of independently assessing the security posture of a target organisation before a deal completes. It identifies inherited vulnerabilities, active compromises, and technical debt that can significantly affect deal value or expose the acquirer to post-completion regulatory and financial liability.

For acquirers and investors, financial due diligence is standard practice - but the security posture of a target organisation can carry liabilities that no balance sheet discloses.

How Should Investors Assess Cyber Security Before Committing Funds?

What Exactly Are You Investing In? What Will Your Money Be Used For?

Let's take the example of a software start-up - they've built a product, probably nowadays in the cloud, and are now seeking investment in return for equity.

As a potential investor, you're going to ask them many questions about the business model, revenue and growth projections, numbers of current customers, target market and on and on. Modern investment due diligence will also include many questions along the lines of "what have you done about the cyber security of the product?", and investors will expect substantive, evidenced answers rather than assurances.

As a company seeking investment in a SaaS (Software as a Service) product or software business, if you don't have a solid answer to this, you may find your potential investor very quickly getting cold feet. Investors, in whatever form, are not looking to put in new money just so you can then go off and spend it on adding security; they expect security to have been built in already, not to be a gap that is explained away. The IBM Cost of a Data Breach Report 2024 puts the global average cost of a data breach at $4.88 million - a figure that can land entirely on the acquirer's balance sheet when a compromise is inherited and goes undetected until after completion.

They also know that the addition of security late in the day can be much more expensive than building it in from the get-go.

Security Due Diligence Questions Every Investor Should Ask

A thorough cyber due diligence checklist will cover many more dimensions, but these are a good starting point:

  • Have you built security into the software development process? What does that look like?
  • Have you done a Penetration Test, and was the organisation who did the test suitably certified?
  • What are you doing about ongoing security testing? Does it keep up with your release cycles?
  • How do you handle your own supply chain security?
  • Would you be the weak link in someone's supply chain?
  • What backups and recovery processes are in place?


Why Does Cyber Security Matter in Mergers and Acquisitions?

The Cyber Security Risks in M&A Are Significant

Mergers and Acquisitions (M&A) activity in the UK continues at pace, with deals driven by the need to accelerate growth, access new markets, and acquire technology capabilities.

With an M&A comes real financial scrutiny of the company's accounts: current, forecast, and historic. Alongside the numbers, the expected benefits of integrating the two companies weigh on the decision amongst many other criteria. Does the organisation being acquired have the kind of culture that fits? Does the technology stack fit? How long will it take to integrate it into our existing stack, and how easily is that achieved?

And now, importantly of course, does the security posture of the organisation give reason for comfort or concern?

M&A cyber security is a serious risk area and for good reason. If you are about to spend many millions of pounds on an M&A deal, then you really should be looking into the organisation's security. Ransomware remains a dominant threat facing UK organisations - the Verizon Data Breach Investigations Report 2024 found ransomware or extortion involved in approximately one-third of all confirmed breaches globally.

How Acquirers Inherit Cyber Compromises: The Verizon/Yahoo and Marriott/Starwood Cases

Two documented cases illustrate the scale of risk:

Verizon / Yahoo (2017). When Verizon acquired Yahoo's core internet business, Yahoo's undisclosed data breaches - affecting approximately 3 billion user accounts - were discovered during the acquisition process. The deal price was reduced by $350 million as a direct result, from approximately $4.83 billion to $4.48 billion. In 2018, the SEC charged Yahoo's successor entity $35 million for failing to disclose the 2014 breach to investors in a timely manner - the first SEC enforcement action for a cybersecurity incident disclosure failure. The lesson here is not simply that sellers must disclose: buyers must independently verify, because the seller may not know the full extent of their own exposure, or may not be incentivised to volunteer it.

Marriott / Starwood (2016-2018). Marriott completed its acquisition of Starwood Hotels and Resorts in 2016. What neither party identified during due diligence was that Starwood's systems had been compromised since 2014 - approximately two years before the acquisition closed. The breach was not discovered until September 2018, two years post-completion, by which point an attacker had had access to the combined network for the entire integration period. Approximately 339 million guest records were exposed, including passport numbers and payment details. The UK Information Commissioner's Office issued Marriott a fine of £18.4 million under GDPR (reduced from a proposed £99 million notice of intent following representations from Marriott). This is the canonical inherited compromise scenario: the buyer acquired the target, integrated the systems, and the pre-existing attacker gained access to the combined network without anyone noticing.

Threat intelligence from Coveware and Mandiant documents that ransomware operators - including REvil - routinely review financial records and insurance certificates on compromised networks before setting demands. The 2021 attack on CNA Financial, one of the US's largest commercial insurers, illustrates the specific targeting of organisations with insurance exposure. In an M&A context, an attacker sitting on a target's network while a deal is negotiated has every incentive to wait.

What Does a Cyber Security Due Diligence Assessment Cover?

Due Diligence Must Include Cyber Risks and Independent Security Assessments

The extensive due diligence during M&A is now extending to cover scenarios exactly like those above. Whether you are the acquirer or the acquiree, you need a strong assessment of the other party's security. This needs to go several steps further than a standard supply chain management review. In fact, M&A often falls outside of those review processes entirely, mainly because of the confidentiality applied to a deal: M&A teams typically operate separately from supply chain and risk functions.

Third-party independent assessment is essential to give the interested parties an unbiased, expert opinion. Output from activities such as penetration testing (CREST-scoped), vulnerability scanning, cloud security reviews and OSINT (Open Source Intelligence) gives a clear picture of the security status and highlights the associated risks. An independent M&A cyber risk assessment should map findings against ISO 27001 controls and evaluate maturity against the NIST Cybersecurity Framework to give the acquiring party a structured, comparable view of risk. For UK targets, the presence or absence of Cyber Essentials certification - the UK government's baseline technical standard covering five fundamental hygiene controls - is a meaningful signal in its own right. And of course, the security consultants are governed by strict confidentiality and non-disclosure agreements.

Applying the shift-left principle from software development, security assessment does not need to wait until the M&A process is advanced. Many of the activities involved in analysing the security position can be run in parallel with each other and with financial due diligence. Early OSINT and passive reconnaissance in particular require no access to the target's systems, can give interesting insights into the organisation and the people involved, and feed early decision-making ahead of any detailed technical and procedural analysis.

Given that a deal might be called off, or at least significantly revised, on the basis of security issues - and in serious cases it should be - do the assessments early. Don't wait until everything else is agreed, only to then find that you are buying into an unacceptable risk. The M&A process itself is often hugely expensive and time consuming, so it's much better to get the whole picture as early in the deal as possible.

The table below maps the key security activities across each stage of a typical deal process.

Due Diligence Stage | Activity                          | Purpose                                                    | Who Delivers
--------------------|----------------------------------|------------------------------------------------------------|---------------------------------
Pre-LOI / Early     | OSINT and passive reconnaissance | Identify public-facing exposure and known breach history   | Independent security consultancy
Due Diligence       | Penetration testing (CREST-scoped) | Validate exploitability of identified vulnerabilities    | Independent security consultancy
Due Diligence       | Vulnerability scanning           | Enumerate unpatched systems and misconfigurations          | Independent security consultancy
Due Diligence       | Cloud security review            | Assess cloud environment configuration and access controls | Independent security consultancy
Post-Completion     | Remediation validation           | Confirm agreed findings have been resolved                 | Independent security consultancy

Organisations that integrate cyber assessment early in the deal process have better visibility and more options to protect deal value, avoid inherited liability, and achieve post-completion integration without disruption. As a CREST-accredited independent cyber security consultancy, Precursor provides the expert, confidential assessments that investors and acquirers need at every stage of the deal process. Contact us to discuss your assessment requirements.


Frequently Asked Questions

What is cyber security due diligence in M&A?

Cyber security due diligence in M&A is the independent assessment of a target organisation's security posture before a deal completes. It identifies vulnerabilities, active or historical compromises, technical debt, and compliance gaps that could affect deal value or create post-completion liability for the acquirer. It is distinct from financial or legal due diligence and typically requires specialist security expertise.

Why can't standard due diligence processes cover cyber security?

Standard M&A due diligence relies on document review, financial analysis, and representations from the seller. Cyber security risks are not always visible in documents - active compromises may leave no obvious trace, and sellers may be unaware of the full extent of their own exposure. The Verizon/Yahoo case demonstrates that even Yahoo's internal teams did not fully understand the scale of their breach until after the acquisition process began. Independent technical assessment is the only way to surface what the seller does not or cannot disclose.

When in the M&A process should cyber security assessment begin?

As early as possible - ideally before Letter of Intent (LOI). OSINT and passive reconnaissance can begin at the earliest stages of deal evaluation without requiring access to the target's systems, and can inform the decision to proceed before significant time and cost is committed. Technical assessments including penetration testing and cloud security reviews should be conducted during the formal due diligence phase, in parallel with financial and legal workstreams.

What happens if a cyber security issue is found during due diligence?

Findings typically result in one or more of: price renegotiation (as in Verizon/Yahoo, where the deal price was reduced by $350 million), escrow arrangements to cover the cost of remediation, specific indemnities from the seller against undisclosed breach liability, or - in cases of active compromise or unacceptable risk - termination of the deal. Early assessment gives the acquirer the most options; findings discovered post-completion significantly reduce leverage.

Does an ISO 27001 certificate on the target organisation mean it is secure?

ISO 27001 certification indicates that the target has documented an information security management system and had it independently audited against the standard's requirements. It is a meaningful baseline signal but does not guarantee the absence of vulnerabilities or active compromises. Certification scope may cover only part of the organisation's operations. Independent penetration testing and vulnerability assessment are required to validate whether controls are effective in practice, not just in documentation.
