Cyber Due Diligence in M&A: A Guide for Small and Midsize Firms

Buying the Breach: Cyber Due Diligence in M&A

When you acquire a company, you also acquire everything wrong with its security. Smaller buyers can least afford the surprise.

Most deal teams stress-test the financials, scrub the contracts, and confirm the customer list. Then they wire the money. What they rarely examine with the same rigor is the one thing that can quietly erase the value they just paid for: the target's cybersecurity. Two of the most cited cautionary tales come from the largest deals on record, and they are worth remembering precisely because the buyers had resources a small firm does not.

When Verizon agreed to buy Yahoo, two enormous data breaches surfaced during the process, eventually understood to affect all three billion Yahoo accounts. Verizon cut the purchase price by $350 million, the two sides agreed to share the legal fallout, and Yahoo later paid a $35 million SEC penalty for failing to disclose the breaches in the first place.

When Marriott bought Starwood in 2016, it inherited a reservation system that attackers had been living inside since 2014. No one noticed until 2018, by which point the intruders had been resident for roughly four years, two before the deal and two after. The breach exposed the records of hundreds of millions of guests, including millions of unencrypted passport numbers. The UK’s Information Commissioner’s Office fined Marriott 18.4 million pounds, after initially proposing 99 million, and explicitly faulted the company for insufficient due diligence. A 2024 settlement with the FTC and state attorneys general followed.

Marriott and Verizon survived. They are enormous. The lesson for a smaller acquirer is the uncomfortable inverse: if a breach of that magnitude is a line item for a global company, a far smaller breach can be fatal to a deal a fraction of the size. You are buying the same kind of risk with far less margin to absorb it.

Why Smaller Acquirers Are More Exposed, Not Less

It is tempting to assume cyber due diligence is a big company concern. The opposite is closer to the truth.

Smaller targets often have weaker security. A founder-run company, a regional competitor, or a bolt-on acquisition frequently has no security leader, informal IT, unmanaged devices, and years of accumulated technical debt. The smaller the target, the more likely its security has never been seriously examined.

Smaller deals get thinner diligence. On a modest transaction, the budget and the calendar are tight, so cyber gets reduced to a questionnaire the seller fills out about itself. That is not diligence. It is self-attestation, and a seller who does not know it has a problem cannot disclose it.

The math is less forgiving. The global average cost of a data breach reached 4.88 million dollars in 2024, according to IBM. A figure like that barely moves a multinational. Against an acquisition priced in the single-digit or low-double-digit millions, it can wipe out the entire investment thesis.

The “too small to be a target” myth. Attackers do not hand pick victims by brand name. They scan for exposure and exploit what they find, and smaller companies tend to have more of it. Being unknown is not the same as being safe.

What You Actually Inherit

When the deal closes, you do not just acquire revenue and people. You acquire the target’s entire security posture and its history, including:

  • Breaches already in progress. The Marriott case is the defining example. A target can be compromised right now and not know it, which means a questionnaire will come back clean while attackers sit inside the asset you are about to own.
  • Undisclosed past incidents. Events the seller never reported, or never detected, that can surface as regulatory penalties, lawsuits, or customer loss after you hold the keys.
  • Compliance exposure. If the target handles regulated data, payment card information, health records, or government information, you inherit its gaps and its liability the moment you close.
  • Technical debt and weak fundamentals. Unpatched systems, shared passwords, no multifactor authentication, flat networks, and forgotten cloud accounts that become your problem to fix.
  • The target’s vendors and integrations. Its suppliers, software, and remote access become extensions of your environment, and its weakest connection is now yours.

The Stakes Are Not Theoretical

Across the deal community, cyber surprises are common, not rare. In a widely cited Forescout survey, 53% of acquirers said they had encountered a cybersecurity issue during M&A due diligence serious enough to jeopardize the deal, and 73% said an undisclosed data breach would be an immediate deal breaker. Other studies repeatedly find that a large share of buyers discover a security problem only after the transaction has closed, when the leverage to do anything about it is gone.

That timing is the whole point. Before you close, a finding is a negotiating chip. After you close, the same finding is a cost you simply own.

Cyber Due Diligence on a Real Budget

The good news for smaller acquirers is that effective cyber diligence does not require a Fortune 500 program or a year of work. It requires a focused assessment, scoped to the deal and delivered inside the diligence window, that answers a short list of high-value questions:

  • What does the target look like from the outside? An external attack surface and digital footprint review shows what an attacker already sees: exposed systems, leaked credentials, and signs of prior compromise. Passive review needs only public data; anything beyond that, such as active scanning or testing of systems you do not yet own, needs the seller's written authorization and a defined scope.
  • Is the target breached right now? This is the Marriott lesson. A check for indicators of an active or past compromise is no longer a luxury add-on. For any deal of consequence, it is the question that matters most, and it cannot be answered by questionnaire: it requires looking at the target's own logs, endpoints, and identity systems for evidence.
  • How healthy are the fundamentals? Identity and access controls, email security, multifactor authentication, backups, and network segmentation reveal how much remediation you are about to inherit.
  • What is the incident and compliance history? Past events, regulatory obligations, and the state of basic documentation, which for a small target is often the first time anyone has asked.
  • What will it cost to fix? The single most useful output is a remediation estimate in dollars and time, so the number can flow straight into your model and your offer.

A scoped assessment like this can be completed in days to a few weeks, which is exactly what a real deal timeline allows.

Turn the Finding Into Deal Terms

Diligence only pays off if it changes what you do. A cyber finding is leverage, and you have several ways to use it:

  • Adjust the price. Verizon took 350 million dollars off the Yahoo purchase price. Your number will be smaller, but the principle is identical: a known risk should be priced in.
  • Hold money back. An escrow or holdback tied to remediation keeps the seller accountable for fixing what they created.
  • Push it into the reps and warranties. Specific cybersecurity representations, backed by representations and warranties insurance where available, shift defined risk off your balance sheet. Insurers increasingly expect to see real diligence before they will cover it.
  • Make it a condition to close, or walk. Some findings are worth renegotiating. A few are worth walking away from, and knowing the difference before you sign is the entire value of diligence.

After the Deal: Portfolio Company Security

Closing is not the finish line. It is the start of the most dangerous window.

Integration is when environments get connected, staff turn over, and attention drifts, which is precisely when an inherited problem becomes an active incident. Recall that Marriott's intruders kept operating for two years after the acquisition closed. A focused first-100-day plan that fixes the fundamentals, closes the gaps diligence found, and puts someone in charge of security prevents the slow-motion version of the same mistake. Until that work is done, treat the acquired environment as untrusted: connect it to your own network and identity systems only through controlled, monitored paths rather than flat trust.

For private equity buyers, this scales into a portfolio-wide concern. A buy-and-build or roll-up strategy aggregates the risk of every company you add, and a single weak portfolio company can become the path into the platform. Handled well, the reverse is also true: improving a portfolio company's security is a value creation lever that reduces risk, satisfies the next buyer's diligence, and protects the exit multiple.

And if you are on the other side, a small or midsize company planning to be acquired, the same logic runs in your favor. Getting your security in order before you go to market is sell-side readiness that protects your valuation, because the breach the buyer finds is the discount the buyer takes.

The Bottom Line

Every acquisition is a cybersecurity decision, whether or not anyone treats it as one. The headline cases involved giants who could survive the hit. A small or midsize firm usually cannot, which makes proportionate, focused cyber due diligence one of the highest return moves in the entire deal. The cost of looking is a small, scoped engagement inside the diligence window. The cost of not looking is discovering, after the wire clears, that you bought the breach along with the business.

Frequently Asked Questions

What is cyber due diligence in M&A?

Cyber due diligence is a focused assessment of a target company's security posture, breach history, and regulatory exposure before a deal closes. It tells an acquirer what cyber risk and remediation cost they are about to inherit, so it can be priced into the offer or addressed in the deal terms.

Do small and midsize acquisitions really need cyber due diligence?

Yes, arguably more than large ones. Smaller targets are more likely to have weak or unexamined security, and a smaller buyer has far less ability to absorb the cost of an inherited breach. A loss that a global company treats as a line item can erase the value of a smaller deal entirely.

What does cyber due diligence look for?

The target's external attack surface and exposed credentials, signs of an active or past compromise, the health of core controls like identity and email security and backups, incident and compliance history, key vendor risk, and a dollar and time estimate to remediate what it finds.

How long does cyber due diligence take?

A scoped assessment can typically be completed in days to a few weeks, which fits inside a normal deal timeline. The depth scales with the size and risk of the transaction, from a rapid review for a small bolt-on to a thorough assessment for a larger or regulated target.

What happens if you skip it?

You inherit whatever you did not check. Verizon cut 350 million dollars from the Yahoo price after breaches surfaced during the deal, and Marriott was fined and faulted for weak due diligence after inheriting an undetected breach from Starwood. For a smaller acquirer, the same kind of surprise can be unrecoverable.

Can cyber findings change the deal?

Yes, and that is the point of doing it before closing. Findings can lower the price, fund an escrow or holdback, shape the representations and warranties and any insurance, become a condition to close, or justify walking away. After closing, the same findings are simply costs you own.