Cybersecurity Due Diligence: What Buyers Miss Until It's Too Late

According to our research, 23% of acquired companies experience a significant security incident within 18 months of close. The average cost? $4.2M in direct expenses, plus incalculable reputation damage. Most of these incidents were preventable—the vulnerabilities existed pre-acquisition but weren't identified during due diligence.

Why Security Gets Overlooked in M&A

Traditional due diligence focuses on financials, legal, and commercial aspects. Technology due diligence, when it happens, often emphasizes scalability and architecture over security. Security assessment is treated as a checkbox—"Do you have SOC 2?"—rather than a substantive evaluation.

This is a mistake. When you acquire a company, you acquire its security posture, its vulnerabilities, and its exposure. The moment the deal closes, their breach becomes your breach.

The Security Due Diligence Framework

1. Governance and Policy Review

Start with the foundations:

  • Does a formal security program exist?
  • Who is responsible for security? (CISO, CTO, or no one?)
  • Are security policies documented and current?
  • How are security incidents handled?
  • What security training do employees receive?

2. Technical Security Assessment

Evaluate the actual security controls:

  • Perimeter security: Firewalls, WAFs, DDoS protection
  • Access controls: Authentication, authorization, privileged access management
  • Data protection: Encryption at rest and in transit, key management
  • Endpoint security: EDR, patching cadence, mobile device management
  • Network security: Segmentation, monitoring, intrusion detection

3. Vulnerability Assessment

Identify existing weaknesses:

  • External vulnerability scanning of public-facing systems
  • Review of internal vulnerability management program
  • Analysis of patch management practices
  • Assessment of known vulnerability exposure (CVEs)

4. Compliance Review

Verify regulatory and contractual compliance:

  • SOC 2, ISO 27001, or other certifications—verify they're current and that their scope is appropriate
  • Industry-specific requirements (HIPAA, PCI-DSS, GDPR)
  • Customer contractual security requirements
  • Cyber insurance coverage and requirements

5. Incident History Analysis

Understand past security events:

  • Review of previous security incidents
  • Analysis of incident response effectiveness
  • Assessment of lessons learned and remediation

Critical Red Flags

These findings should trigger serious concern:

  • No dedicated security personnel: Security as a "side job" for IT means it's not being done
  • Outdated certifications: A SOC 2 from three years ago is worthless
  • Unpatched critical vulnerabilities: If they're not patching known critical CVEs, what else are they ignoring?
  • No MFA on critical systems: Basic security hygiene failure
  • Shared credentials: "Everyone uses the same admin password" is more common than you'd think
  • No security logging: If they're not logging, they can't detect or investigate incidents
  • Previous breach not disclosed: Discovery of undisclosed incidents is grounds for serious concern about seller transparency

Quantifying Security Risk

Security risk should be translated into financial terms:

  1. Remediation costs: What will it cost to fix identified vulnerabilities? (Typically $100K-$2M for mid-market companies)
  2. Breach probability: Based on current posture, what's the likelihood of a significant incident? (We use industry benchmarks and vulnerability data)
  3. Breach cost: If a breach occurs, what's the expected cost? (Consider data volume, regulatory exposure, customer concentration)
  4. Expected loss: Probability × Cost = Risk-adjusted exposure

Case Study: The Inherited Breach

A PE firm acquired a healthcare technology company for $28M. Our pre-acquisition security assessment identified several concerns, but the buyer proceeded with a modest escrow holdback for remediation.

Eight months post-close, the company discovered a breach that had actually occurred six months before the acquisition. Patient data for 50,000 individuals had been exfiltrated. The breach was only discovered during a security upgrade project.

The cost:

  • $2.8M in breach response, notification, and credit monitoring
  • $1.2M in legal fees and regulatory fines
  • $4M customer contract lost due to breach disclosure
  • 18 months of management distraction

Total impact: $8M+ on a $28M acquisition—nearly 30% of the purchase price.

The breach was preventable. The vulnerabilities exploited had been present for years. A more thorough security assessment would have identified the exposure and potentially discovered the existing compromise.

Negotiating Security Risk

Options for addressing security findings:

  1. Pre-close remediation: Require seller to fix critical issues before closing
  2. Escrow holdback: Hold funds tied to security remediation milestones
  3. R&W insurance: Ensure cyber representations are covered
  4. Purchase price adjustment: Reduce price based on quantified remediation costs
  5. Walk away: If security posture indicates fundamental problems with management or operations

Key Takeaway: Security due diligence isn't optional—it's essential risk management. The cost of a thorough assessment ($25K-$75K) is trivial compared to the potential exposure from an inherited breach or compromised infrastructure.
