Compliance isn't just a checkbox—it's a material business risk. Gaps in regulatory compliance can void customer contracts, trigger penalties, and create ongoing liability. Here's how to assess compliance reality during technical due diligence.
The Compliance Landscape
Depending on the target's industry and customers, relevant frameworks may include:
Industry-Specific Regulations
- HIPAA: Healthcare data protection
- PCI-DSS: Payment card data security
- GLBA: Financial services data protection
- FERPA: Educational records protection
Privacy Regulations
- GDPR: EU data protection
- CCPA/CPRA: California privacy rights
- State privacy laws: Growing patchwork of state requirements
Security Frameworks
- SOC 2: Service organization controls
- ISO 27001: Information security management
- NIST CSF: Cybersecurity framework
- FedRAMP: Federal cloud security
Compliance Assessment Framework
1. Certification Verification
- Request copies of current certifications and audit reports
- Verify scope matches actual operations
- Review any exceptions or qualifications noted
- Confirm certifications are current, not expired
2. Gap Analysis
- Which compliance requirements apply, given the target's customers and the data it handles?
- Are all applicable requirements addressed?
- Are there claims of compliance that no certification or audit report actually backs?
3. Control Verification
- Are stated controls actually implemented?
- Is there evidence of control effectiveness?
- How are controls monitored and tested?
4. Customer Contract Review
- What compliance representations are in customer contracts?
- Are these representations accurate?
- What are the consequences of non-compliance?
Common Compliance Red Flags
SOC 2 Issues
- A Type I report (controls at a single point in time) presented as if it were a Type II (controls tested over a period)
- Report scope excludes key systems
- Multiple exceptions in the auditor's report
- Report is more than 12 months old
HIPAA Gaps
- No formal HIPAA security officer
- Missing Business Associate Agreements (BAAs) with vendors that handle PHI
- Incomplete risk assessment
- No breach notification procedures
- Inadequate access controls and audit logging
PCI-DSS Concerns
- Self-assessment questionnaire used where a third-party audit is required
- Cardholder data present in application logs or test systems
- Flat network with no segmentation isolating systems that handle cardholder data
- Quarterly vulnerability scan requirements not met
Financial Impact of Compliance Gaps
Compliance issues have real financial consequences:
- Remediation costs: Typically $100K-$1M to achieve compliance from a gap position
- Audit costs: $50K-$200K annually for SOC 2, more for other frameworks
- Penalty exposure: HIPAA fines up to $1.5M per violation category; GDPR up to 4% of global revenue
- Contract impact: Non-compliance may void customer contracts or trigger penalties
- Insurance implications: Gaps may void cyber insurance coverage
Case Study: The HIPAA Surprise
A healthcare PE firm acquired a clinical analytics company for $32M. SOC 2 Type II was in place. HIPAA compliance was "in process."
Post-close discovery:
- HIPAA "in process" had been the status for 3 years
- No formal risk assessment had ever been completed
- PHI was being processed by a subcontractor with no BAA
- Audit logging was incomplete, so breaches could not be properly investigated
- Two customers had HIPAA requirements in contracts that weren't being met
Cost to remediate:
- $180K HIPAA remediation project
- $150K to address subcontractor issues
- $90K for formal risk assessment and documentation
- One customer terminated, citing compliance concerns
Total impact: $500K+ in costs and lost revenue on a $32M deal.
Key Takeaway: "Compliance" is meaningless without verification. Request and review actual audit reports, verify scope and currency, and assess whether compliance claims match technical reality. The cost of thorough compliance diligence is trivial compared to inherited liability.