Security Assessment

Evaluating cybersecurity posture and vulnerability exposure

Security assessment identifies vulnerabilities, compliance gaps, and risk exposure that could impact deal value or create post-acquisition liabilities. With average data breach costs exceeding $4.5 million and regulatory fines reaching into the hundreds of millions, security due diligence is no longer optional.

Security in M&A Context: The Stakes

Security issues discovered post-acquisition have real financial consequences:

Risk Category | Potential Impact | Real-World Examples
Data Breach | $4.5M average cost (IBM 2023) | Marriott: $124M fine for acquired Starwood breach
Regulatory Fines | Up to 4% of global revenue (GDPR) | British Airways: $230M GDPR fine
Lawsuits | Class actions, customer claims | Equifax: $700M settlement
Business Impact | Customer churn, brand damage | Yahoo: $350M valuation reduction post-breach disclosure

The Verizon-Yahoo Case Study: After Verizon announced its $4.8B acquisition of Yahoo, two massive data breaches were disclosed affecting 3 billion accounts. Verizon negotiated a $350M price reduction—a direct result of inadequate pre-acquisition security diligence.

Security Assessment Framework

1. Security Governance (Organizational)

Evaluate the security program maturity:

Element | Mature Organization | Red Flag
Security Leadership | Dedicated CISO reporting to C-suite | Security is "IT's job"
Policies | Documented, reviewed annually, enforced | Policies exist but are not followed
Training | Regular security awareness, phishing tests | No training program
Incident Response | Documented IR plan, tested regularly | No IR plan, or plan never tested
Third-Party Risk | Vendor security assessments | No visibility into vendor security

2. Application Security

Assess how security is built into the development process:

  • Secure SDLC: Is security considered at design, implementation, and testing phases?
  • Code Review: Are security-focused code reviews conducted?
  • Static Analysis (SAST): Are automated tools scanning for vulnerabilities?
  • Dynamic Analysis (DAST): Is the running application tested for vulnerabilities?
  • Dependency Scanning: Are third-party libraries monitored for vulnerabilities?
  • Secrets Management: How are API keys, passwords, and certificates managed?
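The Secrets Management item above (and the "Credentials in source code" red flag later on this page) is one of the few findings a diligence team can check directly against the target's repositories. The following scanner is an added example written for this page, not code from the original article or from any of the tools it names. It applies three rules to a constructed set of files: the real AWS access key ID format (AKIA followed by 16 uppercase alphanumerics), the PEM private-key header, and a heuristic for `password = "..."`-style assignments, with a Shannon-entropy filter so that placeholders and low-entropy strings are not reported. The file paths and values are constructed.

```python
import math
import re
from dataclasses import dataclass

# Detection rules. The AWS key ID pattern and the PEM header are real formats;
# the assignment rule is a heuristic and is filtered further below.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values containing these fragments are treated as placeholders, not findings.
PLACEHOLDER_WORDS = ("changeme", "example", "placeholder", "xxxx", "your_")


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores high, prose and repeats score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Apply every rule to every line of one file and return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "hardcoded_credential":
                value = m.group(2)
                # Skip obvious placeholders and low-entropy strings such as "aaaaaaaa".
                if any(w in value.lower() for w in PLACEHOLDER_WORDS):
                    continue
                if shannon_entropy(value) < min_entropy:
                    continue
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping, e.g. built from a checked-out repository."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (hypothetical paths and values).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'CHANGEME_placeholder'\n"      # placeholder: skipped
        "API_KEY = \"k7Qz9pL2mX4vB8nR1wT6\"\n"        # constructed high-entropy value: reported
    ),
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n",  # constructed key ID
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted; constructed)\n",
    "README.md": "Set DB_PASSWORD in the environment, never in this repo.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

In a real engagement the same function would be run over the full git history as well as the working tree, since a rotated secret that still sits in an old commit is still a finding.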

3. Infrastructure Security

Area | What to Assess | Common Findings
Network Segmentation | Is production isolated from dev and corporate networks? | Flat network, everything can talk to everything
Patch Management | How quickly are patches applied? | >90-day patch windows, unpatched critical CVEs
Access Controls | Least privilege? MFA everywhere? | Shared admin accounts, no MFA
Endpoint Security | EDR/antivirus deployed? | Incomplete coverage, outdated signatures
Cloud Config | Security best practices followed? | Public S3 buckets, excessive IAM permissions
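The Patch Management row asks "how quickly are patches applied?", and the management question later on this page asks for mean time to patch critical vulnerabilities. Both can be answered from the target's vulnerability-management export rather than taken on trust. The script below is an added example for this page (not the article's own tooling); it computes mean time to patch per severity, lists open critical items older than the agreed window, and raises the ">90-day" red flag from the table. The inventory, hosts, dates and CVE identifiers are constructed placeholders.

```python
from datetime import date
from statistics import mean

# Assessment date for computing the age of still-open items (constructed).
AS_OF = date(2024, 6, 30)

# Constructed sample export: one row per (host, CVE). "published" is the advisory
# date, "patched" is when the fix landed on that host (None = still open).
# The CVE identifiers are placeholders, not real advisories.
INVENTORY = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "critical",
     "published": date(2024, 1, 10), "patched": date(2024, 1, 25)},
    {"host": "web-02", "cve": "CVE-0000-0001", "severity": "critical",
     "published": date(2024, 1, 10), "patched": date(2024, 5, 20)},
    {"host": "db-01", "cve": "CVE-0000-0002", "severity": "critical",
     "published": date(2024, 2, 1), "patched": None},
    {"host": "app-01", "cve": "CVE-0000-0003", "severity": "high",
     "published": date(2024, 3, 15), "patched": date(2024, 4, 1)},
    {"host": "app-01", "cve": "CVE-0000-0004", "severity": "medium",
     "published": date(2024, 5, 1), "patched": None},
]


def days_to_patch(row, as_of=AS_OF):
    """Days from advisory to fix; for open items, days of exposure so far."""
    end = row["patched"] or as_of
    return (end - row["published"]).days


def mean_time_to_patch(inventory, severity, as_of=AS_OF):
    """Mean days to patch for closed items of one severity; None if none closed."""
    closed = [days_to_patch(r, as_of) for r in inventory
              if r["severity"] == severity and r["patched"] is not None]
    return mean(closed) if closed else None


def open_exposures(inventory, severity, max_days, as_of=AS_OF):
    """Open items of one severity that have exceeded the patch window."""
    return [r for r in inventory
            if r["severity"] == severity and r["patched"] is None
            and days_to_patch(r, as_of) > max_days]


def assess(inventory, as_of=AS_OF, sla_days=90):
    """Summarize critical-severity patch performance against a patch window."""
    criticals = [r for r in inventory if r["severity"] == "critical"]
    longest = max(days_to_patch(r, as_of) for r in criticals) if criticals else 0
    overdue = open_exposures(inventory, "critical", sla_days, as_of)
    return {
        "critical_mttp_days": mean_time_to_patch(inventory, "critical", as_of),
        "overdue_critical": [(r["host"], r["cve"], days_to_patch(r, as_of)) for r in overdue],
        "longest_critical_exposure_days": longest,
        "red_flag": longest > sla_days,
    }


if __name__ == "__main__":
    for k, v in assess(INVENTORY).items():
        print(f"{k}: {v}")
```

Note that a mean alone hides the tail: in the constructed data the average for critical items is 73 days, which looks acceptable against a 90-day window, while one host took 131 days and another is still unpatched after 150. Always report the longest exposure alongside the mean.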

4. Data Security

  • Data Classification: Does the company know what sensitive data it has and where?
  • Encryption at Rest: Are databases, file systems, backups encrypted?
  • Encryption in Transit: TLS everywhere? Certificate management?
  • Access Logging: Who accessed what data and when?
  • Data Retention: Is old data properly disposed of?
  • Backup Security: Are backups encrypted and access-controlled?
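The Access Logging item asks "who accessed what data and when?", and the management question "who has access to production data?" later on this page is best answered from the logs rather than from an org chart. The script below is an added example for this page, not code from the article. It parses a constructed key=value audit-log format (hypothetical; real database audit formats differ), builds a user-by-table access matrix for sensitive production tables, and flags reads by accounts that are not on the production access list or that pull bulk row counts. Table names, accounts and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions for this example: which tables hold regulated data, which accounts
# are approved for production, and what counts as a bulk read.
SENSITIVE_TABLES = {"patients", "payment_cards"}
PROD_ACCESS_ALLOWLIST = {"svc_app", "dba_jane"}
BULK_ROW_THRESHOLD = 10_000

# Constructed sample log lines in a hypothetical key=value audit format.
SAMPLE_LOG = """\
2024-06-01T09:14:09Z user=svc_app db=prod table=orders action=SELECT rows=12
2024-06-01T09:15:30Z user=dba_jane db=prod table=patients action=SELECT rows=3
2024-06-01T02:40:11Z user=svc_etl db=prod table=patients action=SELECT rows=50000
2024-06-02T11:02:45Z user=dev_tom db=prod table=payment_cards action=SELECT rows=200
2024-06-02T11:05:00Z user=svc_app db=staging table=patients action=SELECT rows=50000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) table=(?P<table>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        d["rows"] = int(d["rows"])
        events.append(d)
    return events


def access_matrix(events):
    """Rows read per user per sensitive production table: {user: {table: rows}}."""
    m = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["db"] == "prod" and e["table"] in SENSITIVE_TABLES:
            m[e["user"]][e["table"]] += e["rows"]
    return {u: dict(t) for u, t in m.items()}


def flag_events(events):
    """Sensitive production reads worth a follow-up question, with the reasons."""
    flags = []
    for e in events:
        if e["db"] != "prod" or e["table"] not in SENSITIVE_TABLES:
            continue
        reasons = []
        if e["user"] not in PROD_ACCESS_ALLOWLIST:
            reasons.append("user not on production access list")
        if e["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append("bulk read of sensitive table")
        if reasons:
            flags.append((e["ts"].isoformat(), e["user"], e["table"], reasons))
    return flags


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(access_matrix(events))
    for ts, user, table, reasons in flag_events(events):
        print(ts, user, table, "; ".join(reasons))
```

The point of the matrix is to compare it with what management says: an account that appears in the log but not on the access list is either an undocumented grant or a shared credential, and either answer belongs in the findings.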

Vulnerability Assessment Methods

Automated Scanning

Quick, broad coverage but limited depth:

  • Network Scanning: Nessus, Qualys, OpenVAS
  • Web App Scanning: Burp Suite, OWASP ZAP, Acunetix
  • Cloud Config: AWS Inspector, Azure Security Center, Prowler
  • Container Scanning: Trivy, Clair, Anchore
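The cloud configuration scanners listed above work by evaluating account policy documents against a rule set. The following added example (written for this page, not taken from the article or from any of the named tools) shows what two of the most common such rules look like: an IAM policy check for wildcard actions on all resources, and an S3 bucket policy check for statements open to any principal, which are exactly the "public S3 buckets, excessive IAM permissions" findings from the infrastructure table. The policy documents are constructed; the account ID and bucket names are placeholders.

```python
import json

# Constructed sample policies (illustrative, not from any real account).
IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"], "Resource": "*"},
    ],
})

PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::customer-exports/*"}
    ],
})

RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}
    ],
})


def _as_list(v):
    """Policy fields may be a single value or a list; normalize to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _statements(policy_json):
    return _as_list(json.loads(policy_json).get("Statement"))


def excessive_iam_statements(policy_json):
    """Allow statements granting a global or whole-service wildcard on all resources."""
    findings = []
    for i, st in enumerate(_statements(policy_json)):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions and "*" in resources:
            findings.append({"statement": i, "actions": wild_actions})
    return findings


def _is_public_principal(p):
    # Both "*" and {"AWS": "*"} mean "anyone".
    if p == "*":
        return True
    if isinstance(p, dict):
        return "*" in _as_list(p.get("AWS"))
    return False


def public_bucket_statements(policy_json):
    """Indexes of Allow statements open to any principal with no Condition narrowing them.

    Simplification: any Condition block is assumed to narrow the grant; a real
    scanner would inspect the condition keys.
    """
    return [i for i, st in enumerate(_statements(policy_json))
            if st.get("Effect") == "Allow"
            and _is_public_principal(st.get("Principal"))
            and not st.get("Condition")]


if __name__ == "__main__":
    print("excessive IAM:", excessive_iam_statements(IAM_POLICY))
    print("public bucket statements:", public_bucket_statements(PUBLIC_BUCKET_POLICY))
    print("restricted bucket statements:", public_bucket_statements(RESTRICTED_BUCKET_POLICY))
```

Running the real scanners is still the right move in diligence, but knowing what a rule actually tests makes it much easier to read their reports and to push back on "it's a false positive" explanations.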

Penetration Testing

Deeper assessment by security experts:

Type | Scope | Duration | Cost Range
External Network Pentest | Internet-facing systems | 1-2 weeks | $15K - $40K
Web Application Pentest | Specific application | 1-3 weeks | $20K - $50K
Internal Network Pentest | Assume-breach scenario | 1-2 weeks | $20K - $40K
Red Team Exercise | Full attack simulation | 4-8 weeks | $75K - $200K

Code Review (Security-Focused)

Expert review of security-critical code paths:

  • Authentication and authorization logic
  • Input validation and sanitization
  • Cryptographic implementations
  • Session management
  • API security

Common Vulnerability Categories (OWASP Top 10 2021)

Vulnerability | Risk | Remediation Complexity
Broken Access Control | Unauthorized data access | Medium - requires architecture review
Cryptographic Failures | Data exposure | Medium - implementation changes
Injection | Data breach, system compromise | Low-Medium - code fixes
Insecure Design | Fundamental security flaws | High - may require redesign
Security Misconfiguration | Various | Low - configuration changes
Vulnerable Components | Known exploits | Low-Medium - updates
Auth Failures | Account compromise | Medium - auth redesign
Data Integrity Failures | Tampering, malware | Medium - pipeline changes
Logging Failures | Undetected breaches | Low - implementation
SSRF | Internal system access | Medium - code fixes
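The Injection row rates remediation as "Low-Medium - code fixes", which is accurate for the common case: the fix is to stop building SQL from strings and let the driver bind parameters. The snippet below is an added example for this page (not the article's code) that puts the vulnerable form next to the fixed one against an in-memory SQLite table with constructed customer rows. It also shows why a security-focused code review should test both a tautology input and an innocent apostrophe: the string-built query over-returns on the first (exposing another tenant's rows, so the same defect is also a Broken Access Control finding) and errors on the second, while the parameterized query handles both correctly.

```python
import sqlite3


def seed_db():
    """Create an in-memory table with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO customers (email, tenant) VALUES (?, ?)", [
        ("alice@example.com", "acme"),
        ("bob@example.com", "acme"),
        ("carol@example.com", "globex"),
    ])
    return conn


def find_by_email_vulnerable(conn, tenant, email):
    # 'Before' form: user input is pasted into the SQL text, so it can change the query.
    sql = f"SELECT email FROM customers WHERE tenant = '{tenant}' AND email = '{email}'"
    return [r[0] for r in conn.execute(sql)]


def find_by_email_fixed(conn, tenant, email):
    # 'After' form: values are bound by the driver and never parsed as SQL.
    sql = "SELECT email FROM customers WHERE tenant = ? AND email = ?"
    return [r[0] for r in conn.execute(sql, (tenant, email))]


def compare(conn, tenant, email):
    """Run both forms on the same input; the vulnerable one may error or over-return."""
    try:
        vuln = find_by_email_vulnerable(conn, tenant, email)
    except sqlite3.OperationalError as e:
        vuln = f"error: {e}"
    return vuln, find_by_email_fixed(conn, tenant, email)


if __name__ == "__main__":
    conn = seed_db()
    for probe in ["alice@example.com", "o'brien@example.com", "x' OR '1'='1"]:
        vuln, fixed = compare(conn, "acme", probe)
        print(f"{probe!r:28} vulnerable={vuln!s:60} fixed={fixed}")
```

When reviewing a codebase, grep for string formatting or concatenation that feeds an `execute` call; every such site is a candidate finding, and the remediation cost scales with how many there are rather than with how hard each one is to fix.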

Security Red Flags and Cost Estimates

Red Flag | Risk Level | Remediation Cost
No security team or CISO | High | $200K-$400K/year (hiring + program)
No penetration testing history | High | $50K-$150K (initial + remediation)
Critical unpatched vulnerabilities | Critical | $25K-$100K + breach risk
Credentials in source code | Critical | $25K-$75K (rotation + secrets mgmt)
No encryption for PII/sensitive data | Critical | $100K-$500K
No incident response plan | High | $50K-$100K
Failed compliance audit | High | $100K-$1M+ (depends on gap)
Previous unreported breach | Critical | Legal exposure + remediation

Compliance Framework Assessment

Framework | Applies To | Key Requirements | Audit Cost
SOC 2 | SaaS, service providers | Security, availability, processing integrity, confidentiality, privacy | $30K-$100K
PCI DSS | Payment processing | 12 requirements for cardholder data | $50K-$200K
HIPAA | Healthcare data | Privacy, security, breach notification | $50K-$150K
GDPR | EU personal data | Consent, data rights, breach notification | Varies by scope
ISO 27001 | Any organization | ISMS implementation | $50K-$150K

Security Due Diligence Checklist

Documents to Request:

  • Security policies and procedures
  • Recent penetration test reports
  • Vulnerability scan results
  • Compliance certifications and audit reports
  • Incident response plan
  • Security architecture documentation
  • Vendor security assessments
  • Security awareness training records
  • Breach history and notification records

Questions for Management:

  • "Have you ever experienced a data breach?" (Watch for hesitation)
  • "When was your last penetration test? Who performed it?"
  • "How do you handle vulnerability disclosure?"
  • "What's your mean time to patch critical vulnerabilities?"
  • "Who has access to production data?"

The Undisclosed Breach: When Security History Surfaces

During TDD of a healthcare SaaS company, our security team discovered something management hadn't disclosed: evidence of a prior breach in server logs. Further investigation revealed that 18 months earlier, an attacker had accessed a database containing 50,000 patient records.

The company had quietly patched the vulnerability but never notified affected patients or the HHS—a clear HIPAA violation. When confronted, leadership claimed they "didn't think it was a reportable incident."

The acquirer renegotiated the deal: $4M price reduction for remediation costs and potential fines, plus a $2M escrow holdback for potential litigation. Six months post-close, HHS did investigate, resulting in a $1.2M fine—covered by the escrow.

Outcome: Without TDD discovery, the buyer would have inherited full liability.

Key Takeaway: Security issues are rarely deal-breakers, but they always require quantification. The goal is to understand: (1) What is the current security posture? (2) What are the gaps? (3) What will remediation cost? (4) What is the residual risk exposure? Factor all of this into deal economics, whether as price adjustments, escrow holdbacks, or R&W insurance considerations.