The role of cybersecurity due diligence in Mergers and Acquisitions

The role of cybersecurity in mergers and acquisitions

SHARE

Loading the Elevenlabs Text to Speech AudioNative Player...

Cybersecurity due diligence process in mergers and acquisitions is crucial for identifying potential vulnerabilities, threats, liabilities and cyber risks that may be inherited as part of a merger.  Integrating these assessments early in the M&A process can greatly influence negotiations, reduce unforeseen risks, and support better decision-making. This proactive approach is essential for protecting investments, ensuring they adhere to regulatory compliance practices, and securing sensitive data against breaches and cyber attacks.

In this article, we explain the role and the process of M&A cybersecurity due diligence, and offer insights and advice based on our experience in securing such transactions.

What is cybersecurity due diligence in M&A and divestitures?

Cybersecurity due diligence in M&A is the assessment of a target company’s cyber risk before a transaction closes. It looks for existing compromise, exploitable technical weaknesses, security governance gaps, data protection issues, third-party exposure, and remediation obligations the buyer may inherit.

This process is crucial for identifying potential vulnerabilities, threats, liabilities and cyber risks that may be inherited as part of a merger. It serves as input to understand the cost of remediation and can influence the valuation or even change the course of the deal. Such assessments are crucial to provide additional insights into negotiations and reduce risks that could emerge down the line once the transaction is complete. We can distinguish three main areas in which cybersecurity due diligence assessments are performed:

  • Cybersecurity due diligence of procedures and policies such as risk management, incident response plan, IT asset management, application security posture management, identity threat detection and response, etc.
  • Technical cybersecurity due diligence, including penetration testing, breach assessment, source code review, etc.
  • Cybersecurity awareness and culture in the organization.

When is cybersecurity due diligence performed during the M&A process?

The due diligence process can be implemented at various stages of an M&A deal. According to a 2019 study by Forescout, 38% of respondents (senior manager-level IT and business decision-makers) declared that they started a cybersecurity assessment already at the strategy creation step, the earliest pre-deal phase of the M&A process. 33% did so during the target screening, 22% during the diligence and evaluation stage, and only 6% reported performing a security assessment during the integration phase.

M&A cybersecurity due diligence

How is technical cybersecurity due diligence for M&A performed? 

Many buy-side companies hire an external contractor to execute a technical cybersecurity assessment of their target. This guarantees that the sell-side’s security controls are challenged from an independent perspective, and its cybersecurity risks and data privacy threats can truly be revealed. The security assessment also allows the buyers to integrate the security review results into their risk analysis and even the valuation of the M&A.

A comprehensive technical cybersecurity assessment involves several key actions designed to uncover potential risks and vulnerabilities. These actions ensure that the acquiring company fully understands the target organization’s cybersecurity landscape and risk exposure. The primary components of this assessment include breach assessment, attack surface mapping and discovery, penetration testing, and source code security review.

Technical cybersecurity due diligence for M&A

Key assessments performed during technical cybersecurity due diligence

Breach assessment

A breach assessment aims to identify any indicators of compromise or ongoing security incidents within the target company’s network. This involves examining logs, network traffic, and alerts from security operation centers and their tools, such as EDRs and SIEMs, for any anomalies or known breach patterns to detect signs of unauthorized access, data exfiltration, or other malicious activities.

Discovering a breach before finalizing the transaction allows the acquiring company to address the issue proactively, potentially renegotiate terms, or even reconsider the deal if the risks are too significant.

Attack surface mapping & discovery

Attack surface mapping and discovery in the context of M&A due diligence usually involves identifying all potential entry points for cyber attacks within the target company’s external-facing IT environment, from SaaS-based cloud solutions and on-premise hosted systems to shadow IT.

By understanding the full scope of the attack surface that is exposed externally, the acquiring company can better evaluate the target’s vulnerability to cyber threats. This knowledge is essential for developing a robust post-acquisition cybersecurity strategy.

Penetration testing

Penetration testing is a simulated cyber attack on the target company’s systems to identify vulnerabilities that malicious actors could exploit. This technical assessment evaluates the effectiveness of existing security measures and provides insights into the target company’s ability to detect and respond to real-world threats.

Penetration testing in the context of M&As is very dependent on the target acquisition and its core business, but in our experience, it typically includes a focused product security assessment (especially if it’s a SaaS company), pentesting of external and internal networks, application security testing of business-critical applications, and cloud security assessments.

Source code security review

For technology companies and other businesses heavily reliant on proprietary software, a security-oriented source code review is an essential component of cybersecurity due diligence. This review involves analyzing the target company’s source code to uncover hidden vulnerabilities, backdoors, and other security weaknesses that could be exploited. By ensuring that the software is reasonably secure and less prone to critical flaws, the acquiring company can mitigate the risk of future attacks and protect its intellectual property.

Performing these key actions as part of the cybersecurity due diligence process enables organizations to make informed decisions, minimize risks, and ensure a smoother transition post-transaction. By prioritizing technical cybersecurity assessments, companies can better protect their investments and position themselves for long-term success in their M&A activities.

Cloud and identity security review

Cloud and identity controls are now central to M&A cyber risk. Many serious breaches begin with compromised credentials, weak multifactor authentication, excessive privileges, or misconfigured cloud permissions. Once an attacker has valid access, traditional perimeter controls may matter very little.

A cloud and identity review should assess how users authenticate, how privileged access is granted, whether MFA is enforced consistently, how service accounts are managed, whether cloud roles are over-permissive, whether logging is enabled, and whether sensitive resources are exposed. It should also examine stale accounts, third-party users, SaaS administration rights, and joiner, mover, and leaver processes.

One of the most common diligence problems is overstated MFA coverage. A company may say MFA is enabled, but closer review shows exceptions for administrators, remote access, source code platforms, legacy systems, or third-party portals. From an attacker’s perspective, those exceptions define the real security posture.

Cyber risks in the M&A process

Purchasing a company with a compromised database or active cyber threats can lead to substantial liabilities. Due to undisclosed breaches, companies have faced class-action lawsuits, regulatory fines, and damaged reputations. Additionally, Material Adverse Change/Effect (MAC or MAE) clauses can be triggered, potentially allowing purchasers to exit transactions without further obligation.

In recent years, hackers have specifically targeted companies in the midst of M&A activities, aiming to exploit confidential information and extort ransoms. In 2021, several companies were attacked during the private negotiation stage, with attackers using Trojan malware to scan for keywords indicating M&A intentions, such as “10-Q1,” “Nasdaq,” “Marketwired,” and “Newswire.”

In late 2021, two months after being acquired by a private equity firm, a midsize manufacturer paid $1.2 million to a ransomware group with suspected links to REvil. This incident, reported by the Wall Street Journal, highlights a growing trend where ransomware groups target midmarket acquisition targets, posing risks for private equity and venture capital firms. Midsize companies, often with less robust cybersecurity, attract attackers seeking substantial payouts without the geopolitical risks of larger targets.

Let’s now take a look at specific security risks that organizations involved in mergers, acquisitions or divestitures face.

Data breaches

Unauthorized access and confidential information exposure are among the most serious threats to companies undergoing the M&A process. Attackers may gain access to financial records, intellectual property, customer data, employee information, source code, deal-room contents, or other sensitive material.

This risk applies not only to the target company’s internal systems, but also to the digital data rooms and third-party platforms used during the transaction. If a breach predates the deal and is discovered after close, the buyer may inherit the cost of investigation, remediation, notification, and regulatory response.

Identity and access compromise

Identity systems are one of the highest-risk areas in M&A because they control access to cloud platforms, source code repositories, production systems, email, SaaS tools, and sensitive deal data. Attackers may use stolen credentials, weak MFA, stale accounts, overprivileged users, or poorly monitored third-party access to gain a foothold before or during the transaction.

For buyers, the risk is inheriting an identity environment that cannot be trusted. For sellers, weak identity controls can become a major diligence finding because they affect breach likelihood, integration safety, and post-close access control. Identity review should therefore cover MFA enforcement, privileged access, dormant accounts, service accounts, conditional access, third-party users, and logging

Cloud and SaaS misconfiguration

Cloud platforms and SaaS tools often hold the systems and data that matter most in an acquisition: customer records, source code, financial data, production workloads, backups, analytics, and collaboration spaces. Misconfigured storage, excessive IAM permissions, exposed management interfaces, weak logging, and unmanaged SaaS administrator accounts can create serious inherited risk.

During M&A, these issues are easy to miss because cloud ownership is often distributed across engineering, IT, security, finance, and business teams. A buyer should not assume that a target’s cloud environment is secure because it uses a major provider. The diligence process should validate configuration, permissions, monitoring, backup protection, and exposure across cloud and SaaS environments.

Ransomware attacks

Cybercriminals may deploy ransomware to encrypt vital data, disrupt operations, and pressure the target through data theft or public extortion. This is especially damaging during M&A, when downtime, customer concern, regulatory scrutiny, and uncertainty can directly affect negotiations or integration. Verizon’s 2024 Data Breach Investigations Report found that roughly one-third of breaches involved ransomware or another extortion technique, making ransomware resilience a key diligence area for buyers and sellers.

A recent example is the 2024 ransomware attack on Change Healthcare, which had been acquired by UnitedHealth Group’s Optum unit in 2022. Attackers used stolen credentials to access a Citrix remote access portal that reportedly did not have multifactor authentication enabled. The incident disrupted pharmacy and claims processing across the United States, exposed protected health information at massive scale, and drove response and disruption costs into the billions. The case illustrates a core M&A lesson: when acquiring a company, buyers also acquire the target’s identity controls, remote access exposure, incident history, and unresolved security debt.

Supply chain attacks

Cybercriminals exploit vulnerabilities in third-party vendors, managed service providers, file-transfer platforms, SaaS tools, open-source dependencies, CI/CD pipelines, or software build processes to gain access to broader environments. In M&A, this matters because buyers inherit not only the target’s internal systems, but also its vendor relationships and software supply chain exposure.

The 2023 MOVEit Transfer attacks are a current example. CISA and the FBI warned that the Cl0p ransomware group exploited CVE-2023-34362 in Progress MOVEit Transfer, a widely used managed file-transfer product. A single vendor or software dependency in the target’s stack can therefore create cascading exposure that the buyer inherits with the deal.

Phishing and social engineering

Employees involved in the M&A process can be targeted with sophisticated phishing emails, credential-theft campaigns, help-desk manipulation, or malware designed to steal sensitive information. Cybercriminals may also impersonate executives, advisors, or other key personnel to trick employees into divulging credentials, approving payments, sharing documents, or performing unauthorized actions. The 2023 MGM Resorts incident showed how operationally damaging these attacks can be, with the breach was estimated to cost the company more than $100 million.

Insider threats

During M&A processes, employees, contractors, or partners with access to sensitive information may intentionally or unintentionally leak data. This can happen because of dissatisfaction with the transaction, financial incentives, uncertainty about future roles, or simple mishandling of confidential information under time pressure.

Access to data rooms, source code, customer lists, financial forecasts, integration plans, and privileged systems should therefore be tightly controlled, monitored, and revoked when no longer needed.

How cybersecurity findings affect an M&A deal

Cybersecurity findings matter in M&A when they change what the buyer is willing to pay, what protections the buyer needs, or what must be fixed before the business can be integrated safely.

A missing MFA control, exposed remote access portal, weak cloud IAM, hard-coded secrets, or incomplete logging are not just technical observations. In a transaction, they become commercial questions: how likely is exploitation, what would remediation cost, could sensitive data already be exposed, and who should carry that risk after close?

Finding Potential deal impact
Active compromise May require incident response before close, delay, specific indemnity, or walk-away discussion.
No MFA on remote access May become a closing condition or urgent remediation item, especially if sensitive data or critical operations are involved.
Missing logs or short retention Reduces confidence in breach assessment and increases uncertainty around historical compromise.
Hard-coded secrets in source code Requires credential rotation, repository cleanup, code remediation, and validation.
Weak cloud IAM Creates post-close compromise risk and should feed into Day 1 or first 100-day remediation.
Exposed sensitive data Triggers legal, regulatory, contractual, and notification review.
Weak tenant isolation Can be material in SaaS acquisitions because it may expose customer data across environments.
Unmanaged third-party access Creates inherited supply chain exposure and may require immediate access review.

Lessons learned from cyber disasters in M&A

  • Cybersecurity due diligence needs to be performed early – the integration stage is often too late
  • Target company’s cybersecurity practices, certifications, and processes, especially those related to handling personal data, need to be thoroughly assessed
  • The sell-side’s cybersecurity culture matters – employees’ and the board’s understanding of data security protocols is a good indicator of the company’s security risks

How to choose cybersecurity services to assist with M&A

Choosing a cybersecurity partner for an M&A transaction requires more than finding a standard penetration testing provider. The right firm needs to understand both technical security risk and the deal context: compressed timelines, limited access, confidentiality constraints, integration concerns, and the difference between a routine vulnerability and a finding that can affect valuation or closing conditions.

Start with scope and decision-making needs. Define what the assessment must cover and what decisions it needs to support. The scope may include infrastructure, cloud environments, applications, source code, incident history, compliance posture, data protection, or post-acquisition integration risk. The output should help the deal team decide whether to proceed, renegotiate, require remediation, adjust valuation, or plan Day-1 controls.

Prioritize M&A experience and offensive security expertise. Look for firms with direct M&A due diligence experience, strong technical testing capability, and the ability to produce clear reports for both technical and non-technical stakeholders. Relevant certifications and frameworks can help, including CREST, CISSP, OSCP, SANS, ISO/IEC 27001, NIST, SOC 2, GDPR, HIPAA, and PCI DSS, but credentials alone are not enough. The provider must be able to explain which findings matter to the transaction and why.

Evaluate reporting quality and post-assessment support. A strong cybersecurity partner should offer tailored scoping, practical remediation guidance, transparent pricing, and support beyond the initial assessment where needed, including post-acquisition validation, ongoing monitoring, and incident response readiness. Avoid providers that deliver only automated scan output; M&A teams need evidence, prioritization, and business impact.

How Blaze can bring cybersecurity into your next M&A transaction

Working with Blaze in your next M&A project gives your organization independent technical evidence to negotiate, remediate, and integrate with more confidence. A cybersecurity assessment during due diligence helps your team understand the target company’s real security posture before risks become inherited liabilities.

We are offensive cybersecurity specialists with a strong track record in technical assessments for M&A. Our work helps buyers and sellers identify material cyber risks, validate whether those risks are exploitable, and document the findings clearly enough for deal teams, legal counsel, executives, and technical teams to act on them.

Below are the services we offer depending on the type of transaction and which side your organization is on.

If you’re on the buy side

  • M&A cybersecurity assessment to evaluate the target company’s security maturity, cyber risk profile, and exposure before the transaction closes.
  • External attack surface discovery to identify exposed systems, vulnerable services, shadow IT, and third-party exposure.
  • Penetration testing of external infrastructure, internal networks, web and mobile applications, APIs, cloud environments, and other business-critical systems.
  • Cloud security review to assess cloud configuration, IAM permissions, exposed resources, logging, and security architecture across AWS, Azure, or Google Cloud.
  • Source code security review to identify hard-coded secrets, insecure dependencies, authorization flaws, weak cryptography, and other code-level risks.
  • M&A reporting and remediation guidance to help the deal team understand which findings matter, what should be fixed, and how the risks may affect integration.

If you’re selling or divesting

  • Pre-sale cybersecurity readiness assessment to identify and fix issues before buyer diligence begins.
  • Attack surface review to find exposed assets, abandoned systems, vulnerable services, and shadow IT before they become buyer findings.
  • Penetration testing and remediation support to validate the security of infrastructure, applications, APIs, cloud environments, and critical business systems.
  • Cloud and identity review to assess MFA coverage, privileged access, stale accounts, SaaS administration, cloud permissions, and logging.
  • Source code and product security review to identify hard-coded secrets, vulnerable dependencies, authorization flaws, and other software risks.
  • Divestiture and carve-out security assessment to identify risks from shared systems, shared identity environments, vendor access, orphaned accounts, residual data, and transitional infrastructure.
  • Security evidence preparation to help document findings, remediation actions, and technical controls for buyer review.

FAQ

What is cybersecurity due diligence in M&A?

Cybersecurity due diligence in M&A is the assessment of a target company’s security posture, breach exposure, technical vulnerabilities, governance, data protection practices, third-party risk, and inherited cyber liability before a transaction closes. Its purpose is to help buyers understand what they may inherit and help sellers prepare for scrutiny before the deal process exposes weaknesses.

When should cybersecurity due diligence start?

Cybersecurity due diligence should start as early as the deal process allows. Before LOI, buyers can perform external attack surface review and public exposure analysis. During formal diligence, the work should expand into breach assessment, penetration testing, cloud and identity review, application testing, source code review, and governance analysis.

What should be included in M&A cybersecurity due diligence?

A strong assessment should include breach assessment, attack surface mapping, penetration testing, cloud and identity review, application and API testing, source code review where relevant, governance review, third-party risk analysis, and remediation planning. The exact scope should reflect the target’s business model, technology stack, regulatory exposure, and deal structure.

What are the biggest cybersecurity red flags in M&A?

The biggest red flags include active compromise, no MFA on remote access, weak privileged access controls, missing logs, unknown internet-facing assets, unresolved critical vulnerabilities, exposed sensitive data, hard-coded secrets, weak cloud IAM, poor third-party access controls, and serious source code security flaws

About the author

Picture of Ewelina Baran

Ewelina Baran

Ewelina is a SEO copywriter specialized in technology, more specifically in cybersecurity. She holds a masters degree in English Philology from Jagiellonian University, Krakow.

RELATED POSTS

Ready to take your security
to the next level?

We are! Let’s discuss how we can work together to create strong defenses against real-life cyber threats.

Stay informed, stay secure

Subscribe to our monthly newsletter

Get notified about new articles, industry insights and cybersecurity news