Cybersecurity due diligence is now a standard component of merger and acquisition deal-making — yet it remains poorly executed in the majority of transactions. The consequences of that gap are well-documented. When Verizon acquired Yahoo in 2017, the deal price was cut by $350 million — to $4.48 billion — after Yahoo disclosed two massive data breaches, then known to affect more than 1.5 billion accounts, that it had failed to disclose during negotiations (Verizon–Yahoo amended merger agreement, SEC filing, Feb. 21, 2017). Yahoo later revised the larger breach to all 3 billion of its accounts, but that disclosure came in October 2017, after the deal had closed. When Marriott acquired Starwood in 2016, it inherited a breach of Starwood's reservation system that had been running undetected since 2014, ultimately exposing roughly 339 million guest records and drawing an £18.4 million (about $23.7 million) GDPR fine from the UK ICO (ICO Monetary Penalty Notice, 30 October 2020). Heartland Payment Systems had been compromised for months when it was eventually acquired. In each case, the acquiring entity absorbed the liability, the remediation cost, and the reputational damage of security failures that originated before the transaction closed.
These are not edge cases. A 2022 IBM study found that 83% of organizations had experienced more than one data breach, and a significant percentage of those breaches were never publicly disclosed prior to acquisition. Cyber risk routinely surfaces only after a deal closes: in Forescout's survey of M&A decision-makers, 52% reported that a major undisclosed or undiscovered cybersecurity risk came to light during post-closing integration, and 65% experienced buyer's remorse over a deal's cybersecurity exposure (Forescout, "The Role of Cybersecurity in M&A Diligence," 2019). For any company conducting M&A activity in 2026, cybersecurity due diligence is not optional — it is fiduciary responsibility.
Why Cybersecurity Due Diligence Is Uniquely Difficult
Traditional financial due diligence has decades of standardized methodology behind it. Cybersecurity due diligence does not. Security posture is inherently difficult to assess from the outside: attackers who have already compromised a network leave traces that require deep forensic investigation to find, and many targets will not permit authenticated internal access prior to close. This creates an information asymmetry problem — the seller knows (or should know) the true state of their security, while the acquirer is operating with incomplete information.
Additionally, cybersecurity liability does not always present itself on a balance sheet. A compromised network may show no visible symptoms for months. An unpatched vulnerability in a legacy system may not have been exploited yet but represents real exposure. Regulatory non-compliance — say, a HIPAA violation or a NYDFS 500 deficiency — creates contingent liability that traditional financial due diligence will not surface.
What to Assess: The Due Diligence Domains
Historical Breach Record and Active Incidents
The first question is whether the target has ever experienced a data breach, security incident, or ransomware attack — and if so, what remediation was completed. Representations and warranties in the purchase agreement should explicitly address undisclosed incidents. Engage an external forensics firm to conduct a compromise assessment, particularly looking for indicators of persistence (scheduled tasks, registry run keys, unusual outbound connections, PowerShell execution history). A threat intelligence query against the target's IP ranges and domain names can reveal whether they appear in breach databases, dark web credential markets, or botnet command-and-control logs.
Network Architecture and Segmentation
Flat networks — where any workstation can reach any server — are a structural amplifier for breaches. Assess whether the target has implemented network segmentation between business units, whether production environments are isolated from corporate networks, and whether there is meaningful separation between IT and OT/IoT systems if applicable. A network diagram review paired with a firewall ruleset audit will reveal whether segmentation is genuine or cosmetic.
Credential Hygiene and Identity Management
Review Active Directory configuration: are there excessive domain admin accounts? Are service accounts running with domain admin privileges? Is privileged access management (PAM) in place? Check for password age policies, MFA enforcement rates, and whether single sign-on (SSO) is deployed across SaaS applications or whether employees are managing credentials in spreadsheets. According to the Verizon DBIR (2026), 39% of breaches involve stolen credentials — poor credential hygiene is not a minor finding.
Patch Levels and Vulnerability Exposure
An external attack surface management (ASM) scan of the target's internet-facing assets will surface unpatched vulnerabilities without requiring internal access. Look specifically for critical and high CVEs on internet-facing systems — these represent the attacker's most likely initial access vector. Internally, we hold endpoints to a 95%+ compliance target for critical patches within the one-month window that PCI DSS v4.0.1 Requirement 6.3.3 sets for critical and high-severity updates. Legacy operating systems (Windows Server 2008, Windows 7) are immediate red flags.
Compliance Status
Map the target's regulatory obligations: are they subject to PCI DSS, HIPAA, NYDFS 500, SOC 2, or GDPR? Request the most recent audit reports, penetration test reports, and any regulatory examination findings. Gaps in compliance represent contingent liability — regulators do not care that the acquiring entity did not create the problem, only that the combined entity is now responsible for it.
Third-Party Integrations and Vendor Risk
Modern organizations expose significant attack surface through their vendor ecosystem. Review the target's critical vendor list, their vendor security questionnaire process (if any), and whether any vendors have privileged network access. SolarWinds and Kaseya demonstrated that trusted vendor software can be weaponized — a target with dozens of unvetted vendor integrations is carrying risk that does not appear on any financial statement.
Technical Assessment Methodology
A comprehensive cybersecurity due diligence engagement for a mid-size acquisition target typically involves four components. First, an external attack surface assessment that enumerates internet-facing assets, identifies exposed services, and scores vulnerability exposure using CVSS. Second, a security questionnaire modeled on the CAIQ (Cloud Security Alliance) or SIG frameworks, completed by the target's security team with supporting evidence. Third, if deal structure permits, an authenticated internal assessment covering Active Directory, network architecture, and endpoint configuration. Fourth, a compromise assessment using threat intelligence feeds and log analysis to look for evidence of past or ongoing intrusion.
The output of this work feeds directly into deal negotiations. Material findings — active compromises, critical unpatched vulnerabilities, undisclosed breaches, regulatory non-compliance — may justify price adjustments, escrow arrangements, or representation and warranty insurance claims. Fortress MSSP provides M&A cybersecurity due diligence services that integrate with your deal team's timeline and deliver findings in formats that both technical and legal stakeholders can act on.
Representation and Warranty Insurance
R&W insurance has become standard in private equity M&A transactions, and cybersecurity representations are increasingly a specific carve-out requiring dedicated attention. Underwriters will ask for evidence of a pre-close cybersecurity assessment, and premiums are affected by the quality of the target's security posture. A clean assessment report can meaningfully reduce R&W insurance costs while providing the acquirer with additional protection against post-close breach discovery.
The 100-Day Post-Close Integration Plan
Cybersecurity due diligence does not end at closing. The 100-day post-close period is the highest-risk window: two organizations with different security configurations, different tool sets, and different user populations are being brought together, often under time pressure. Network connectivity is extended, access permissions are replicated, and attackers who were watching the transaction announcement know this is a period of organizational distraction. A structured 100-day security integration plan — covering network isolation policy, credential migration, tool rationalization, and incident response coordination — is essential to managing this transition without creating new exposure. Engaging a virtual CISO to own this process is a cost-effective approach for acquirers who do not have an internal CISO with M&A integration experience.