What is M&A Cyber Due Diligence?


M&A cyber due diligence assesses a target's cybersecurity posture before acquisition. Learn what it covers, what it finds, and how findings affect deal terms and valuation.

What M&A Cyber Due Diligence Covers

Cyber due diligence is an assessment of the target organization's cybersecurity posture, historical incident activity, regulatory compliance status, and technical security controls. A comprehensive cyber due diligence program evaluates: the attack surface (what external-facing systems exist and what vulnerabilities they carry), identity and access controls (how authentication is managed, whether privileged access is controlled, what the MFA coverage is), endpoint security (EDR deployment, patch currency, device management), cloud environment security (IAM configuration, storage access controls, logging), email security, network architecture and segmentation, incident history and current threat indicators, and the people and processes that make security controls operational.

The Information Access Problem

Cyber due diligence is complicated by information access constraints. Unlike financial due diligence where the target provides documents for review, cyber due diligence ideally involves direct technical access to evaluate controls — read-only access to cloud management consoles, Microsoft 365 security configurations, network diagrams, and system inventory. Pre-letter-of-intent access is limited; post-LOI access varies by seller willingness and deal structure. Independent technical assessment that does not require seller cooperation — external attack surface enumeration, DMARC and DNS analysis, OSINT gathering — provides initial signal regardless of access constraints.
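The DMARC and SPF analysis mentioned above is one of the few checks that needs nothing from the seller, because both policies are published in public DNS TXT records. The following Python script is an added illustration, not Cloudskope's tooling: it parses DMARC and SPF records and grades the weaknesses an acquirer would want flagged (monitor-only DMARC, partial enforcement, a weaker subdomain policy, missing aggregate reporting, permissive SPF terminators, and the ten-lookup limit from RFC 7208). The domain names and records are constructed; in a real assessment the records would be fetched from `_dmarc.<domain>` and `<domain>` TXT lookups instead of the inline table.

```python
"""Grade DMARC and SPF TXT records for weak settings (offline, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


_SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
_DNS_QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tag_value(record: str) -> dict:
    """Parse DMARC 'tag=value; tag=value' syntax into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> list:
    """Return findings for one DMARC record (None means no record published)."""
    if record is None:
        return [Finding("high", "no DMARC record; spoofed mail from this domain is not rejected")]
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "malformed DMARC record (missing v=DMARC1)")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "p=none is monitor-only; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine; p=reject would block spoofed mail outright"))
    elif policy != "reject":
        findings.append(Finding("high", f"policy tag missing or unknown: {policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"policy is applied to only pct={pct}% of mail"))
    sp = tags.get("sp", policy).lower()          # subdomain policy defaults to p=
    if _POLICY_RANK.get(sp, 0) < _POLICY_RANK.get(policy, 0):
        findings.append(Finding("medium", f"subdomain policy sp={sp} is weaker than p={policy}"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address; authentication failures are never reported"))
    return findings


def _mechanism_name(term: str) -> str:
    """'~all' -> 'all', 'include:x' -> 'include', 'redirect=x' -> 'redirect', 'a/24' -> 'a'."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def assess_spf(record: Optional[str]) -> list:
    """Return findings for one SPF record (None means no record published)."""
    if record is None:
        return [Finding("high", "no SPF record; receivers cannot check the sending host")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "malformed SPF record (missing v=spf1)")]
    findings = []
    all_term = next((t.lower() for t in terms[1:] if _mechanism_name(t) == "all"), None)
    if all_term is None:
        findings.append(Finding("medium", "no 'all' mechanism; unlisted senders get a neutral result"))
    elif all_term in ("+all", "all"):
        findings.append(Finding("high", "+all lets any host on the internet send as this domain"))
    elif all_term == "?all":
        findings.append(Finding("medium", "?all (neutral) gives receivers nothing to act on"))
    elif all_term == "~all":
        findings.append(Finding("low", "~all (softfail); -all is the strict form"))
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms yields permerror.
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in _DNS_QUERYING)
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)"))
    return findings


def highest_severity(findings: list) -> str:
    return max((f.severity for f in findings), key=_SEVERITY_RANK.__getitem__, default="none")


# Constructed sample records standing in for real DNS TXT lookups.
SAMPLE_RECORDS = {
    "target-a.example": {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@target-a.example",
                         "spf": "v=spf1 include:_spf.example.net ~all"},
    "target-b.example": {"dmarc": None, "spf": "v=spf1 a mx +all"},
    "target-c.example": {"dmarc": "v=DMARC1; p=reject; sp=none; pct=50",
                         "spf": "v=spf1 include:_spf.example.net -all"},
}


def assess_domain(domain: str) -> list:
    rec = SAMPLE_RECORDS[domain]
    return assess_dmarc(rec["dmarc"]) + assess_spf(rec["spf"])


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        findings = assess_domain(domain)
        print(f"{domain}: overall {highest_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The grades are deliberately coarse: a p=none record on a domain that sends no mail is low risk, and a p=reject record with pct=50 is half-enforced, so the output is a screening signal to be read alongside the rest of the external assessment rather than a verdict.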

What Cyber Due Diligence Finds

In Cloudskope's experience across hundreds of M&A cyber due diligence engagements, the most common material findings fall into consistent patterns. Credential exposure — executive or privileged account credentials in breach databases accessible to threat actors — appears in a significant majority of engagements. Unpatched critical vulnerabilities in internet-facing systems appear consistently in organizations whose IT teams do not have formal vulnerability management programs. Cloud misconfiguration — publicly accessible storage, administrative accounts without MFA, overly permissive IAM policies — appears in virtually every cloud environment assessment. Historical compromise indicators — evidence of past attacker presence that the organization was not aware of — appear in a meaningful percentage of engagements with organizations that lack mature detection capabilities.
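Two of the cloud misconfiguration patterns above, publicly accessible storage and overly permissive IAM policies, are visible directly in policy documents, which is why read-only console or API access is worth negotiating. The Python check below is an added example rather than Cloudskope's own tooling. It walks AWS IAM policy JSON (the format is AWS's; the policy documents and bucket name are constructed) and flags Allow statements that use `Action: "*"`, service-wide `service:*` wildcards, `NotAction` with Allow, an unconditioned `Resource: "*"`, or an anonymous `Principal: "*"` on a resource policy, which is what makes a bucket public.

```python
"""Flag over-permissive and public statements in AWS IAM policy JSON (constructed samples)."""
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def assess_policy(document: dict, name: str) -> list:
    """Return a list of finding dicts for every risky Allow statement in a policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"statement[{index}]")
        conditions = stmt.get("Condition", {})

        def flag(severity, issue):
            findings.append({"policy": name, "sid": sid, "severity": severity, "issue": issue})

        if "NotAction" in stmt:
            flag("high", "Allow with NotAction grants every action except those listed")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "*" in actions:
            flag("high", "Action '*' grants every API call")
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                flag("medium", "service-wide wildcard action(s): " + ", ".join(wild))
        # Resource "*" is common for read-only or list actions, so only flag it when
        # nothing (MFA, source IP, tag) constrains the grant.
        if "*" in _as_list(stmt.get("Resource", [])) and not conditions:
            flag("high", "Resource '*' with no Condition")
        principal = stmt.get("Principal")
        if principal is not None and _principal_is_anonymous(principal) and not conditions:
            flag("high", "anonymous Principal '*': resource is publicly accessible")
    return findings


def assess_policy_json(text: str, name: str) -> list:
    """Same check, starting from the JSON text an API or console export returns."""
    return assess_policy(json.loads(text), name)


# Constructed policy documents, not taken from any real account.
POLICY_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

BUCKET_POLICY_PUBLIC = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-target-bucket/*"}]}

POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOwnBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-target-bucket",
                  "arn:aws:s3:::example-target-bucket/*"]},
    {"Sid": "Ec2WithMfa", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyDeleteBucket", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


if __name__ == "__main__":
    for name, doc in [("admin-policy", POLICY_ADMIN),
                      ("bucket-policy", BUCKET_POLICY_PUBLIC),
                      ("scoped-policy", POLICY_SCOPED)]:
        for f in assess_policy(doc, name) or [{"policy": name, "sid": "-", "severity": "none", "issue": "no findings"}]:
            print(f"{f['policy']:14} {f['sid']:16} [{f['severity']}] {f['issue']}")
```

The scoped policy shows why the check looks at Condition before flagging `Resource: "*"`: a wildcard resource gated on `aws:MultiFactorAuthPresent` is a very different risk from the same grant with no condition, and treating them alike would bury the real findings in noise.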

How Cyber Findings Affect Deal Terms

The business impact of cyber due diligence findings depends on the nature of the finding, the target organization's sector, and the deal's specific circumstances. Material findings typically affect deals in several ways. Purchase price adjustment — significant cyber liabilities, remediation costs, or historical breach exposure may reduce the purchase price to account for the risk being acquired. Representations and warranties — the target may be required to provide specific cybersecurity representations and warranties with associated indemnification obligations. Pre-close remediation — specific security improvements may be required as a condition of close. Post-close obligations — escrow arrangements or specific remediation timelines may be established for issues identified that cannot be resolved before close. And in some cases, material findings are go/no-go factors when the exposure is significant enough that the risk cannot be appropriately priced.

Real-World Example: Yahoo and Verizon — The $350M Breach Discount

In 2016, Verizon agreed to acquire Yahoo for $4.83 billion. During due diligence, Yahoo disclosed a breach that exposed 500 million accounts in 2014. Subsequent investigation revealed a second breach — 3 billion accounts in 2013 — that had not been disclosed. Verizon renegotiated the deal, ultimately acquiring Yahoo at a $350 million discount from the original price. The breach disclosure and renegotiation delayed the deal by months and resulted in legal proceedings that continued for years after close. The Yahoo case established the principle that undisclosed cyber incidents are material to deal valuation and that acquirers have recourse when material cyber information is not disclosed in due diligence.

$4.45M

Average cost of a data breach discovered post-acquisition that originated pre-close — not including purchase price impact, indemnification disputes, or regulatory liability. Cyber due diligence costs a fraction of this. The ROI is unambiguous.

How Cloudskope Can Help

Cloudskope's M&A Cyber Due Diligence program delivers comprehensive technical assessment within standard deal timelines — initial findings within 14 days of engagement, suitable for pre-LOI screening and post-LOI full assessment. We evaluate attack surface, identity and access controls, cloud security, email security, endpoint security, and historical compromise indicators. Findings are delivered in executive summary format for investment committee presentation and detailed technical format for post-close integration planning.