Acquisition Agreements Get Signed on Cyber Reps Nobody Verified. That Becomes the GC's Problem.

In most M&A deals, the acquisition agreement contains representations about the target's cybersecurity: that it complies with applicable data laws, that it has not suffered an undisclosed breach, that it maintains reasonable security controls. These reps are negotiated by lawyers, signed by principals, and relied upon by the buyer. What they almost never are, before signing, is independently verified.

That is the gap. A cyber representation allocates risk on paper. It does not change what is actually true about the target's security. If the company repping no undisclosed breaches is in fact already compromised, the signature does not undo the intrusion; it only decides who absorbs the loss once it surfaces. And because most breaches sit undetected for months, the reps are frequently signed in good faith by a seller who genuinely does not know they are false. We have documented how long intrusions hide in our analysis of the 2026 extortion wave.

What deal counsel should require before signing

The GC's leverage on cyber risk is highest in the window before the agreement is signed and gone the moment it is. Four things belong in that window.

1. A compromise assessment, not just a questionnaire. The single most important cyber fact in a deal is whether the target is already breached. A compromise assessment is the only way to answer it, and it is rarely part of standard diligence. Reps about no known incidents are only as good as the looking that was done.
2. Specific reps, not boilerplate. Generic security language is hard to enforce. Reps tied to concrete facts, such as breach history, regulatory notices, and the existence of third-party risk management, give the buyer something to stand on later.
3. A technical read on the disclosure schedule. What the seller discloses against the reps is where the real risk hides. Someone who understands security, not just contract language, should read those schedules.
4. Clarity on R&W insurance cyber exclusions. Representations and warranties insurance often carves out known issues and sometimes broad cyber categories. If the policy excludes the exact risk the rep was meant to cover, the protection is illusory.

Why the timing is the whole game

After signing, the allocation is fixed and the GC's role shifts from negotiation to enforcement, which is slower, costlier, and adversarial. The day the deal closes, a misstated cyber rep stops being a drafting question and becomes a live liability: indemnification claims, escrow disputes, and, for public acquirers, potential disclosure obligations under the SEC cybersecurity disclosure rule if the inherited incident is material.

None of this argues for more legal language. It argues for verifying the facts the language depends on while there is still time to price them, walk, or shift them back to the seller. The reps are a backstop. They were never meant to be the first time anyone checked whether the target was secure.

The cleanest deals are not the ones with the most airtight cyber reps. They are the ones where someone confirmed the reps were true before everyone signed them.