11. Cybersecurity due diligence: what matters before it is too late
A deal-team framework to test which cyber issues change price, timing, connectivity, and first-100-day execution before the buyer inherits the risk.
The deal team had already moved from confirmatory diligence to final markups. The synergy case depended on fast access to customer data, shared reporting, and a clean path to connect the target into the buyer’s identity and network environment inside the first 60 days.
Then the buyer’s CISO asked for four pieces of evidence: privileged account MFA coverage, endpoint protection deployment, SIEM log sources, and open high-risk vulnerabilities on internet-facing systems.
The target had policies for all four. It did not have proof. Admin access was still shared in parts of the estate. Endpoint tooling covered corporate laptops, but not all servers or production engineering endpoints. Logs existed in three places with uneven retention. The vulnerability list was owned by infrastructure, security, and an external provider, which meant nobody owned it at deal speed.
No breach had been disclosed. No system was visibly failing. But the buyer could not safely connect environments on the timetable the value plan assumed.
That is how cybersecurity usually changes deal economics. Not through a headline incident during diligence, but through a control gap that blocks connectivity, delays synergy capture, extends TSAs, or forces remediation cash before the buyer can execute the thesis.
The primary decision is this:
Does the target’s cyber posture support Day-1 connectivity and the value timing in the model, or does it require repricing, restructuring, or remediation before the buyer inherits the risk?
Cyber diligence is a deal-clock question
Cybersecurity findings matter when they change one of four deal variables.
- Connectivity: whether the buyer can connect networks, identity tenants, collaboration tools, data platforms, or reporting environments without importing unacceptable risk
- Timing: whether Day-1, Day-100, TSA exit, data migration, or synergy milestones must move
- Cash: whether remediation is mandatory before value work can start
- Terms: whether the buyer needs price protection, escrow, indemnity, closing conditions, or a staged access model
This is why a generic “cyber maturity” score is weak diligence. A target can be average and investable. It can also be average and unconnectable. The answer depends on what the deal needs the technology environment to do in the first 100 days.
For many acquisitions, the first technology gate is not ERP, cloud, or data architecture. It is whether the buyer’s security team will permit access.
The common mistake: asking for policies instead of proof
Targets can usually provide security policies, training records, insurance summaries, and a slide that says MFA, EDR, SIEM, backup, and incident response are in place.
That is not enough.
Cyber diligence should test operating evidence. Can management show who has privileged access today? Which endpoints are actually protected? Which systems produce logs? Which vulnerabilities are open? Which customer data stores are exposed? Which incidents were investigated, and what changed afterward?
The mistake is treating cybersecurity as a compliance section in the diligence report. The better test is operational:
If we had to connect, migrate, share data, or place our brand on this environment within 30-90 days, what would stop us?
If the target cannot answer that with evidence, the buyer is not underwriting a cyber posture. The buyer is underwriting uncertainty.
A deal-team framework: connect, contain, cost
The fastest way to turn cyber diligence into a deal decision is to organize the work around three questions.
1) Connect: what must be true before environments touch?
Connectivity is where cyber risk becomes schedule risk.
What to test:
- MFA coverage for all privileged accounts, remote access, email, cloud consoles, and production administration
- identity hygiene: shared accounts, dormant accounts, joiner/mover/leaver controls, contractor access
- endpoint protection coverage across laptops, servers, virtual machines, and engineering workstations
- segmentation between corporate IT, production, customer-facing systems, and development environments
- logging coverage and retention for crown-jewel systems
What goes wrong:
- the buyer plans early network trust, but the target cannot prove who can administer key systems
- data-sharing starts before logging and access controls can support investigation
- SaaS tenants are connected while legacy admin accounts remain open
- the buyer CISO blocks integration until remediation is complete, but the synergy plan has not moved
The practical question is not “is security perfect?” It is “what is the minimum control baseline before we connect, and how long will it take to reach?”
2) Contain: if something has already happened, would they know?
Most targets will not have buyer-grade detection. That is expected. The question is whether there is enough coverage to find, isolate, and investigate an issue before the buyer expands access.
What to test:
- SIEM or log-management sources by system, not just the tool name
- alert ownership and escalation paths
- incident register for the last 24 months, including near misses and customer-impacting events
- backup and restore evidence for systems that hold revenue, finance, customer, or regulated data
- vulnerability scans and pen test findings with remediation status
What goes wrong:
- a target says there were no incidents because it had no coverage to detect them
- prior incidents were closed by IT operations with no root-cause fix
- backups exist, but restoration was never tested for the systems that matter
- unresolved internet-facing vulnerabilities become the buyer’s first post-close issue
Containment diligence is uncomfortable because it often exposes missing facts. That is exactly the point. Missing evidence is itself a risk signal.
3) Cost: what is mandatory before value work can proceed?
Cyber remediation competes for the same people who must support Day 1, integration, reporting, TSA exit, and value creation. If remediation is not funded and sequenced, it quietly consumes the first 100 days.
What to test:
- cost to close the minimum connectivity baseline
- tooling gaps: EDR, MFA, logging, vulnerability management, privileged access management, backup, email security
- outside support required for incident-response readiness, remediation, or forensic review
- customer or regulatory commitments that create a higher bar than internal policies
- capability gaps in the security, infrastructure, cloud, and application teams
What goes wrong:
- the deal model includes cyber remediation as a small one-time item, but the work blocks all early integration
- the same three infrastructure owners are expected to fix identity, support Day 1, and migrate data
- customer security commitments force controls faster than the integration plan can deliver
- security tooling can be bought quickly, but deployment across the estate takes months
Cyber cost is not only license spend. It is the cost of reaching a control state that permits the buyer to execute.
Evidence asks that create real signal in 48 hours
Do not start with a 200-question cyber questionnaire. Start with artifacts that operating teams should already use.
1) Privileged access and MFA export
Ask for:
- privileged users by system or tenant
- MFA status for privileged and remote-access accounts
- shared, service, and emergency accounts
- dormant accounts and last login dates
Why it matters:
If privileged access is not individually attributable, the buyer cannot safely connect, investigate, or satisfy its own control requirements.
2) Endpoint and server protection coverage
Ask for:
- endpoint security deployment export by device type
- server and cloud workload coverage
- unmanaged or stale devices
- exception list with owner and expiration date
Why it matters:
Corporate laptop coverage is not enough. Many post-close incidents start in unmanaged servers, engineering endpoints, or remote access paths.
3) Logging coverage for crown-jewel systems
Ask for:
- systems sending logs to the SIEM or log platform
- retention period by source
- alert ownership and escalation path
- gaps for ERP, finance, customer data, production, identity, and cloud consoles
Why it matters:
The buyer needs to know whether it can detect and investigate issues during the riskiest period: connection, migration, and control change.
4) Vulnerability and pen test evidence
Ask for:
- latest external vulnerability scan
- latest pen test summary and remediation tracker
- open high and critical findings by owner and age
- internet-facing assets and ownership
Why it matters:
Unresolved exposure on internet-facing assets can force urgent remediation before Day 1 or before any buyer connectivity.
5) Incident, backup, and restore record
Ask for:
- incident register for the last 24 months
- cyber insurance claims and carrier findings
- last backup restore test for core systems
- incident-response tabletop results and open actions
Why it matters:
Policies describe intent. These artifacts show whether the organization can respond when the environment is under stress.
6) Customer and regulated-data control evidence
Ask for:
- where customer PII, payment, health, employee, or regulated data lives
- customer security questionnaire exceptions
- SOC 2, ISO 27001, PCI, HIPAA, SOX, or sector-specific findings where relevant
- contractual security commitments for top customers
Why it matters:
Cyber risk can hit revenue directly when customer commitments are ahead of actual controls.
Decision triggers that should change price, terms, or timing
Not every cyber weakness should change a deal. These triggers should force an explicit call.
Trigger 1: Privileged access is not controlled enough for Day-1 connectivity
If privileged MFA is not effectively complete for critical systems, or if shared admin accounts exist without a 30-60 day remediation path, do not assume Day-1 or Day-30 connectivity.
What it changes:
- move synergy timing tied to network trust, data access, or shared tools
- require segmented access, clean-room data exchange, or a staged connection model
- fund identity cleanup and privileged access remediation as mandatory one-time cash
Trigger 2: Logging does not cover the systems the buyer plans to touch
If logging covers less than roughly 80% of crown-jewel systems, or retention is too short to support investigation, treat early integration as gated.
What it changes:
- delay broad connectivity until minimum monitoring is in place
- add SIEM/log onboarding to the Day-1 readiness plan
- require named security operations ownership before close or immediately after
Trigger 3: Endpoint and server protection has material gaps
If endpoint protection is below roughly 90% across managed devices, or server and production workload coverage is unclear, assume the buyer will inherit detection and containment gaps.
What it changes:
- fund tooling deployment and cleanup before broad access
- isolate unmanaged assets from buyer environments
- avoid counting early IT cost synergies that depend on tool consolidation
Trigger 4: Internet-facing vulnerabilities are old, severe, and ownerless
If high-risk external findings are older than 30-45 days and there is no accountable owner, the issue is not just patching. It is operating discipline.
What it changes:
- require remediation before close for the highest-exposure assets where possible
- add a closing condition, escrow, or specific indemnity for known exposure
- slow any migration or connectivity path that increases blast radius
Trigger 5: Customer or regulatory commitments exceed actual controls
If top customer contracts promise security controls the target cannot evidence, treat the issue as a revenue risk, not only an IT finding.
What it changes:
- stress-test churn, renewal, and customer audit exposure
- prioritize remediation by customer revenue at risk
- structure protection for known exceptions where legal teams can support it
Trigger 6: The security team cannot absorb remediation plus deal execution
If the target has one or two effective security owners, heavy outsourcing, and no buyer support plan, remediation will run on the same clock as Day 1.
What it changes:
- add external capacity before close planning starts
- reduce first-100-day value commitments that depend on the same team
- assign a buyer-side security lead to own the minimum control baseline
What best teams do before signing
Strong teams do not try to solve every cyber issue in diligence. They force enough clarity to choose a deal posture.
1) They define a minimum connectivity baseline
The baseline should be short and non-negotiable:
- named admin accounts with MFA
- endpoint protection on connected assets
- logging for identity, cloud consoles, ERP/finance, customer data, and production systems
- no unresolved high-risk external exposure on assets that will be connected
- incident-response owner and escalation path
This gives the buyer a clear gate: connect, connect with segmentation, or do not connect yet.
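As an added illustration of the evidence packs, the decision triggers, and the three-way gate just described (example code written for this page, not part of the original article): a small Python evaluator that reads the four machine-checkable evidence exports (privileged access and MFA, endpoint coverage, crown-jewel logging, external vulnerabilities), applies the article's thresholds (full privileged MFA and no shared admin accounts, roughly 80% logging coverage, roughly 90% endpoint coverage, high-risk external findings older than 45 days with no owner), and returns connect, connect with segmentation, or do not connect yet. The sample exports, the 90-day dormancy cut-off, the 90-day minimum log retention, and the mapping from fired triggers to gate outcome are assumptions; Triggers 5 and 6 (customer commitments, team capacity) are left out because they come from contracts and staffing plans, not from exports.

```python
"""Cyber diligence gate evaluator (added example, not from the source article).

Reads the evidence exports the article asks for, applies its decision
triggers, and produces a Day-1 connection posture. All sample data below is
constructed; the dormancy cut-off, retention floor and trigger-to-posture
mapping are assumptions rather than values stated in the article.
"""
from datetime import date

AS_OF = date(2024, 6, 1)  # evaluation date used for dormancy checks

# --- constructed evidence packs (placeholder systems and accounts) ------------
PRIVILEGED_ACCOUNTS = [  # privileged access / MFA export
    {"account": "jdoe-admin", "system": "cloud-console", "mfa": True, "shared": False, "last_login": date(2024, 5, 30)},
    {"account": "erp_admin", "system": "erp", "mfa": False, "shared": True, "last_login": date(2024, 5, 28)},
    {"account": "old-dba", "system": "finance-db", "mfa": True, "shared": False, "last_login": date(2023, 11, 2)},
    {"account": "break-glass", "system": "identity", "mfa": True, "shared": False, "last_login": date(2024, 1, 15)},
]
DEVICES = [  # endpoint protection export: (device, type, protection deployed)
    ("lt-001", "laptop", True), ("lt-002", "laptop", True), ("lt-003", "laptop", True),
    ("lt-004", "laptop", True), ("srv-app1", "server", True), ("srv-app2", "server", False),
    ("srv-legacy", "server", False), ("srv-db1", "server", True), ("vm-build", "vm", True),
    ("eng-ws1", "engineering", False),
]
CROWN_JEWEL_LOGGING = {  # system -> (sends logs to SIEM, retention in days)
    "identity": (True, 365), "cloud-console": (True, 90), "erp": (False, 0),
    "finance-db": (True, 30), "customer-data": (True, 180), "production": (False, 0),
}
EXTERNAL_VULNS = [  # latest external scan, internet-facing assets only
    {"asset": "vpn-gw", "severity": "critical", "owner": None, "age_days": 62},
    {"asset": "web-01", "severity": "high", "owner": "infra", "age_days": 20},
    {"asset": "web-02", "severity": "medium", "owner": None, "age_days": 120},
]

TRIGGERS = {  # short codes for the article's machine-checkable triggers
    "T1": "privileged access not controlled enough for Day-1 connectivity",
    "T2": "logging does not cover the systems the buyer plans to touch",
    "T3": "endpoint and server protection has material gaps",
    "T4": "internet-facing vulnerabilities are old, severe, and ownerless",
}


def privileged_access_findings(accounts, as_of, dormant_days=90):
    """MFA coverage plus shared and dormant privileged accounts (dormancy cut-off is an assumption)."""
    with_mfa = sum(1 for a in accounts if a["mfa"])
    return {
        "mfa_coverage": with_mfa / len(accounts),
        "shared": [a["account"] for a in accounts if a["shared"]],
        "dormant": [a["account"] for a in accounts if (as_of - a["last_login"]).days > dormant_days],
    }


def endpoint_coverage(devices):
    """Fraction of all inventoried devices (not just laptops) with protection deployed."""
    return sum(1 for _, _, protected in devices if protected) / len(devices)


def unprotected_devices(devices):
    """Devices to isolate from buyer environments until covered."""
    return [(name, kind) for name, kind, protected in devices if not protected]


def logging_coverage(sources, min_retention_days=90):
    """Fraction of crown-jewel systems that both send logs and retain them long enough to investigate."""
    ok = sum(1 for sends, days in sources.values() if sends and days >= min_retention_days)
    return ok / len(sources)


def stale_ownerless_vulns(vulns, max_age_days=45):
    """High/critical external findings older than the cut-off with no accountable owner."""
    return [v["asset"] for v in vulns
            if v["severity"] in ("high", "critical") and v["owner"] is None and v["age_days"] > max_age_days]


def evaluate_triggers(accounts, devices, sources, vulns, as_of):
    """Apply the article's thresholds; returns the codes of the triggers that fired."""
    fired = []
    access = privileged_access_findings(accounts, as_of)
    if access["mfa_coverage"] < 1.0 or access["shared"]:
        fired.append("T1")
    if logging_coverage(sources) < 0.80:
        fired.append("T2")
    if endpoint_coverage(devices) < 0.90:
        fired.append("T3")
    if stale_ownerless_vulns(vulns):
        fired.append("T4")
    return fired


def connection_decision(fired):
    """Three-way gate. Mapping is an assumption: identity or external-exposure
    gaps block connection; monitoring or endpoint gaps allow segmented access."""
    if "T1" in fired or "T4" in fired:
        return "do not connect yet"
    return "connect with segmentation" if fired else "connect"


if __name__ == "__main__":
    fired = evaluate_triggers(PRIVILEGED_ACCOUNTS, DEVICES, CROWN_JEWEL_LOGGING, EXTERNAL_VULNS, AS_OF)
    for code in fired:
        print(f"{code}: {TRIGGERS[code]}")
    print("isolate until covered:", unprotected_devices(DEVICES))
    print("gate:", connection_decision(fired))
```

Run against the constructed exports, every trigger fires: MFA is at 75% with one shared ERP admin, half the crown jewels lack usable logs, endpoint coverage is 70% with a legacy server and an engineering workstation unprotected, and a critical finding on the VPN gateway has sat ownerless for 62 days, so the gate is "do not connect yet". The same functions run unchanged on a target whose exports are clean, which is the point: the thresholds are fixed before the evidence arrives, so the decision does not drift with negotiation pressure.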
2) They convert findings into a value-timing adjustment
A cyber issue is not done when it appears in the report. The useful output is a timing answer:
- which synergies depend on connectivity?
- which data migrations depend on security approval?
- which TSA exits depend on identity, logging, or segmentation?
- which customer commitments require control evidence before expansion?
If a finding moves those dates, the model should move too.
3) They separate remediation into “pre-connect” and “post-close hardening”
Pre-connect items are gates. Post-close hardening items are backlog.
Pre-connect examples:
- privileged MFA
- removal or isolation of shared admin access
- endpoint and server coverage for connected assets
- logging for systems in scope of Day-1 access
- closure of the highest-risk internet-facing vulnerabilities
Post-close examples:
- broader policy cleanup
- tool consolidation
- security awareness refresh
- long-tail vulnerability remediation
- target-state security architecture
Mixing the two creates noise. It also lets mandatory work hide inside a generic cyber roadmap.
4) They put one owner on the cyber deal clock
Cyber findings often sit between the deal team, buyer CISO, infrastructure lead, application owners, legal, and integration management. Without one owner, every issue waits for coordination.
Best teams assign a buyer-side cyber integration lead before signing. That person owns the minimum baseline, the evidence tracker, the Day-1 connection decision, and the escalation path to the deal lead.
Where teams get trapped after close
Three traps appear often.
First, the buyer connects too broadly because the business wants speed. The risk does not show up on Day 1. It appears when an old account, unmanaged endpoint, or unlogged system becomes part of a larger environment that is harder to contain.
Second, the buyer waits for perfect security before any value work starts. That is also wrong. The better answer is segmented connectivity: narrow access, clear logging, temporary data paths, and known owners.
Third, cyber remediation becomes a side workstream with weak links to EBITDA timing. The CISO reports progress on controls while the deal lead still expects synergies on the original clock. That gap becomes value leakage.
The best posture is practical: isolate what cannot yet be trusted, connect only what meets the minimum baseline, and fund the controls that unlock value timing.
Monday-morning actions
If you are in a live diligence window, do this in the next 10 business days.
- Name the value gates that require cyber approval. Connectivity, data sharing, TSA exit, reporting, customer integration, and product access should each have an owner and target date.
- Request six evidence packs, not a policy library. Privileged access, endpoint coverage, logging, vulnerability status, incident/restore evidence, and customer/regulatory commitments.
- Define the minimum connectivity baseline with the buyer CISO. Make it specific enough that the integration lead can plan against it.
- Classify every cyber finding as pre-connect, post-close hardening, or deal-structure issue. If it blocks connectivity or customer commitments, it is not a generic remediation item.
- Move the model where the cyber clock moves. If controls delay data access, network trust, or TSA exit, change synergy timing, one-time cash, or terms before signing.
Cyber due diligence is not about proving the target is safe in the abstract. It is about deciding whether the buyer can execute the deal plan without inheriting an unmanaged risk. If the answer is no, the right response is not a longer questionnaire. It is a different price, a different structure, or a different first-100-day plan.