The Acquisition That Came With a Breach
A company acquired a promising startup. Two months after close, they discovered the startup had been breached six months earlier—and didn't know it. Customer data had been exfiltrated. The acquirer now owned the liability, the remediation costs, and the disclosure obligations.
Security due diligence in M&A isn't optional anymore. Acquirers are learning that security problems follow the deal. What you don't find before close, you inherit after.
This guide covers security due diligence from both sides—what acquirers should look for, and how sellers can prepare for scrutiny.
Why Security Due Diligence Matters
For Acquirers
- Liability Transfer — You inherit breaches, compliance gaps, and technical debt
- Hidden Costs — Remediation, integration, and upgrades can be expensive
- Business Continuity — Security issues can disrupt operations post-close
- Reputation Risk — Target's breach becomes your headline
- Valuation Adjustment — Findings may warrant price adjustment or escrow
For Sellers
- Deal Speed — Good security posture accelerates closing
- Valuation Protection — Avoid last-minute price cuts from findings
- Representation Risk — Know what you're representing in the agreement
- Competitive Advantage — Strong security is a differentiator among targets
Security due diligence used to be a checkbox. Now it's a deal term. Acquirers are adding specific security representations, indemnifications for breaches, and escrow holdbacks for remediation. Prepare accordingly.
For Acquirers: What to Assess
1. Security Program Maturity
2. Technical Security Posture
- Vulnerability Assessment — Recent scan results, critical/high findings
- Penetration Test — When was the last test? What was found?
- Access Controls — MFA adoption, privileged access management
- Data Protection — Encryption, backup, data classification
- Cloud Security — Configuration review, IAM posture
- Application Security — Secure development lifecycle, OWASP Top 10 coverage, dependency and supply-chain hygiene
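The access-control and cloud items above produce the representations an acquirer most often has to verify rather than take on faith: "MFA is enforced for every console user", "access keys are rotated", "there are no dormant accounts". The following is an added example, not code from the article or from vCISO Lite: it takes an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns) and tests those three claims against the data instead of against the policy document. The report rows are constructed for illustration, and the 90-day thresholds are assumptions, not something the article specifies.

```python
"""Check an AWS IAM credential report against three common due-diligence
representations: MFA on every console login (root included), access keys
rotated within 90 days, and no dormant users.

Added example; not code from the article. The column layout is the one
the real credential report uses. The sample rows below are constructed,
and the 90-day thresholds are assumptions. Against a live account:

    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data in the credential-report column layout.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-01-15T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T10:00:00+00:00,true,2024-03-01T09:00:00+00:00,2024-01-01T09:00:00+00:00,2024-04-01T09:00:00+00:00,true,true,2024-02-01T00:00:00+00:00,2024-03-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-01-10T10:00:00+00:00,true,2024-02-20T09:00:00+00:00,2023-06-01T09:00:00+00:00,N/A,false,true,2022-05-01T00:00:00+00:00,2024-02-28T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2020-08-15T10:00:00+00:00,false,not_supported,N/A,N/A,false,true,2024-01-10T00:00:00+00:00,2024-03-02T00:00:00+00:00,us-west-2,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor-old,arn:aws:iam::111122223333:user/contractor-old,2019-09-01T10:00:00+00:00,true,2023-01-05T09:00:00+00:00,2022-12-01T09:00:00+00:00,N/A,true,true,2022-12-01T00:00:00+00:00,2023-01-04T00:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
new-hire,arn:aws:iam::111122223333:user/new-hire,2024-03-03T10:00:00+00:00,true,no_information,2024-03-03T10:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Date the (constructed) report was pulled; every age below is relative to it.
REPORT_DATE = datetime(2024, 3, 5, tzinfo=timezone.utc)

# Markers the report uses where no timestamp exists.
UNKNOWN = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's 'no value' markers."""
    return None if value in UNKNOWN else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, key_max_age_days=90, dormant_days=90):
    """Map each finding type to the sorted list of users it applies to."""
    findings = {"root_no_mfa": [], "console_no_mfa": [],
                "stale_access_key": [], "dormant_user": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"

        if user == "<root_account>":
            # Root is not bound by IAM policy; MFA is the only control on it.
            if not mfa:
                findings["root_no_mfa"].append(user)
            continue

        # "MFA enforced" only means something for users who can log in to the console.
        if row["password_enabled"] == "true" and not mfa:
            findings["console_no_mfa"].append(user)

        # Any active key older than the rotation window is a finding.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > timedelta(days=key_max_age_days):
                    findings["stale_access_key"].append(user)
                    break

        # Dormancy: no console or key use inside the window. A user created
        # recently with no activity yet is measured from creation, not flagged.
        activity = [t for t in (parse_ts(row["password_last_used"]),
                                parse_ts(row["access_key_1_last_used_date"]),
                                parse_ts(row["access_key_2_last_used_date"])) if t]
        reference = max(activity) if activity else parse_ts(row["user_creation_time"])
        if reference is None or now - reference > timedelta(days=dormant_days):
            findings["dormant_user"].append(user)

    return {k: sorted(v) for k, v in findings.items()}


def mfa_representation_holds(findings):
    """True only if 'MFA on every console login, including root' survives the data."""
    return not findings["root_no_mfa"] and not findings["console_no_mfa"]


def audit_sample():
    """Run the audit over the constructed sample at its report date."""
    return audit_credential_report(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    result = audit_sample()
    for kind, users in result.items():
        print(f"{kind}: {', '.join(users) or 'none'}")
    print("MFA representation holds:", mfa_representation_holds(result))
```

On the constructed sample the "MFA everywhere" representation fails twice (root and bob), two users hold keys older than the window, and one contractor account has been untouched for over a year while keeping an active key. Each of those is a concrete line item for the remediation schedule or the escrow negotiation, which is the point of validating rather than reading the policy: the same script run on the target's real report turns a one-line representation into evidence either way. Service users such as svc-deploy have no console password, so they are deliberately not counted against the MFA claim; what matters for them is key age and recent use.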
3. Incident History
- Past Breaches — Any breaches in the past 3-5 years?
- Incident Response — How were incidents handled?
- Ongoing Issues — Any current security investigations?
- Regulatory Actions — Any fines, enforcement actions, consent decrees?
- Litigation — Security-related lawsuits or claims?
"Have you experienced any security incidents or data breaches?" Ask directly. Verify independently. Review their breach disclosure history, check public breach-notification registries (several US state attorney general offices publish one) and credential-dump aggregators for their domains, and assess whether they would even know if they had been breached: what logging, alerting and detection capability do they have, and how far back does log retention go?
4. Third-Party Risk
- Vendor Inventory — Who has access to their data?
- Vendor Assessments — Do they assess vendor security?
- Contracts — Security provisions in vendor agreements?
- Concentration Risk — Dependency on key vendors?
5. Compliance and Legal
- Regulatory Requirements — HIPAA, PCI DSS, GDPR applicability
- Compliance Status — Current compliance or gaps?
- Certifications — SOC 2, ISO 27001, others
- Customer Commitments — Security SLAs, contractual obligations
- Insurance — Cyber insurance coverage and claims history
For Sellers: Preparing for Scrutiny
Before Going to Market
Security Assessment
Conduct your own security assessment. Find issues before acquirers do. Fix what you can.
Documentation
Gather policies, certifications, pentest reports, incident records. Have them ready.
Gap Remediation
Address obvious gaps: MFA deployment, critical vulnerabilities, missing encryption.
Compliance Status
If SOC 2 is expected in your market and you don't have it, consider starting now.
What Acquirers Will Request
Documentation:
- Security policies
- SOC 2 / audit reports
- Penetration test results
- Vulnerability scan reports
- Incident history
- Vendor list
Evidence:
- MFA deployment status
- Access review records
- Training completion
- Backup test results
- Insurance certificates
- Architecture diagrams
What to Disclose
- Past Incidents — Disclose. They will find out. Surprise = distrust.
- Known Gaps — Better to explain with remediation plan than be discovered.
- Compliance Status — Accurate representation of current state.
- Technical Debt — Known security-related technical debt.
Undisclosed issues discovered post-close create legal exposure (breach of representations) and destroy trust. Issues disclosed with remediation plans are negotiated. Hidden issues are liabilities.
Deal Structure Considerations
Security-Related Terms
- Representations — Specific reps on security posture, incident history
- Indemnification — Coverage for undisclosed breaches or compliance issues
- Escrow — Holdback for remediation of identified issues
- Purchase Price Adjustment — Reduction for material findings
- Post-Close Covenants — Requirements to achieve certain security milestones
Common M&A Security Mistakes
Acquirer Mistakes
- Checkbox Diligence — Reviewing documents without technical assessment
- Trusting Certifications — SOC 2 doesn't mean secure. A SOC 2 report attests to the controls the target chose to put in scope, either as designed at a point in time (Type I) or as operating over a period (Type II); read the scope, the tested controls and the exceptions, not just the auditor's opinion letter
- Post-Close Surprise — Not integrating security assessment findings into deal terms
- No Integration Plan — Acquiring without plan to address gaps
Seller Mistakes
- Last-Minute Preparation — Starting security cleanup during due diligence
- Hiding Issues — Non-disclosure that becomes breach of reps
- No Documentation — Good security but nothing to show for it
- Overpromising — Representing compliance you don't have
Quick Start: For Sellers
Week 1: Self-Assessment
Conduct internal security review. Identify gaps. Prioritize remediation.
Week 2-3: Documentation
Gather all security documentation. Create what's missing. Organize for data room.
Week 4+: Remediation
Fix high-priority issues: MFA, critical vulns, policy gaps. Document improvements.
Quick Start: For Acquirers
Early Diligence: Request List
Send security due diligence request list. Request SOC 2, pentest, incident history.
Document Review
Review security policies, certifications, and reports. Identify gaps and questions.
Technical Assessment
Conduct or commission a technical security assessment, at minimum an external test and a cloud configuration review. Validate representations against evidence from the target's systems, not against their policy documents.
Findings Integration
Build findings into deal terms: reps, indemnification, remediation requirements.
Next Steps
Security due diligence is now standard in M&A. What was once a checkbox is now a deal term. Acquirers who skip it inherit problems. Sellers who prepare for it close faster at better valuations.
If you're a potential acquisition target, start preparing now. Good security posture isn't just about risk—it's about enterprise value.
Preparing for an exit? vCISO Lite helps you build and document the security program that acquirers expect, with audit-ready evidence and compliance tracking that accelerates due diligence.