When Verizon moved to acquire Yahoo in 2016, the deal looked like a straightforward expansion of its digital media portfolio. Then two previously undisclosed data breaches surfaced, affecting all three billion Yahoo user accounts, and the acquisition price dropped by $350 million overnight. What followed was an SEC investigation, a $35 million settlement for failing to disclose the breaches, and an $80 million securities fraud class action. Marriott later learned the same lesson when it inherited a separate breach through its acquisition of Starwood and received an £18.4 million fine from the UK’s Information Commissioner’s Office. These are not edge cases. They are now the standard cautionary tales cited in every boardroom where an acquisition is on the table.

The lesson is deceptively simple: if you don’t know what you’re buying from a cybersecurity standpoint, you don’t know what you’re buying at all.

The Deal Landscape Has Changed — And So Has the Risk

Global M&A activity surged in the second half of 2025 and has carried that momentum into 2026, with megadeals and AI-driven acquisitions reshaping how capital moves across industries. Technology-led transactions dominated deal flow, and cybersecurity has emerged not just as a due diligence checkbox but as a strategic prerequisite for executing deals at scale. Google’s $30 billion acquisition of Wiz and Palo Alto Networks’ $25 billion proposed acquisition of CyberArk signal something the market has quietly accepted: security posture is now a valuation driver, not an afterthought.

Yet for every headline-making deal where cybersecurity is treated as a first-class concern, there are hundreds of middle-market and regulated-industry transactions where it barely makes it past a surface-level questionnaire. The result is predictable. Acquirers close deals and inherit technical debt, unpatched infrastructure, undisclosed incidents, shadow IT ecosystems, and regulatory exposure that no financial model accounted for.

Why Traditional Due Diligence Misses the Mark

Most M&A due diligence processes were built around financial, legal, operational, and human capital risk. Cybersecurity was bolted on late — often as a subset of IT — and conducted with the same tools and frameworks used to evaluate server inventories or software licensing compliance. This approach is fundamentally inadequate for evaluating the risk profile of a modern enterprise.

The problem begins with access. Target companies are often reluctant to grant deep security access during a competitive bidding process, and rightfully so. Exposing internal vulnerability assessments, incident response histories, and network architecture diagrams to a potential acquirer introduces its own risks. But the consequence is that buyers frequently rely on self-reported questionnaires and high-level summaries that obscure the real picture. A target company’s assurance that it has “no material breaches” may be technically accurate while omitting the fact that it has never conducted the kind of assessment that would detect one.

Even when buyers engage security consultants, the scope is often too narrow. A point-in-time penetration test can reveal exploitable vulnerabilities, but it won’t tell you whether the target has an incident response plan that has been tested, whether its employees are trained to recognize social engineering, or whether its email systems are hardened against the kind of business email compromise and impersonation attacks that now represent the leading cause of financial fraud in regulated industries.

The Hidden Liabilities Acquirers Inherit

What makes cybersecurity risk uniquely dangerous in an M&A context is that it transfers silently. Unlike a pending lawsuit or an environmental liability, a latent cyber vulnerability doesn’t appear on a balance sheet. It sits dormant in unpatched systems, in misconfigured cloud environments, in email archives with no retention governance, and in vendor relationships that were never properly vetted.

When the acquiring company integrates the target’s infrastructure — connecting email systems, merging Active Directory environments, granting shared access to customer databases — every inherited weakness becomes an active threat vector inside the acquirer’s own network. The integration phase is, by definition, a period of elevated risk. Firewalls are reconfigured. Access controls are loosened to facilitate migration. IT teams from both organizations are working under pressure to meet aggressive timelines. Attackers know this, and they exploit it.

The Marriott-Starwood breach is the definitive case study. When Marriott acquired Starwood in 2016, it inherited a network compromise that had been active since 2014 and wouldn’t be detected until 2018. Over 500 million guest records were exposed. The breach didn’t originate on Marriott’s systems — it came with the acquisition. Marriott inherited not just Starwood’s hotels and loyalty program, but its entire security posture, including the attackers already inside it.

For firms operating in regulated industries — title, legal, financial services, healthcare — the exposure is compounded by compliance obligations. An acquirer that absorbs a target company’s HIPAA violations, FTC Safeguards Rule deficiencies, or unresolved state data breach notification failures isn’t just taking on financial risk. It’s taking on regulatory scrutiny that can restrict operations, trigger mandatory audits, and damage client relationships that took decades to build.

Cyber Insurance Doesn’t Solve This

It’s tempting to view cyber insurance as a backstop for inherited risk, and many acquirers do exactly that. But underwriters in 2026 are not writing blank checks. Policies increasingly include exclusions for pre-existing conditions — meaning if the breach originated before the policy inception date, coverage may be denied entirely. Representations and warranties insurance, which has become standard in M&A transactions, often carves out cyber-related claims or requires the buyer to demonstrate that reasonable due diligence was performed.

In other words, the insurance market is pricing in the same lesson the deal market is learning: if you didn’t look, you’re not covered.

What Effective Cyber Due Diligence Actually Looks Like

True cybersecurity due diligence is not a single assessment. It is a structured, multi-phase process that aligns with the deal lifecycle and informs decision-making from letter of intent through post-close integration. At a minimum, it should include the following dimensions.

First, a comprehensive threat and vulnerability assessment that goes beyond automated scanning. This means evaluating the target’s external attack surface, identifying exposed credentials on the dark web, reviewing historical breach data, and assessing the maturity of endpoint protection and email security controls. Organizations that lack advanced threat protection or rely solely on native platform security — a pattern well-documented in Microsoft 365 environments — present materially higher risk than those with layered, defense-in-depth architectures.

Second, a governance and policy review. This includes incident response plans, data classification frameworks, access control policies, employee training programs, and vendor risk management documentation. The absence of these artifacts is itself a finding. A company that cannot produce a current incident response plan has, in practical terms, told you that it has never seriously prepared for a breach — and in the current threat environment, that’s a guarantee of exposure, not a matter of probability.

Third, a regulatory compliance gap analysis. For transactions involving healthcare entities, financial institutions, or any organization handling consumer data, the acquirer must understand the target’s compliance posture under applicable frameworks — HIPAA, GLBA, FTC Safeguards Rule, state-level data privacy laws, and increasingly, SEC disclosure requirements that now extend cybersecurity governance obligations to boards and senior management.

Fourth, an integration risk assessment. This is where many deals go wrong even after thorough pre-close diligence. The act of combining two IT environments creates new attack surfaces that didn’t exist in either organization independently. Insider threat dynamics shift as employees from both companies navigate role changes, access provisioning, and cultural integration. Without a deliberate, security-first integration plan, the acquirer may inadvertently create the very conditions that lead to a breach.

The Boardroom Must Own This

Cybersecurity due diligence cannot be delegated exclusively to IT or to outside consultants and then forgotten. The board and executive leadership must be directly engaged in understanding what the assessment reveals and what it means for deal structure, pricing, and post-close priorities. The question is no longer whether cybersecurity should be part of M&A — it is whether leadership is prepared to act on what it finds.

For organizations that lack internal expertise to conduct this level of evaluation, the answer is not to skip it. It is to engage partners who specialize in cyber due diligence for mergers and acquisitions and who understand the intersection of security, compliance, and deal strategy in regulated environments. The cost of a thorough assessment is a fraction of what a single inherited breach will demand in remediation, regulatory response, legal exposure, and reputational repair.

The deals are getting bigger. The threats are getting faster. And the margin for what you don’t know is getting thinner every quarter.

By Thomas McDonald
