Uncover Hidden Breaches Before Your M&A Deal Closes.
Written By: AKATI Sekurity Insights Team | Cybersecurity Consulting & MSSP Experts
Reading Time: 4 minutes
The Untold Story: Verizon bought Yahoo for $4.48 billion in 2017. Then discovered Yahoo had hidden two massive data breaches affecting 3 billion user accounts. Verizon renegotiated, slashing $350 million off the purchase price. Marriott acquired Starwood Hotels for $13.6 billion in 2016. Four years later, they're still paying for Starwood's pre-acquisition breach—$123 million in fines, hundreds of millions in remediation, and immeasurable reputation damage.
These aren't isolated incidents. They're warnings about the cybersecurity blind spot in mergers and acquisitions that's costing companies billions. This investigation reveals the 12 red flags that should stop deals cold, and what smart acquirers actually check before signing.
The Secret Everyone Knows (But Nobody Talks About Until It's Too Late)
Conference room. Top floor. Mahogany table. Your company is about to acquire a competitor for $200 million. Lawyers reviewed contracts for months. Accountants audited every line item. HR assessed the workforce. Marketing evaluated brand value. Everyone's excited. The deal closes Friday.
Monday morning, your CISO walks into the CEO's office with news: the acquired company's customer database has been exposed on the dark web for six months. Nobody knew. More accurately, nobody checked. The company you just bought is sitting on an undisclosed breach that's about to become your breach, complete with regulatory fines, customer lawsuits, and headlines.
Here's what happens in most acquisitions: Financial due diligence gets 90 days and unlimited budget. Technology review gets two weeks focused on "do the systems work?" Cybersecurity gets a questionnaire sent to the target company's IT manager, who fills it out optimistically because his job depends on the deal closing.
Three months after acquisition, you discover their systems run on hope and default passwords. By then, you've wired the money. Research from IBM shows that 60% of acquired companies have undisclosed security incidents at acquisition. The average cost of these hidden breaches exceeds $4 million post-discovery. Yet cybersecurity due diligence typically receives 1-5% of the attention financial reviews get.
Red Flag #1: The "We Haven't Been Breached" Company
The target company's security questionnaire says they've never experienced a security incident. Not once. Ever. Your team marks this as a positive and moves on. Stop. This is the biggest red flag because it's almost certainly false.
IBM's research shows the average organization takes 204 days to detect a breach. Mandiant's data indicates sophisticated attackers remain undetected for weeks or months. Translation: most companies have been breached and don't know it yet. When targets claim zero security incidents, they either lack monitoring capabilities to detect breaches, or they're lying. Both are problems.
What to look for instead: Companies with mature security acknowledge incidents because they have detection capabilities. Ask specifically: "What security incidents have you detected and remediated in the past 24 months?" If the answer is "none," either walk away or budget for a comprehensive compromise assessment post-acquisition.
Red Flag #2: The Technology Leader Who Can't Answer Basic Security Questions
During technical due diligence, you meet the target company's CTO or IT Director. Smart person. Knows the business. You ask three questions: "What's your process for security patch management?" "How do you monitor for security incidents?" "What happens if you're hit with ransomware?"
They can't answer with specifics. They pivot to generalities about "taking security seriously" and "having measures in place." This person either doesn't know the answers (meaning nobody's doing security), or they're deliberately vague (meaning they know it's bad). Either way, security is nobody's explicit responsibility.
In organizations with functional security, technical leaders answer immediately with specifics: "We patch critical vulnerabilities within 30 days using [specific tools]. We monitor through our SIEM with 24/7 SOC coverage. Our ransomware plan includes offline backups tested quarterly." The difference between vague platitudes and specific answers tells you everything.
Red Flag #3: The Ancient Systems Running Critical Operations
You're touring the target company's data center or reviewing their technology infrastructure. Ask: "What operating systems run your critical applications?" If you hear "Windows Server 2003," "Windows XP," or anything unsupported for years, alarm bells should ring.
Legacy systems aren't just old—they're security catastrophes. No patches. No updates. Known vulnerabilities that will never be fixed. When you acquire a company running unsupported systems, you inherit guaranteed security problems and massive replacement costs.
Specific questions for technical due diligence: "What's your oldest production system?" "Which systems can't be patched without breaking operations?" "What's your plan and budget for replacing end-of-life systems?" If they're running critical operations on ancient technology with no replacement plan, add $500,000-$5 million to acquisition costs for emergency modernization.
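The three questions above are easier to answer consistently when the target hands over an asset inventory and you run the same check against every entry. The following Python script is an added example written for this article, not AKATI Sekurity's code: it parses a constructed inventory CSV, flags systems whose operating system the vendor no longer supports, lists the systems the target says cannot be patched, and reports the oldest production system. The end-of-support dates in EOL_DATES are an assumption taken from vendor lifecycle schedules; verify each one against the vendor's lifecycle page before relying on the output.

```python
"""Flag end-of-life and unpatchable systems in a target company's asset inventory.

Added example for the Red Flag #3 checks; this is not AKATI Sekurity's code.
Input is the asset inventory the target company hands over during technical
due diligence. Output answers the three questions in the text: oldest
production system, systems that cannot be patched, and systems running an
operating system the vendor no longer supports.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumption: end-of-extended-support dates as published in vendor lifecycle
# schedules. Verify each entry against the vendor's lifecycle page before use.
EOL_DATES: dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
}

# Constructed inventory for the example (not a real target company).
SAMPLE_INVENTORY = """\
hostname,os,role,criticality,patchable,deployed
erp-db-01,Windows Server 2003,ERP database,critical,no,2006-03-01
hr-app-01,Windows Server 2012 R2,HR portal,high,yes,2015-09-15
file-01,Windows Server 2019,file share,medium,yes,2020-02-10
plant-hmi-02,Windows XP,plant control HMI,critical,no,2008-11-20
legacy-ctl-01,Embedded Linux 2.6 (vendor build),line controller,high,no,2009-05-05
web-01,Windows Server 2022,customer web,high,yes,2022-06-01
"""


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    role: str
    criticality: str   # critical / high / medium / low, as declared by the target
    patchable: bool    # target's answer to "can this be patched without breaking operations?"
    deployed: date


@dataclass(frozen=True)
class Finding:
    hostname: str
    os: str
    severity: str      # critical / high / medium / review
    reason: str


def parse_inventory(csv_text: str) -> list[Asset]:
    """Parse the inventory CSV the target company provides."""
    assets: list[Asset] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        assets.append(Asset(
            hostname=row["hostname"].strip(),
            os=row["os"].strip(),
            role=row["role"].strip(),
            criticality=row["criticality"].strip().lower(),
            patchable=row["patchable"].strip().lower() == "yes",
            deployed=date.fromisoformat(row["deployed"].strip()),
        ))
    return assets


def assess(assets: list[Asset], as_of: date) -> list[Finding]:
    """Compare each asset's OS against the lifecycle table as of a given date."""
    findings: list[Finding] = []
    for a in assets:
        eol = EOL_DATES.get(a.os)
        if eol is None:
            # Unknown OS: the reviewer must confirm support status, not assume it.
            findings.append(Finding(a.hostname, a.os, "review",
                                    "OS not in lifecycle table; confirm support status with vendor"))
        elif eol <= as_of:
            years = (as_of - eol).days // 365
            sev = "critical" if a.criticality == "critical" else "high"
            findings.append(Finding(a.hostname, a.os, sev,
                                    f"vendor support ended {eol.isoformat()} ({years} years without patches)"))
        elif not a.patchable:
            findings.append(Finding(a.hostname, a.os, "medium",
                                    "supported OS, but target says it cannot be patched without breaking operations"))
    return findings


def unpatchable(assets: list[Asset]) -> list[Asset]:
    """Systems the target itself says cannot be patched (question two in the text)."""
    return [a for a in assets if not a.patchable]


def oldest_production_system(assets: list[Asset]) -> Asset:
    """Question one in the text: what is your oldest production system?"""
    return min(assets, key=lambda a: a.deployed)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for the due-diligence summary."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    oldest = oldest_production_system(inventory)
    print(f"Oldest production system: {oldest.hostname} ({oldest.os}, deployed {oldest.deployed})")
    print("Cannot be patched:", ", ".join(a.hostname for a in unpatchable(inventory)))
    for f in assess(inventory, date.today()):
        print(f"[{f.severity.upper():8}] {f.hostname:14} {f.os:35} {f.reason}")
    print("Summary:", summarize(assess(inventory, date.today())))
```

The "review" severity is deliberate: an OS the table does not know is not a finding in itself, but it is a question the reviewer has to close with the vendor rather than let drop. Each "critical" or "high" line corresponds to a system that has to be in the replacement plan and budget the text asks about.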
Red Flag #4: The Missing (Or Fake) Incident Response Plan
Ask to see their cybersecurity incident response plan. Mature organizations immediately provide a documented, tested plan with contact lists, decision trees, and evidence of tabletop exercises.
Red flags appear when they can't produce a plan (doesn't exist), provide a generic template downloaded from the internet (never used), or have a plan but no evidence of testing in the past year (nobody knows if it works).
Here's why this matters: when the inevitable security incident occurs after you own the company, you need rapid, coordinated response. If no tested plan exists, you're improvising during a crisis—the most expensive approach. Ask: "When was your plan last tested, and what did you learn?" The answers reveal whether you're acquiring a company prepared for incidents or one that will panic during the first crisis.
Red Flag #5: The Third-Party Vendor Chaos (The Unknown Unknowns)
Ask for a list of all vendors with system access or data access. Mature organizations produce a comprehensive vendor inventory with security assessments, access levels, and contract terms.
Red flag companies either can't provide this list (don't know who has access), provide an obviously incomplete list (missing cloud providers or SaaS applications), or provide a list without vendor security assessments (granted access without vetting).
Post-acquisition, their vendors become your vendors, and their vendor security problems become yours. The SolarWinds attack proved that vendor compromises cascade to customers. Ask: "Which vendors have network access?" "Which vendors process customer data?" "What security requirements must vendors meet?" If they can't answer comprehensively, you're acquiring unknown third-party risks.
Red Flag #6: The Compliance Claim Without Evidence (The Paper Tiger)
The target company's materials claim they're "PCI DSS compliant," "SOC 2 certified," or "ISO 27001 certified." During due diligence, ask for evidence: actual compliance reports, certificates, or audit results.
Red flags appear when they can't produce documentation (compliance claim is false), produce outdated reports from years ago (compliance lapsed), or reports contain significant exceptions (barely compliant). False compliance claims are common, especially among smaller companies where marketing made claims IT couldn't support.
Request actual compliance reports, verify they're current (within 12 months), review any exceptions noted, and confirm compliance scope covers relevant systems. If claims don't match evidence, either negotiate price reduction to cover remediation costs or reconsider the deal.
What Smart Acquirers Actually Do (The Playbook That Works)
Organizations that avoid M&A cybersecurity disasters treat security due diligence as seriously as financial review. They engage cybersecurity specialists during the letter of intent phase, not after. They conduct comprehensive security assessments including vulnerability scanning, policy reviews, technical staff interviews, and compromise assessments to detect undisclosed breaches.
They model security remediation costs explicitly in acquisition financial models, typically 5-15% of purchase price for companies with weak security. They negotiate representation and warranty insurance specifically covering cybersecurity issues. They build security integration into day-one planning, ensuring acquired systems don't create gaps.
AKATI Sekurity: M&A Cybersecurity Due Diligence That Protects Your Investment
Mergers and acquisitions require specialized cybersecurity expertise most organizations don't maintain internally. AKATI Sekurity's Cybersecurity Consulting services include M&A security due diligence for acquirers—comprehensive security assessments of target companies, identification of undisclosed breaches or vulnerabilities, quantification of security remediation costs for financial modeling, and risk-based recommendations to proceed, renegotiate, or walk away.
For sellers preparing for acquisition, we provide pre-sale security assessments identifying and remediating issues before due diligence, documentation of security controls for buyer review, and preparation of security teams for questioning. Our Digital Forensics and Incident Response services include compromise assessments for M&A—forensic investigation determining whether target companies have undisclosed breaches before deals close.
For ASEAN organizations involved in regional M&A activity, we understand local regulatory requirements and security maturity levels affecting valuation. For US organizations, we align M&A security due diligence with SEC disclosure requirements and industry-specific regulations affecting deal structures.
Protect your investment before you wire the money. Contact AKATI Sekurity at hello@akati.com for more information.
About the Author: This article was written by AKATI Sekurity's M&A cybersecurity specialists who conduct security due diligence for private equity firms, corporate development teams, and strategic acquirers across financial services, healthcare, technology, and manufacturing sectors in ASEAN and North America.
Related Services: Cybersecurity Consulting | Security Posture Assessment | Digital Forensics & Incident Response | Penetration Testing
Key Terms Explained:
M&A Due Diligence: Investigation of a target company before acquisition to identify risks and validate claims
Compromise Assessment: Forensic investigation to determine if an organization has been breached
Legacy Systems: Outdated technology still in production that no longer receives security updates
Incident Response Plan: Documented procedures for detecting, responding to, and recovering from security incidents
Vendor Security Assessment: Evaluation of third-party vendors' security practices before granting access
References:
IBM Cost of a Data Breach Report 2024
Mandiant M-Trends Report 2024
Verizon Yahoo Acquisition Case Study
Marriott-Starwood Data Breach Regulatory Fines