
Hidden liabilities can kill deals or cause post-acquisition breaches, costing participants millions and leading to untold reputational harm.

In M&A, cyber risk rarely shows up neatly in the financials. But a single, hidden weakness can derail a transaction, trigger post-close disruption, or turn an acquired business into a launchpad for broader compromise. 

People, processes and technology should always be under the microscope when assessing deal cybersecurity. Investors and advisors must ask better questions, validate what they’re told, and prioritise remediation before value is compromised (even under tight diligence timelines).

We’ve drawn up a list of key cybersecurity red flags for dealmakers to look out for:

People 

People form the foundation of an organisation. Under deal timelines a quick risk assessment is usually all that is possible, but an organisation’s personnel should still be a key consideration for investors.

Firms must ask "can we do business with these people?" and "can we trust them to protect our investment?"

Leadership

Dealmakers often only have access to a small number of senior people, but it’s important to understand whether these individuals have an adequate understanding of cyber risk, and whether certain other responsibilities have been delegated to individuals outside the deal perimeter.

Do these leaders have a genuine interest in and knowledge of deal cybersecurity, and is there a cyber roadmap in place? A lack of either can undermine the value of the cybersecurity narrative within the business.

Honesty

The CTO of a private equity firm we work with once said “I’m more worried when a firm says everything is fine, as opposed to when they’re honest about any issues and can demonstrate a detailed cyber roadmap that demonstrates their diligence.” 

Issues can only be effectively mitigated if deal teams are honest about their existence. A lack of honesty can undermine trust in the leadership of a company, and any lack of confidence is likely to be reflected in a risk-adjusted price.

Processes

Dealmakers must ask themselves whether practices are being executed in a consistent way, and whether the business can respond quickly to address risks and threats.

There are a number of operational processes that need to be scrutinised:

  • Patching cadence: Maintaining a patching cadence is a key challenge for organisations, but it must be a baseline expectation. It requires knowledge of assets, engagement with asset owners, and centralised, consistent procurement.
  • Incident response: Being able to respond, reduce the blast radius, and act at speed and with confidence makes a huge difference in mitigating a cyber compromise. It requires expertise, experience, and knowledge of the business and its stakeholders.
  • Core-competence processes: Processes specific to the core business competence (e.g. the developer organisation and its secure development practices) must be carefully assessed.
  • Testing and assurance: Penetration testing (expect to see evidence of continuous, layered testing).
  • External assessments: Trust but verify, with regular reviews, KPIs, and reporting.

Previous incidents

Previous cyber breaches can undermine the value of an organisation. It’s common for firms that have been impacted by incidents to experience both short and long-term fallout, with some examples leading to multiple years of court cases and regulatory investigations.

A number of critical questions must be answered:

  • Has an earlier incident occurred that could impact the value of the investment?
  • Is there evidence that an earlier breach or threat actor presence has exposed credentials on dark web forums (this can be mitigated by threat hunts and dark web monitoring)?
  • Were all issues addressed and closed to prevent a similar incident from occurring?

Additional forensics, a deeper exploration, and legal advice on regulatory exposure can potentially lead to a deal being delayed.

Technology

Technology and its appropriate use and configuration is vital: an appropriate technology tool set is necessary to deliver effective security, but it shouldn’t be seen as a magic bullet for all cybersecurity issues.

M&A professionals should be aware of a number of key issues around technology.

  • Investment: Firstly, have the appropriate investments been made to protect and monitor assets across the business? Budget for new tooling and for possible threat hunts.
  • Governance of technology: Harden attitudes around the corporate use of applications and technology. Look at centralised assets, appropriate spend, and management of broader technologies.
  • Authentication (SSO, MFA, privileged accounts): This is complex and challenging, but it addresses key risks. Single sign-on should be centralised; multi-factor authentication is itself subject to external attack; and privileged, high-risk accounts are frequently targeted by threat actors.
  • Backups: Backups should be segregated and isolated to provide a fallback or safety net.
  • Secure gateways, inbound and outbound: Email should be secured and controlled. Understand where access to in-house assets (typically legacy) is really required.
  • AV and EDR: The solutions used should be appropriate to the size of the firm, so that they effectively detect and alert on malicious activity.

AI use by advisors

Speaking of technology, the issue currently on everyone’s lips is artificial intelligence – and AI use by advisors is an increasing area of concern. 

It has been widely reported recently that Wall Street law firm Sullivan & Cromwell told a court that a major filing it made in a high-profile bankruptcy case contained errors resulting from “AI hallucinations”. The firm apologised, saying that it maintains “comprehensive policies and training requirements governing the use of AI tools in legal work” designed to identify potential errors. However, they also said those AI policies weren’t followed and that a secondary review process “did not identify the inaccurate citations generated by AI”.

Examples like this illustrate that AI use by advisors, and by commercial due diligence analysts working without guardrails, can cause significant reputational damage.

Wider company context

Dealmakers must also understand how companies involved in mergers and acquisitions present themselves to the outside world and to all those involved in the deal.

  • Gain an understanding of a company’s critical crown jewels and establish appropriate security measures to guard them.
  • How does the organisation present itself externally through its people?
  • Be aware of the wider industry a company operates in and how it engages with that industry (including peer benchmarking and the threat landscape).
  • As mentioned, there’s often a lack of consideration of AI risk across businesses. Cyber M&A must incorporate AI resiliency and consider multi-model situations.

Cybersecurity is an essential M&A guardrail

Cybersecurity due diligence is an activity that, when conducted effectively, allows an investor to determine the effectiveness of management, the culture of the business, and the ability of the organisation to invest in critical and complex businesses. Typically, the red flags in this document will be confirmed or uncovered by a thorough due diligence exercise, assessing implications for the deal and outlining a set of recommendations.

Finally, it’s important to look at cybersecurity integration within a business and ask whether the cybersecurity team is giving the business value for money; is the level of cybersecurity being employed consistent with the threats they face and is it sufficiently targeted?
