Tags: M&A, Due Diligence, Risk Management, Security Assessment

M&A Security Due Diligence: The Checklist You Need

Sam Wheeler · November 11, 2025

Mergers and acquisitions are already complicated. Security adds another layer that many deal teams underestimate until it's too late. Acquiring a company means acquiring its security posture — including the breaches that haven't been discovered yet, the technical debt that's never been addressed, and the compliance obligations that haven't been fulfilled.

Security due diligence in M&A is the discipline of finding these issues before closing, when you have negotiating leverage. After closing, they're your problem entirely.

The Business Case for Security DD

The Marriott-Starwood merger is the canonical cautionary tale: after acquiring Starwood, Marriott discovered that the reservation database had been compromised for approximately four years — a breach that occurred before the acquisition but became Marriott's problem. The total cost: over $100 million in breach response, fines, and legal settlements, plus reputational damage.

Security due diligence doesn't guarantee you'll find everything, but it:

  • Identifies known security issues and technical debt
  • Surfaces compliance gaps and potential regulatory exposure
  • Provides data for representations and warranties (R&W) insurance
  • Informs deal structure (price adjustments, escrows, contractual security improvement commitments)
  • Gives you a head start on post-close integration planning

What Security DD Covers

Technical environment review. What systems, infrastructure, and cloud environments does the target operate? What's the basic security architecture — segmentation, access controls, monitoring? This typically requires interviews with IT leadership and technical review of available documentation.

Vulnerability assessment. External attack surface scanning to identify externally visible vulnerabilities and misconfigurations. For larger deals, an internal assessment or penetration test may be warranted.

Third-party risk. Who are their significant vendors? Are appropriate agreements in place (BAAs for healthcare data, DPAs for personal data, other contractual security requirements)? What's the quality of their vendor assessment program?

Compliance posture. What regulatory obligations does the target have (HIPAA, PCI DSS, GDPR, state privacy laws)? Are they meeting them? What's the documented evidence of compliance?

Incident history. Have they had material security incidents in the past three to five years? How were they handled? Are there ongoing regulatory investigations? Are there disclosed breach notifications in public records or regulatory filings?

Security program maturity. Do they have documented security policies? A risk assessment program? Security awareness training? Penetration testing history? An incident response plan? A dedicated security function?

Contracts and representations. What security representations have they made to customers? What customer contracts include security commitments they may not be meeting? What indemnification exposure exists from security incidents?

The Timeline Challenge

M&A timelines are often compressed, and security due diligence competes for time with financial, legal, and operational reviews. In practice, you often get two to four weeks.

Prioritize based on risk:

  1. External vulnerability assessment (fast, automated, reveals obvious issues)
  2. Incident history and regulatory exposure (documentation review)
  3. Compliance gap assessment against applicable frameworks
  4. Security program maturity interviews
  5. Internal technical assessment (if time and access permit)

A targeted assessment focused on highest-risk areas is more valuable than a comprehensive assessment that can't be completed in the available time.

Using Findings in Negotiations

Security findings can be used to:

Adjust purchase price. Quantified remediation cost or regulatory exposure can be negotiated into the deal price.

Create escrows. Seller-funded escrow accounts address contingent security liabilities (ongoing regulatory investigation, known unremediated vulnerabilities).

Require pre-close remediation. Specific security issues can be conditions of closing.

Structure representations and warranties. Sellers can make specific security representations, and R&W insurance can cover them.

Inform integration planning. Security issues that won't be resolved pre-close need a post-close remediation plan with timeline and resources.

Post-Close Integration

Acquiring a company doesn't mean absorbing its security posture — it means either integrating it into yours or running a separate environment with defined interconnections and controls.

Security integration planning should start during due diligence. Know in advance: which systems will be integrated and when, what the access boundaries are during the integration period, how acquired employees will be onboarded into your identity infrastructure, and what the target state looks like.

Security incidents during the integration period are common. Having an IR plan that covers the combined entity — before integration is complete — reduces the risk of a messy incident during an already complex period.
