Potential blind spot in UK dealmaking

by Mark Rowe

The uncomfortable truth in any merger or acquisition (M&A) is that you are not just buying an organisation’s future cash flows; you are buying its history. That includes the risks it has recorded, the risks it has ignored, and, most dangerously, the risks it doesn’t even know it is carrying, says Richard Ford, Group CTO, Integrity360.

In the UK, due diligence is a multi-disciplinary exercise that local boards take seriously. Yet, a critical component is frequently treated as an afterthought: cyber due diligence.

Governance, solvency, and operational controls have rightly become non-negotiables for UK investors and boards. However, cyber risk does not present itself like a debt schedule or a disputed contract. It hides in the shadows of an organisation’s infrastructure – in loose identity controls, forgotten administrator accounts, unsupported software, and unmanaged endpoints. For acquirers, the danger is that traditional financial and legal due diligence often fails to uncover these toxic assets until the deal is signed and the networks are connected.


The visibility deficit

The primary challenge is a lack of visibility. Many organisations simply do not have a reliable, current picture of what they own, what is exposed, and what is vulnerable. This is particularly acute where IT and operational technology (OT) environments intersect, as in the manufacturing and logistics sectors. If an organisation cannot see an asset, it cannot secure it. And if it cannot secure it, a potential buyer cannot accurately value it.

When an acquirer connects to a target's network, it inherits any existing compromise of that network. If a threat actor has been lurking in the target's systems for six months, and dwell times of that length are not unusual, that dormant intrusion becomes the acquirer's crisis on day one. The "synergies" promised in the deal presentation quickly evaporate when set against the costs of remediation, regulatory fines and reputational damage.


Cyber risk is a valuation lever

It is time to stop viewing cybersecurity solely as an IT hygiene issue and start treating it as a valuation lever. If a target organisation has significant technical debt – such as legacy systems that cannot be patched or a flat network architecture that allows ransomware to spread unchecked – that is a financial liability. It represents a future cost that must be factored into the purchase price.

Consider the cost of a data breach. Research shows that the average cost of a data breach in the UK has risen to more than £3 million. For a mid-market acquisition, absorbing a hidden breach could wipe out a significant proportion of the projected value of the deal.

One example of a hidden liability is a company that processes large volumes of personal information but cannot demonstrate a clear data inventory, a lawful basis for processing, retention controls, or consistent access management. A breach may have taken place years ago and been investigated informally. Post-acquisition, evidence of historic unauthorised access comes to light, and it becomes a board-level risk that was never priced into the deal.

Far from being theoretical, there are numerous examples globally where cyber issues have directly affected M&A outcomes. A cautionary tale is Marriott's acquisition of Starwood. The UK Information Commissioner's Office (ICO) stated that Marriott "failed to undertake sufficient due diligence" when it bought Starwood, and that the underlying intrusion dated back years before the breach was publicly disclosed.

Over and above risk mitigation, accurate cyber due diligence is a powerful negotiation tool. Discovering that a target requires a million-pound security overhaul to meet the acquirer's compliance standards provides legitimate grounds to renegotiate the purchase price, or to structure the deal with specific warranties and indemnities.


Red flags in the data room

How can boards and dealmakers identify these risks before it is too late? It requires asking probing, and often unfamiliar, questions about the target's security maturity.

One major red flag is a lack of separation of duties. In many smaller, high-growth organisations, the "IT guy" holds the keys to the kingdom, managing firewalls, endpoints and backups, often from a single account with unrestricted administrative access. If that individual is compromised (or goes rogue), the damage can be total: the same credentials that configure the perimeter can also delete the backups that would be used to recover. Another critical indicator is vulnerability management. Is there a measurable, consistent programme with executive visibility, or is the target relying on a cycle of reactive fixes?

The same scrutiny must apply to third parties. Supply chains are often the widest and least controlled route into sensitive systems. An acquirer needs to know not just who the target does business with, but how those vendors connect to the target’s network. Finally, compliance maturity needs to be demonstrable. It is easy to write a policy; it is much harder to prove that the policy is tested and enforced in practice.


Integration: moment of maximum risk

M&A activity creates the perfect conditions for attackers. The chaos of integration, connecting new networks, migrating data and merging email systems, generates noise that masks malicious activity. Attackers know that during a merger employees are expecting unusual emails from HR or IT about "new systems" or "payroll changes", so a lure on exactly those themes is far less likely to be questioned. This makes integration the prime window for social engineering and phishing.


Making it a day-one priority

In the same way a board would not sign on the dotted line without clarity on an organisation’s tax affairs, a deal should not proceed without a realistic view of security posture. This must include a clear plan – and budget – for bringing the acquired environment up to the standard regulators, customers, and insurers expect. By making cyber due diligence a day-one priority, UK organisations can ensure that their next acquisition brings growth and innovation, rather than a hidden legacy of risk.
