Mergers and Acquisitions Hide Cyber Risk That Due Diligence Keeps Missing

When one company acquires another, due diligence examines financial statements, legal obligations, and operational capabilities in exhaustive detail. Cybersecurity assessment, if it happens at all, typically amounts to a questionnaire that the target company self-completes. The acquiring organisation has no independent verification that the answers reflect reality.

The consequences of inadequate cyber due diligence are well documented. Several high-profile acquisitions have resulted in massive breach disclosures within months of completion, with the acquiring company inheriting both the compromised systems and the regulatory liability. The purchase price reflected a healthy business. The reality included a network already compromised by attackers who had been inside for years.

What Standard Due Diligence Misses

Self-assessment questionnaires capture what the target company believes about its own security posture. They do not capture what is actually true. An organisation may report that it patches systems monthly, but that claim might apply only to servers whilst hundreds of workstations run outdated software. It might state that MFA is deployed, when in reality exceptions exist for senior executives and legacy applications.

Technical debt accumulates invisibly. Legacy systems, abandoned applications, and unmanaged cloud instances do not appear on spreadsheets. Shadow IT adopted by teams within the target company creates attack surface that nobody in the organisation even knows about, let alone discloses during negotiations.

Network integration during mergers creates particularly dangerous moments. Connecting two previously separate networks without thorough security assessment of both sides opens pathways that attackers in either environment can exploit. A compromised system in the acquired company’s network gains immediate access to the acquirer’s infrastructure the moment the connection goes live.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “We recommend that acquiring organisations commission independent security assessments before finalising any acquisition. A pre-completion external vulnerability scan and targeted penetration test costs a fraction of the deal value but reveals the security reality behind the questionnaire answers. The findings either confirm the target’s claims or expose risks that should influence the purchase price and integration timeline.”

Securing the Acquisition Process

Commission vulnerability scanning services against the target company’s internet-facing infrastructure as a standard due diligence step. External scanning requires no access to internal systems and reveals exposed services, missing patches, and misconfigured security controls that contradict self-reported security postures.

Request a penetration test quote that covers pre-acquisition security assessment. Include external infrastructure testing, a review of the target’s cloud environment, and an assessment of their Active Directory configuration. These are the areas where hidden risk most commonly lurks and where the cost of discovery after completion far exceeds the cost of assessment beforehand.

Cyber risk does not appear on a balance sheet, but it can wipe significant value from an acquisition overnight. Treat security assessment with the same rigour you apply to financial and legal due diligence. The cost of getting it wrong is too high to leave to self-reported questionnaires.
