
Cybersecurity Due Diligence: The M&A Risk That's Repricing Deals

65% of acquirers report deal regret linked to cybersecurity issues discovered post-close. EY identifies cyber risk as a primary valuation consideration — not just a technical footnote.

Verdalyze

15 September 2025

Cybersecurity used to be a post-close problem. A buyer would complete a transaction, begin integration, and only then discover that the acquired company had unpatched vulnerabilities, inadequate access controls, or a history of data incidents that hadn't made it into the due diligence materials. The cost of remediating these issues — or of a breach during the vulnerable integration period — would quietly erode deal value long after the ink was dry.

That model is changing fast. EY's cybersecurity due diligence advisory practice notes that cybersecurity has moved to the front of the board agenda for M&A, and research consistently supports the concern: 65 percent of companies report experiencing regret in an M&A deal due to cybersecurity concerns discovered either during or after the transaction. The head of the Information Security Forum stated that by 2025, cybersecurity would be a primary deciding factor in M&A due diligence — a prediction that has largely been borne out.

Why cyber risk is a valuation issue, not just a risk issue

The shift in how sophisticated buyers treat cybersecurity due diligence is fundamentally about valuation, not just risk management. When a buyer's technical diligence team identifies significant cyber vulnerabilities in a target — legacy systems with known exploits, inadequate identity management, unencrypted customer data — that finding translates directly into a remediation cost estimate. That estimate becomes a price chip.

EY's framework for cybersecurity in M&A explicitly quantifies cyber risk as a valuation consideration: estimated one-time and recurring costs to remediate vulnerabilities, regulatory compliance gaps, and potential liability for prior incidents. For sellers and their advisors, this means that targets entering a sale process with unaddressed cyber vulnerabilities are not just carrying operational risk — they are carrying identifiable value dilution that a prepared buyer will price into their offer.

What boutique advisory firms need to flag early

For sell-side advisors, the most actionable shift is to treat basic cybersecurity posture as part of pre-process preparation — alongside financial normalisation and management presentation preparation. A vendor cyber assessment that identifies and addresses significant vulnerabilities before the data room opens is not a luxury; it's deal preparation that protects against last-minute price reduction or buyer withdrawal.

The key areas that consistently generate buyer concern are: data classification and protection (does the company know where its sensitive data is?), access management (who can access what, and is it properly controlled?), and incident history (has the company experienced breaches, and how were they handled?).

A vendor cyber assessment before the data room opens is cheaper than a post-LOI price chip driven by buyer technical diligence.

The data room dimension

Beyond the target company's own cyber posture, boutique advisory firms have a direct operational responsibility: the security of the deal process itself. VDRs with robust access controls, watermarked documents, and full audit trails are the standard for protecting sensitive information shared in a competitive sale process. Firms still sharing CIMs over email or using consumer-grade cloud storage for deal documents are creating cyber exposure for themselves and their clients that is both unnecessary and professionally indefensible.

As regulatory expectations around data protection in financial services continue to tighten, the quality of a firm's document management and process security will increasingly be scrutinised by institutional clients as part of their advisory firm selection criteria.

Source: Cybersecurity Due Diligence in M&A and Divestitures — EY.
