The $350 Million Wake-Up Call Nobody Expected
When Verizon acquired Yahoo in 2017, a previously undisclosed breach affecting 3 billion accounts forced the deal price down by $350 million. That single failure of cybersecurity due diligence became the most expensive cautionary tale in M&A history — and it permanently changed how acquirers evaluate targets.
But cybersecurity due diligence isn't just for billion-dollar mergers. Every time your organization onboards a vendor, partners with a third party, or evaluates a new technology platform, you're making a bet. The question is whether you're making an informed one.
I've spent years reviewing security postures during acquisitions, vendor assessments, and partnership evaluations. Here's what I can tell you: most organizations think they're doing due diligence when they're really just checking boxes. This post breaks down what a rigorous process actually looks like, where the blind spots are, and how to build a repeatable framework that catches what checklists miss.
What Is Cybersecurity Due Diligence, Really?
Cybersecurity due diligence is the systematic evaluation of an organization's security posture, policies, and risk exposure before entering a business relationship. That relationship might be an acquisition, a vendor contract, a joint venture, or even a significant technology integration.
The goal isn't to find perfection. It's to find material risk — the kind that changes the economics of a deal, exposes your organization to regulatory liability, or opens a pathway for a threat actor to reach your data through someone else's weaknesses.
According to the Verizon 2024 Data Breach Investigations Report, 15% of breaches involved a third party — a 68% increase from the prior year. That number alone should tell you that your security perimeter now extends well beyond your own infrastructure.
The M&A Trap: Why Post-Close Discovery Is Too Late
In my experience, the most catastrophic due diligence failures happen during mergers and acquisitions. The urgency to close a deal creates enormous pressure to move fast and overlook technical details.
Consider what happened with Marriott. After acquiring Starwood Hotels in 2016, Marriott discovered in 2018 that Starwood's reservation system had been compromised since 2014. The breach exposed 500 million guest records and eventually led to a £18.4 million fine from the UK's Information Commissioner's Office.
The breach existed before the acquisition. Marriott inherited it. That's the M&A trap: you don't just acquire assets and revenue — you acquire every vulnerability, every misconfiguration, and every compromised credential the target has accumulated.
What Acquirers Should Actually Evaluate
Beyond the standard SOC 2 reports and policy documents, a thorough cybersecurity due diligence review in an M&A context should include:
- Historical incident review: Not just disclosed breaches, but internal incident logs, security tickets, and any evidence of prior compromise that was handled quietly.
- Active threat hunting: Engage a team to look for indicators of compromise in the target's environment before you close. Dormant malware, unauthorized access, and data exfiltration often go undetected for months.
- Credential exposure analysis: Check dark web marketplaces and breach databases for leaked credentials tied to the target's domains. Stolen credentials are the leading initial access vector in breaches, so exposed accounts are a direct indicator of risk.
- Regulatory exposure mapping: Identify every jurisdiction and regulation that applies to the target's data. GDPR, CCPA, HIPAA, PCI DSS — each carries its own penalties and notification requirements.
- Technical debt assessment: Outdated operating systems, unpatched software, end-of-life hardware. This isn't glamorous, but it tells you what you'll spend post-close just to reach baseline security.
Vendor Risk: The Quiet Threat Multiplier
You don't need to acquire a company to inherit its problems. Every vendor with access to your systems or data is an extension of your attack surface.
The 2020 SolarWinds attack proved this at scale. A compromised software update from a single vendor gave threat actors access to roughly 18,000 organizations, including multiple U.S. federal agencies. That's the power of supply chain compromise — one weak link propagates everywhere.
Building a Vendor Due Diligence Framework
I've helped organizations build vendor assessment programs that go beyond the typical security questionnaire. Here's the framework that actually works:
Tier your vendors by risk. Not every vendor needs the same scrutiny. A vendor processing your customer payment data needs a fundamentally different evaluation than a vendor providing office supplies. Categorize by data access, system integration depth, and business criticality.
Verify, don't trust. This is the zero trust principle applied to business relationships. When a vendor claims they encrypt data at rest, ask for evidence. Request penetration test summaries. Review their incident response plan — and ask when they last tested it.
Assess their people, not just their technology. Social engineering remains the most effective attack vector. A vendor might have world-class firewalls and still fall to a well-crafted phishing email. Ask about their security awareness training program. Do they run phishing simulations? How often? What's their click rate?
If your own organization needs to strengthen this area, our phishing awareness training for organizations provides exactly the kind of simulation-based program that demonstrates measurable improvement to auditors and partners alike.
Review their subprocessors. Your vendor's vendors matter. The GDPR explicitly requires this. Ask for a list of subprocessors and understand how data flows through the chain.
The $4.88M Lesson Most Small Businesses Learn Too Late
According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million. For smaller organizations, even a fraction of that can be existential.
Small and mid-sized businesses often skip cybersecurity due diligence because they believe they're too small to be targets or too resource-constrained to conduct proper assessments. Both assumptions are wrong.
The FBI's Internet Crime Complaint Center (IC3) consistently reports that small businesses suffer disproportionate losses from business email compromise, ransomware, and credential theft attacks. Many of these attacks originate through trusted third parties — the exact scenario that due diligence is designed to catch.
A Practical Starting Point for Smaller Teams
You don't need a dedicated GRC team to start. Here's a minimal viable due diligence process:
- Maintain a current inventory of every vendor with access to your data or systems.
- Require evidence of multi-factor authentication for any vendor accessing your environment.
- Review the vendor's public breach history and check for exposed credentials on sites like Have I Been Pwned.
- Include security requirements and breach notification clauses in every vendor contract.
- Reassess annually — or whenever the vendor experiences a significant change like an acquisition or leadership transition.
Pairing this process with ongoing cybersecurity awareness training for your team ensures that the humans in the loop can recognize and escalate the warning signs that automated tools miss.
What a Cybersecurity Due Diligence Checklist Should Include
This section is designed to give you a concrete reference. Whether you're evaluating an acquisition target, a critical vendor, or a technology partner, these categories should be part of your assessment:
Governance and Policy
- Written information security policy, reviewed and updated within the past 12 months
- Defined roles and responsibilities for security leadership (CISO, security team, or equivalent)
- Board-level or executive oversight of cybersecurity risk
- Documented acceptable use, data classification, and access control policies
Technical Controls
- Endpoint detection and response (EDR) deployed across all endpoints
- Multi-factor authentication enforced for all remote access and privileged accounts
- Network segmentation separating critical systems from general-purpose networks
- Patch management program with defined SLAs for critical vulnerabilities
- Encryption for data at rest and in transit
Incident Response
- Documented incident response plan
- Evidence of tabletop exercises or simulations within the past year
- Defined breach notification procedures and timelines
- Relationship with a third-party forensics firm (retainer preferred)
Human Factors
- Security awareness training program with documented participation rates
- Regular phishing simulation campaigns with tracked metrics
- Background checks for employees with access to sensitive data or systems
- Offboarding procedures that include immediate credential revocation
Compliance and Legal
- Current compliance certifications (SOC 2, ISO 27001, HITRUST, etc.)
- Data processing agreements aligned with applicable regulations
- Cyber insurance coverage with appropriate limits
- History of regulatory actions, fines, or consent decrees
NIST provides an excellent foundation for structuring these assessments. The NIST Cybersecurity Framework maps directly to the categories above and gives you a common language for communicating findings to non-technical stakeholders.
Red Flags That Should Stop a Deal — or a Contract
In my experience, certain findings during cybersecurity due diligence should trigger immediate escalation. These aren't just weaknesses. They're indicators of systemic risk:
- No incident response plan exists. If an organization hasn't planned for a breach, they won't respond effectively when one happens. Period.
- Admin credentials are shared or lack MFA. This tells you the organization hasn't implemented basic access controls. If a threat actor compromises one account, they likely get the keys to everything.
- They can't produce a current asset inventory. You can't protect what you don't know exists. An organization that can't tell you what's in their environment definitely can't tell you what's exposed.
- No evidence of security training or phishing simulations. Human error drives the majority of breaches. An organization that doesn't invest in security awareness is betting that their people will never make a mistake.
- Previous breaches were handled without disclosure. This isn't just a security red flag — it's a legal and ethical one. Undisclosed breaches suggest a culture that prioritizes concealment over accountability.
Making Cybersecurity Due Diligence Continuous
The biggest mistake I see is treating due diligence as a one-time event. You assess a vendor before signing the contract, file the report, and never look again.
Threat landscapes change. Vendors get acquired. Key security personnel leave. New vulnerabilities emerge. A vendor that passed your assessment 18 months ago may look very different today.
Build reassessment triggers into your program:
- Annual reassessment for all critical and high-risk vendors
- Immediate reassessment after a vendor discloses a breach
- Reassessment when a vendor undergoes a merger, acquisition, or major leadership change
- Reassessment when you expand the scope of data or system access you grant to the vendor
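As an added example (not code from the original post), the following Python model ties together the vendor tiering from the framework above (categorize by data access, integration depth, and business criticality), the minimal process for smaller teams (inventory plus evidence of MFA), and the reassessment triggers listed here. The tier thresholds, the review interval for medium- and low-risk vendors, the event names and the sample vendors are assumptions chosen for illustration.

```python
"""Vendor risk tiering and reassessment triggers.

Added example, not the post's own code. Tier thresholds, the 24-month
interval for medium/low vendors, event names and sample vendors are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class DataAccess(IntEnum):
    NONE = 0        # no access to our data
    INTERNAL = 1    # internal business data only
    PERSONAL = 2    # customer or employee personal data
    REGULATED = 3   # payment card, health or other regulated data


class Integration(IntEnum):
    NONE = 0            # no technical connection
    FILE_EXCHANGE = 1   # periodic exports or uploads
    API = 2             # authenticated API access to our systems
    NETWORK = 3         # VPN, agent or privileged access inside our environment


class Criticality(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2    # an outage stops a core business process


@dataclass
class Vendor:
    name: str
    data_access: DataAccess
    integration: Integration
    criticality: Criticality
    last_assessed: date
    mfa_evidence: bool = False      # evidence of MFA for access to our environment
    events: list = field(default_factory=list)  # (date, event_name) pairs

# Events that should trigger an immediate reassessment (names are assumptions).
EVENT_TRIGGERS = {
    "breach_disclosed": "vendor disclosed a breach",
    "acquired": "vendor underwent a merger or acquisition",
    "leadership_change": "major leadership change at vendor",
    "scope_expanded": "scope of data or system access granted was expanded",
}

# Annual review for critical/high (from the post); 24 months for the rest is an assumption.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 730}


def tier(v: Vendor) -> str:
    """Tier by the worst single dimension, not an average: a vendor holding
    regulated data with no integration is still critical."""
    if v.data_access == DataAccess.REGULATED or v.integration == Integration.NETWORK:
        return "critical"
    worst = max(v.data_access, v.integration, v.criticality)
    if worst >= 2:
        return "high"
    if worst >= 1:
        return "medium"
    return "low"


def reassessment_reasons(v: Vendor, today: date) -> list:
    """Return every reason this vendor is due for reassessment (empty if none)."""
    reasons = []
    t = tier(v)
    interval = REVIEW_INTERVAL_DAYS[t]
    if today - v.last_assessed >= timedelta(days=interval):
        reasons.append(f"periodic review overdue ({t} tier, every {interval} days)")
    for when, event in v.events:
        if when > v.last_assessed and event in EVENT_TRIGGERS:
            reasons.append(f"{EVENT_TRIGGERS[event]} on {when.isoformat()}")
    # Minimal-process rule: any vendor with API-level or deeper access needs MFA evidence.
    if v.integration >= Integration.API and not v.mfa_evidence:
        reasons.append("no evidence of MFA for access to our environment")
    return reasons


def vendors_due(vendors: list, today: date) -> dict:
    """Map vendor name -> reasons, for vendors that need reassessment now."""
    return {v.name: r for v in vendors if (r := reassessment_reasons(v, today))}


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("PayProc", DataAccess.REGULATED, Integration.API, Criticality.HIGH,
           last_assessed=date(2023, 12, 1), mfa_evidence=True),
    Vendor("OfficeSupplyCo", DataAccess.NONE, Integration.NONE, Criticality.LOW,
           last_assessed=date(2023, 6, 1)),
    Vendor("HelpdeskSaaS", DataAccess.PERSONAL, Integration.API, Criticality.MEDIUM,
           last_assessed=date(2024, 9, 1), mfa_evidence=False,
           events=[(date(2024, 11, 15), "acquired")]),
]

if __name__ == "__main__":
    for name, reasons in vendors_due(SAMPLE_VENDORS, date(2025, 1, 15)).items():
        print(f"{name}: " + "; ".join(reasons))
```

Using the worst dimension rather than a weighted average is deliberate: averaging lets a vendor with strong marks on two dimensions hide a single exposure that, on its own, changes the economics of the relationship.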
This continuous approach aligns with zero trust principles — never assume that yesterday's trust decision still holds today.
Your Due Diligence Is Only as Strong as Your Own Posture
Here's the uncomfortable truth: if you're demanding rigorous security from your vendors and partners but your own house isn't in order, you have a credibility problem — and a risk problem.
Cybersecurity due diligence is bidirectional. Your customers and partners are evaluating you with the same scrutiny. Can your organization answer the questions on your own vendor assessment? Could you survive a security audit from your largest customer?
Start with the fundamentals. Train your people. Run phishing simulations. Implement multi-factor authentication everywhere. Document your policies and actually follow them.
If you need a starting point, our cybersecurity awareness training program covers the foundational knowledge every employee needs, from recognizing social engineering tactics to understanding data handling responsibilities. Pair it with our phishing simulation platform to measure your organization's real-world resilience.
Because when the due diligence spotlight turns on you — and it will — the worst thing you can find is that you've been holding others to standards you can't meet yourself.