The $350 Million Typo in Verizon's Yahoo Deal
When Verizon closed its acquisition of Yahoo in 2017, the disclosure of two massive data breaches, one of which was later confirmed to affect all 3 billion Yahoo accounts, knocked $350 million off the purchase price. That's not a rounding error. That's what happens when cybersecurity due diligence surfaces what a seller failed to disclose.
I've been on both sides of these assessments. I've watched deals collapse, seen vendors lose contracts worth millions, and helped organizations discover that their most trusted partner was running unpatched Windows Server 2008 in production. The pattern is always the same: someone skipped the hard questions.
This post is your field guide to what cybersecurity due diligence actually looks like in 2026 — not the sanitized checklist version, but the real work that separates protected organizations from tomorrow's breach headlines.
What Is Cybersecurity Due Diligence?
Cybersecurity due diligence is the systematic evaluation of an organization's security posture, typically performed before a merger, acquisition, vendor engagement, or major partnership. It examines technical controls, policies, incident history, compliance status, and the human factors that often determine whether those controls actually work.
Think of it as a deep background check — but for an organization's entire digital infrastructure, culture, and risk exposure. It goes far beyond asking "Do you have a firewall?" and into territory like "Show me your incident response logs from the last 18 months."
The Three Scenarios That Demand It
Mergers and Acquisitions
The Yahoo-Verizon deal wasn't an outlier. According to a 2023 study by Forescout, 73% of M&A professionals said cybersecurity concerns contributed to deal regret. Hidden liabilities like unreported breaches, regulatory non-compliance, or legacy systems riddled with vulnerabilities can crater valuation overnight.
I've personally seen an acquisition paused for six months because the target company had no centralized asset inventory. They literally couldn't tell us how many servers they operated. That's not a technology problem — it's a governance failure that cybersecurity due diligence is designed to catch.
Third-Party Vendor Onboarding
Your vendor's weakness is your weakness. The 2023 MOVEit Transfer breach demonstrated this at scale: a single SQL injection flaw in one managed file transfer product exposed data at more than 2,600 organizations, many of them through a vendor's installation rather than their own. Supply chain compromise is now a routine entry point for well-resourced threat actors.
Before you grant any vendor access to your environment, you need to evaluate their security controls with the same rigor you apply to your own. That means penetration test results, SOC 2 reports, evidence of employee cybersecurity awareness training, and proof that they enforce multi-factor authentication on every account that matters, not just that they purchased licenses for it.
Board-Level Governance Reviews
The SEC's 2023 cybersecurity disclosure rules raised the stakes. Public companies must now report a cybersecurity incident on Form 8-K within four business days of determining that it is material, and describe their cybersecurity risk management, strategy, and governance in their annual report. A board that isn't conducting regular cybersecurity due diligence on its own organization is operating blind, and will struggle to make the materiality determination the rules require.
The 7-Point Framework I Actually Use
Forget generic questionnaires with 200 yes/no questions. Here's the framework that reveals real risk.
1. Asset Discovery and Classification
You can't protect what you don't know exists. I start every engagement by mapping the target's attack surface — external-facing assets, cloud instances, shadow IT, IoT devices, everything. If they can't produce an accurate asset inventory within 48 hours, that tells me more than any policy document ever could.
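The first thing I actually do with a target's inventory is reconcile it against what external discovery turns up. The script below is an added example, not code from the original post: the inventory and scan results are constructed for illustration, and the field names are assumptions rather than any CMDB or scanner's real export format. It matches discovered hosts to inventory entries by hostname (normalizing case and trailing dots), falls back to IP when a host has no name, and reports the three things that matter in an assessment: hosts the target didn't know about, inventory entries nothing was found for, and assets with no accountable owner.

```python
"""Reconcile a target's declared asset inventory against external discovery.

Added example, not from the original post. INVENTORY stands in for a CMDB
export handed over by the target and DISCOVERED for hosts found by external
DNS enumeration and port scanning. Both data sets and their field names are
constructed for this illustration, not any particular tool's format.
"""


def normalize_host(name: str) -> str:
    """Lower-case and strip the trailing dot so DNS output matches CMDB entries."""
    return name.strip().rstrip(".").lower()


INVENTORY = [  # constructed CMDB export
    {"hostname": "www.example.test", "ip": "203.0.113.10", "owner": "web-team"},
    {"hostname": "vpn.example.test", "ip": "203.0.113.20", "owner": "netops"},
    {"hostname": "legacy-erp.example.test", "ip": "203.0.113.30", "owner": ""},
    {"hostname": "old-mail.example.test", "ip": "203.0.113.40", "owner": "it"},
]

DISCOVERED = [  # constructed external scan results
    {"hostname": "www.example.test", "ip": "203.0.113.10", "ports": [443]},
    {"hostname": "VPN.example.test.", "ip": "203.0.113.20", "ports": [443, 1194]},
    {"hostname": "", "ip": "203.0.113.30", "ports": [3389]},
    {"hostname": "staging-api.example.test", "ip": "198.51.100.5", "ports": [8080]},
    {"hostname": "dev-jenkins.example.test", "ip": "198.51.100.6", "ports": [22, 8080]},
]


def reconcile(inventory, discovered):
    """Match discovered hosts to inventory by hostname, falling back to IP.

    Returns a dict with:
      matched - discovered hosts the target knew about
      unknown - discovered hosts absent from the inventory (shadow IT)
      stale   - inventory entries nothing was found for (decommissioned or
                mis-recorded)
      unowned - inventory entries with no accountable owner
    """
    by_host = {normalize_host(a["hostname"]): a for a in inventory if a["hostname"]}
    by_ip = {a["ip"]: a for a in inventory if a["ip"]}
    seen = set()
    matched, unknown = [], []
    for host in discovered:
        entry = by_host.get(normalize_host(host["hostname"])) or by_ip.get(host["ip"])
        if entry is None:
            unknown.append(host)
        else:
            matched.append({**host, "inventory": entry})
            seen.add(entry["hostname"])
    stale = [a for a in inventory if a["hostname"] not in seen]
    unowned = [a for a in inventory if not a["owner"].strip()]
    return {"matched": matched, "unknown": unknown, "stale": stale, "unowned": unowned}


def inventory_coverage(report) -> float:
    """Share of externally visible hosts that the inventory accounted for."""
    total = len(report["matched"]) + len(report["unknown"])
    return len(report["matched"]) / total if total else 1.0


if __name__ == "__main__":
    report = reconcile(INVENTORY, DISCOVERED)
    print(f"inventory coverage of external attack surface: {inventory_coverage(report):.0%}")
    for h in report["unknown"]:
        print("UNKNOWN ", h["hostname"] or h["ip"], h["ports"])
    for a in report["stale"]:
        print("STALE   ", a["hostname"])
    for a in report["unowned"]:
        print("NO OWNER", a["hostname"])
```

On the constructed data the inventory covers 60% of what is externally visible: two internet-facing development systems are unknown to the target, one recorded mail server no longer answers, and the one asset exposing RDP has no owner. Each of those is a question for the next interview, which is the point of running the reconciliation before reading any policy document.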
2. Incident History and Response Capability
I ask for incident response logs, not just the incident response plan. A beautifully formatted IR plan that's never been tested is wallpaper. I want to see tabletop exercise results, mean time to detect, and mean time to contain. CISA's Cyber Threats and Advisories page is a useful reference for the threat activity their detection program should be catching.
3. Identity and Access Management
This is where most organizations fall apart. I look for multi-factor authentication enforced by policy on every privileged account, evidence of regular access reviews, and a zero trust architecture, or at least a credible roadmap toward one. Stolen credentials remain the most common initial access vector according to the Verizon Data Breach Investigations Report.
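The distinction between MFA that is registered and MFA that is enforced is where a lot of vendor questionnaires lie by omission, so I check it from a directory export rather than a yes/no answer. The audit below is an added example, not code from the original post. The user records, the field names, the set of roles treated as privileged, and the 90-day staleness window are all assumptions for the illustration and not any product's schema or any standard's threshold. It reports privileged accounts that lack an enforcing policy, that cannot even register a second factor, that haven't signed in within the review window, and non-human accounts holding admin roles.

```python
"""Audit privileged accounts for enforced MFA and access-review hygiene.

Added example, not from the original post. USERS is a constructed directory
export; the field names, the role names treated as privileged and the 90-day
staleness window are assumptions for this illustration, not a real product's
schema or any standard's threshold.
"""
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {  # assumption: roles treated as privileged for this check
    "Global Administrator",
    "Privileged Role Administrator",
    "Domain Admins",
    "Subscription Owner",
}
STALE_AFTER = timedelta(days=90)  # assumption: access-review window
AS_OF = datetime(2026, 1, 15, tzinfo=timezone.utc)  # assessment date

USERS = [  # constructed directory export
    {"upn": "alice@example.test", "type": "user", "roles": ["Global Administrator"],
     "mfa_registered": True, "mfa_enforced": True, "last_sign_in": "2026-01-14T09:12:00Z"},
    {"upn": "bob@example.test", "type": "user", "roles": ["Global Administrator"],
     "mfa_registered": True, "mfa_enforced": False, "last_sign_in": "2026-01-13T17:40:00Z"},
    {"upn": "svc-backup@example.test", "type": "service", "roles": ["Domain Admins"],
     "mfa_registered": False, "mfa_enforced": False, "last_sign_in": "2025-06-02T03:00:00Z"},
    {"upn": "carol@example.test", "type": "user", "roles": ["Subscription Owner"],
     "mfa_registered": True, "mfa_enforced": True, "last_sign_in": "2025-08-20T11:05:00Z"},
    {"upn": "dave@example.test", "type": "user", "roles": [],
     "mfa_registered": False, "mfa_enforced": False, "last_sign_in": "2026-01-15T08:00:00Z"},
]


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_privileged(user) -> bool:
    """True if the account holds any role in PRIVILEGED_ROLES."""
    return bool(PRIVILEGED_ROLES & set(user["roles"]))


def audit_privileged(users, as_of=AS_OF):
    """Return (upn, issue) pairs for privileged accounts only.

    Issues:
      mfa_not_enforced      - no policy forces MFA; registration alone is not enforcement
      mfa_not_registered    - the account cannot satisfy an MFA challenge at all
      stale_privileged      - no sign-in within STALE_AFTER; an access review
                              should have removed or disabled it
      service_account_admin - a non-human account holding a privileged role
    """
    findings = []
    for u in users:
        if not is_privileged(u):
            continue
        if not u["mfa_enforced"]:
            findings.append((u["upn"], "mfa_not_enforced"))
        if not u["mfa_registered"]:
            findings.append((u["upn"], "mfa_not_registered"))
        if as_of - _parse(u["last_sign_in"]) > STALE_AFTER:
            findings.append((u["upn"], "stale_privileged"))
        if u["type"] != "user":
            findings.append((u["upn"], "service_account_admin"))
    return findings


def mfa_enforcement_rate(users) -> float:
    """Fraction of privileged accounts actually covered by an enforcing policy."""
    priv = [u for u in users if is_privileged(u)]
    return sum(u["mfa_enforced"] for u in priv) / len(priv) if priv else 1.0


if __name__ == "__main__":
    print(f"privileged MFA enforcement: {mfa_enforcement_rate(USERS):.0%}")
    for upn, issue in audit_privileged(USERS):
        print(f"{issue:22} {upn}")
```

On the constructed export, a vendor could truthfully say "all our admins have MFA registered" while only half of them are actually forced to use it, and a backup service account is sitting in Domain Admins with no second factor and no sign-in in seven months. That is the gap between purchased licenses and enforcement the questionnaire never shows you.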
4. Vulnerability Management Maturity
Not "do you scan?" but "what's your average time to remediate a critical vulnerability?" I've seen organizations with robust scanning programs that still had six-month-old critical CVEs sitting unpatched in production. Scanning without remediation is just documentation of negligence.
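"Average time to remediate" is only meaningful against a per-severity clock, and the findings that embarrass a target are the ones that blew through it, closed or not. The script below is an added example, not code from the original post. The scanner export is constructed, and the SLA windows are assumptions for the illustration: the 15-day critical and 30-day high windows mirror what CISA's BOD 19-02 set for federal agencies, while the 90-day medium window is simply assumed. It computes MTTR over closed findings, lists every finding that exceeded its SLA, and reports the age of the oldest open critical.

```python
"""Measure vulnerability remediation against per-severity SLAs.

Added example, not from the original post. FINDINGS is a constructed scanner
export. SLA_DAYS is an assumption for this illustration: the critical and
high windows mirror CISA BOD 19-02's 15- and 30-day windows for federal
agencies; the 90-day medium window is simply assumed.
"""
from datetime import date
from statistics import mean

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}  # assumption, see docstring
AS_OF = date(2026, 1, 15)  # assessment date

FINDINGS = [  # constructed scanner export
    {"id": "F-1", "asset": "www", "severity": "critical", "first_seen": "2025-12-20", "closed": "2025-12-28"},
    {"id": "F-2", "asset": "legacy-erp", "severity": "critical", "first_seen": "2025-07-01", "closed": None},
    {"id": "F-3", "asset": "vpn", "severity": "high", "first_seen": "2025-11-01", "closed": "2025-12-20"},
    {"id": "F-4", "asset": "www", "severity": "high", "first_seen": "2026-01-05", "closed": None},
    {"id": "F-5", "asset": "old-mail", "severity": "medium", "first_seen": "2025-09-01", "closed": None},
    {"id": "F-6", "asset": "vpn", "severity": "critical", "first_seen": "2025-12-01", "closed": "2025-12-10"},
]


def age_days(finding, as_of=AS_OF) -> int:
    """Days from first detection to closure, or to `as_of` if still open."""
    end = date.fromisoformat(finding["closed"]) if finding["closed"] else as_of
    return (end - date.fromisoformat(finding["first_seen"])).days


def mean_time_to_remediate(findings, severity):
    """MTTR in days over closed findings of one severity; None if none closed.

    Open findings are deliberately excluded: counting them would understate
    MTTR for exactly the findings that matter most.
    """
    ages = [age_days(f) for f in findings if f["severity"] == severity and f["closed"]]
    return mean(ages) if ages else None


def sla_breaches(findings, as_of=AS_OF):
    """Findings that exceeded their SLA, whether eventually closed or still open."""
    out = []
    for f in findings:
        limit = SLA_DAYS[f["severity"]]
        age = age_days(f, as_of)
        if age > limit:
            out.append({"id": f["id"], "asset": f["asset"], "severity": f["severity"],
                        "age_days": age, "days_over": age - limit,
                        "open": f["closed"] is None})
    return out


def oldest_open(findings, severity, as_of=AS_OF) -> int:
    """Age in days of the oldest still-open finding of one severity (0 if none)."""
    ages = [age_days(f, as_of) for f in findings if f["severity"] == severity and not f["closed"]]
    return max(ages, default=0)


if __name__ == "__main__":
    for sev in SLA_DAYS:
        print(f"{sev:9} MTTR={mean_time_to_remediate(FINDINGS, sev)}  "
              f"oldest open={oldest_open(FINDINGS, sev)}d")
    for b in sla_breaches(FINDINGS):
        state = "OPEN" if b["open"] else "closed late"
        print(f"{b['id']} {b['severity']:8} {b['asset']:11} {b['age_days']}d "
              f"({b['days_over']}d over SLA, {state})")
```

The constructed data shows why MTTR alone misleads: critical MTTR is a respectable 8.5 days, because the metric only sees what was closed, while a critical on the legacy ERP host has been open for 198 days. Ask for both numbers, and ask for the open-finding age distribution per asset, not the average.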
5. Employee Security Culture
This is the one that separates serious cybersecurity due diligence from theater. I evaluate phishing simulation results (click rates and, just as telling, how many people reported the message), training completion rates, and how the organization handles real social engineering attempts. An organization that runs quarterly phishing awareness training with tracked metrics signals a mature security culture. An organization that does annual compliance-checkbox training signals the opposite.
6. Data Protection and Privacy Compliance
Where does sensitive data live? Who has access? Is it encrypted at rest and in transit? What's the data retention policy, and do they actually follow it? With state privacy laws multiplying every year, non-compliance isn't just a security risk — it's a financial one.
7. Third-Party and Supply Chain Risk
Yes, you need to evaluate how your target evaluates their vendors. Risk is transitive. If you're acquiring a company that relies on a vendor with terrible security, you're inheriting that exposure. Ask for their vendor risk management program documentation and evidence of ongoing monitoring.
Red Flags That Should Stop Any Deal
In my experience, certain findings during cybersecurity due diligence should trigger immediate escalation — if not a full stop.
- Unreported breach history. If they had an incident and didn't disclose it during the due diligence process, everything else they've told you is suspect.
- No MFA on privileged accounts. In 2026, this is indefensible. Period.
- Flat network architecture. No segmentation means a single compromised endpoint gives a threat actor the keys to the kingdom. Ransomware operators love flat networks.
- No dedicated security personnel. If the IT manager is also the CISO, the security program is aspirational at best.
- Zero employee training evidence. The human element figures in the majority of breaches. An untrained workforce is an open door.
How Long Does Cybersecurity Due Diligence Take?
For a mid-market acquisition, expect 4 to 8 weeks for a thorough assessment. Vendor onboarding evaluations can be completed in 1 to 3 weeks depending on scope. Rushing this process is how you end up inheriting someone else's breach.
Budget matters too. In NIST's Cybersecurity Framework, risk assessment (ID.RA) is a core category under the Identify function, not an optional add-on. Organizations that treat due diligence as a cost center rather than a risk reduction investment consistently pay more in the long run through incident response, regulatory fines, and reputational damage.
The Human Factor Everyone Underestimates
I've audited organizations with enterprise-grade firewalls, endpoint detection and response on every device, and perfectly configured SIEMs — that still got breached because an employee clicked a phishing link and entered their credentials on a fake login page.
Technology is necessary but insufficient. The human layer is where most data breach incidents begin, and it's the layer that most due diligence frameworks gloss over. When I evaluate an organization, I weigh their investment in ongoing security awareness training just as heavily as their technical stack.
If you're building or improving your organization's training program, platforms like ComputerSecurity.us offer structured cybersecurity awareness curricula, while Phishing.ComputerSecurity.us focuses specifically on phishing simulation and response training for teams.
Making Due Diligence a Continuous Practice
Here's what most organizations get wrong: they treat cybersecurity due diligence as a one-time event. Run the assessment, check the box, move on. But security postures change constantly. A vendor that passed your evaluation 18 months ago might have undergone a leadership change, lost key security staff, or adopted new cloud services without proper controls.
Build continuous monitoring into your program. Require annual reassessments for critical vendors. Mandate breach notification clauses in every contract. And run your own internal due diligence annually — because the risks your board needs to understand evolve faster than most governance cycles.
The Bottom Line for 2026
Cybersecurity due diligence isn't just a pre-deal formality. It's the discipline that determines whether your next partnership, acquisition, or vendor relationship strengthens your security posture or introduces risk that takes years to unwind.
Do the hard work upfront. Ask the uncomfortable questions. Demand evidence, not assurances. Your organization's security — and potentially its survival — depends on what you uncover before the ink dries.