The $350 Million Acquisition That Fell Apart Over a Data Breach
When Verizon moved to acquire Yahoo in 2017, the deal was nearly complete. Then Yahoo disclosed two massive data breaches affecting all three billion user accounts. Verizon knocked $350 million off the purchase price. That single failure in cybersecurity due diligence — Yahoo's failure to discover and disclose, and Verizon's initial failure to uncover — became the textbook example of what happens when security assessment takes a back seat to deal momentum.
If you're involved in mergers and acquisitions, vendor selection, partnership agreements, or even internal compliance reviews, cybersecurity due diligence is the process that determines whether you're buying a business or inheriting a catastrophe. This post covers what most organizations actually get wrong, what the process should look like in 2025, and the specific steps I've seen separate companies that survive breaches from those that don't.
What Is Cybersecurity Due Diligence?
Cybersecurity due diligence is the systematic evaluation of an organization's security posture, policies, incident history, and risk exposure — typically conducted before a merger, acquisition, vendor engagement, or major partnership. It answers one fundamental question: what cyber risk am I inheriting or accepting by doing business with this entity?
It's not a penetration test. It's not a compliance checkbox. It's a deep investigation into how an organization actually protects data, responds to threats, and manages risk over time. And in my experience, the companies that treat it as a formality are the ones that end up on the wrong side of an FTC enforcement action.
Why 2025 Made This Non-Negotiable
The SEC's cybersecurity disclosure rules, which took effect in late 2023 and are now fully enforced, require public companies to disclose material cybersecurity incidents within four business days. That changes the due diligence game entirely. You can no longer assume a target company's clean public record means a clean security history — you have to verify it.
The 2024 Verizon Data Breach Investigations Report found that 15% of breaches involved a third party — a 68% increase from the prior year. That means your vendor's weak security posture is your breach waiting to happen. Third-party risk isn't theoretical. It's the fastest-growing attack surface most organizations still underestimate. You can review the full findings at Verizon's DBIR page.
Meanwhile, ransomware payments exceeded $1.1 billion globally in 2023 according to Chainalysis, and threat actors increasingly target smaller firms specifically because they know those organizations skip due diligence on their own defenses. If you're acquiring a company that paid a ransom and never told anyone, you now own that liability.
The 7-Point Cybersecurity Due Diligence Framework
I've led and advised on due diligence efforts for organizations ranging from 50-person startups to Fortune 500 subsidiaries. Here's the framework that actually works.
1. Incident History and Disclosure Review
Start here. Request a complete history of security incidents, breaches, and near-misses for the past five years. Cross-reference against public breach notification databases, state attorney general filings, and HHS breach reports if healthcare data is involved.
Don't just ask "have you been breached?" Ask for incident response reports, forensic investigation summaries, and remediation timelines. A company that experienced a breach and handled it well might actually be a stronger partner than one that claims zero incidents — because zero incidents in five years often means zero detection capability.
2. Security Governance and Policy Assessment
Review the organization's information security policies, acceptable use policies, data classification standards, and incident response plans. But don't stop at whether they exist. Ask when they were last updated. Ask who approved them. Ask for evidence they're enforced.
I've reviewed organizations with beautifully written security policies dated 2019 that no employee had ever read. Policy without enforcement is decoration. Look for evidence of regular policy reviews, employee acknowledgment records, and disciplinary actions for violations.
3. Technical Controls Inventory
Request documentation on endpoint protection, network segmentation, encryption standards, multi-factor authentication deployment, backup procedures, and patch management cycles. Specifically ask about:
- MFA coverage — is it enforced on all accounts, or just some?
- Endpoint detection and response (EDR) deployment percentage
- Mean time to patch critical vulnerabilities
- Backup testing frequency and recovery time objectives
- Network segmentation between IT and OT environments
If the target organization can't produce this documentation quickly, that's your first red flag. Mature security programs maintain this inventory as a matter of course.
4. Third-Party and Supply Chain Risk
This is where due diligence gets recursive — and where most companies give up. You need to understand not just the target's security posture, but the security posture of their critical vendors. The SolarWinds attack in 2020 proved that a single compromised vendor can cascade into thousands of breached organizations.
Ask for a list of critical third-party vendors, their access levels, and any vendor risk assessments conducted. Look for evidence of contractual security requirements, right-to-audit clauses, and ongoing monitoring. CISA's guidance on supply chain risk management at cisa.gov/supply-chain provides an excellent baseline framework.
5. Regulatory Compliance and Legal Exposure
Map the target's regulatory obligations — HIPAA, PCI DSS, GDPR, state privacy laws, SEC disclosure requirements — and verify compliance status. Request the most recent audit reports, penetration test results, and any regulatory correspondence including warning letters or consent decrees.
The FTC has been increasingly aggressive in pursuing companies for inadequate data security. If the target has ever been subject to an FTC complaint or state attorney general investigation, you need to know before the deal closes, not after. Check the FTC's enforcement database at ftc.gov/legal-library for any prior actions.
6. Security Culture and Awareness Training
This one gets overlooked constantly, and it shouldn't. The strongest firewall in the world doesn't help when an employee clicks a credential theft phishing link because they've never received proper training.
Ask for documentation of the organization's security awareness training program. How often is it conducted? Is it role-based? Does it include phishing simulation exercises? What are the click rates on simulated attacks, and how have they trended over time?
If the target has no formal training program, that's a significant risk factor — and also a quick win you can address post-acquisition. Organizations looking to build or strengthen their training programs can start with comprehensive cybersecurity awareness training that covers social engineering, credential theft, and safe data handling. For targeted phishing defense, phishing awareness training designed for organizations provides the hands-on simulation experience that actually changes employee behavior.
7. Zero Trust Architecture Readiness
Zero trust isn't a product you buy — it's an architecture philosophy where no user, device, or network segment is trusted by default. In 2025, asking about zero trust readiness during due diligence tells you a lot about where an organization sits on the security maturity curve.
Ask about identity and access management practices, least-privilege enforcement, microsegmentation progress, and continuous verification mechanisms. You don't need full zero trust maturity from every target or vendor. But you need to understand how far they are from it and what bridging that gap will cost you.
The M&A-Specific Mistakes I Keep Seeing
Cybersecurity due diligence in mergers and acquisitions has unique failure modes. Here are the ones I encounter most.
Treating Security as a Post-Close Problem
The most expensive mistake is pushing security assessment to the integration phase. By then, you've already agreed to a price. You've already assumed the liability. Any undisclosed breach, any regulatory non-compliance, any unpatched critical vulnerability — it's yours now. The Marriott acquisition of Starwood in 2016 is the classic cautionary tale. The Starwood breach had been ongoing since 2014, but Marriott didn't discover it until 2018, two years after closing. The UK's ICO initially proposed a £99 million fine.
Relying Solely on Questionnaires
Security questionnaires are a starting point, not an endpoint. I've seen organizations check every box on a SOC 2 questionnaire and still have domain admin credentials stored in a shared spreadsheet. Verify claims through documentation review, technical assessment, and where possible, independent testing.
Ignoring Shadow IT and Technical Debt
Ask specifically about unsanctioned applications, legacy systems running end-of-life software, and any systems excluded from the standard patch management process. Technical debt is security debt. And acquiring a company with extensive technical debt means you're acquiring their vulnerabilities along with their revenue.
Vendor Due Diligence: The Ongoing Version
M&A due diligence has a defined endpoint. Vendor cybersecurity due diligence doesn't — or at least it shouldn't. Every vendor with access to your data, your network, or your customers represents ongoing risk that needs ongoing assessment.
Build a tiered vendor risk framework. Your payment processor and cloud infrastructure provider need deep, annual assessments. Your office supply vendor probably doesn't. But you'd be surprised how many organizations apply the same lightweight assessment to every vendor regardless of access level and data sensitivity.
At minimum, critical vendors should provide updated SOC 2 Type II reports annually, demonstrate security awareness training for their staff, and agree to notification requirements for any security incident that could affect your data. Contract language matters here — vague "reasonable security" clauses won't protect you when a vendor's breach becomes your headline.
How to Score and Prioritize Findings
Not every finding is a deal-breaker. But you need a consistent scoring methodology to distinguish between a missing patch on a test server and the complete absence of an incident response plan.
I use a three-tier approach:
- Critical: Findings that indicate active compromise, unreported breaches, regulatory violations, or fundamental absence of security controls. These are deal-breakers or price-adjustment triggers.
- High: Significant gaps that create material risk but can be remediated within 90 days post-close. Examples include no MFA on privileged accounts, no endpoint detection, or no backup testing.
- Moderate: Deficiencies that increase risk but have compensating controls or can be addressed during normal integration. Examples include outdated policies, incomplete asset inventories, or inconsistent logging.
Document everything. Your due diligence report should give leadership enough information to make an informed risk decision — not just a green or red light, but a detailed cost estimate of what remediation will require.
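To make the technical controls inventory from section 3 and the three-tier scoring above concrete, here is a small Python example I've added (it is not code from the original post and not any vendor's tool). It assumes the target hands over an account list, a host list with EDR status and days-to-patch for closed critical vulnerabilities, the date of the last backup restore test, whether an incident response plan exists, and the policy review date; the sample evidence and the review date are constructed, and the tiering thresholds (one year for backup tests and policy reviews) are my assumptions.

```python
from collections import namedtuple
from datetime import date
from statistics import mean

# Evidence the target hands over during the Technical Controls Inventory review (assumed shape)
Account = namedtuple("Account", "name privileged mfa")
Host = namedtuple("Host", "name edr critical_patch_days")  # days to patch each critical vuln
Evidence = namedtuple("Evidence", "accounts hosts last_backup_restore_test ir_plan policy_last_reviewed")

def control_metrics(ev):
    """Metrics from the checklist: MFA coverage, EDR coverage, mean time to patch criticals."""
    days = [d for h in ev.hosts for d in h.critical_patch_days]
    return {
        "mfa_coverage": sum(a.mfa for a in ev.accounts) / len(ev.accounts),
        "privileged_without_mfa": [a.name for a in ev.accounts if a.privileged and not a.mfa],
        "edr_coverage": sum(h.edr for h in ev.hosts) / len(ev.hosts),
        "mean_days_to_patch_critical": round(mean(days), 1) if days else None,
    }

def score_findings(ev, today):
    """Apply the three-tier scoring (Critical / High / Moderate) to the collected evidence."""
    m, findings = control_metrics(ev), []
    if not ev.ir_plan:
        findings.append(("Critical", "no incident response plan"))
    if m["privileged_without_mfa"]:
        findings.append(("High", "privileged accounts without MFA: " + ", ".join(m["privileged_without_mfa"])))
    if m["edr_coverage"] == 0:
        findings.append(("High", "no endpoint detection and response deployed"))
    if ev.last_backup_restore_test is None or (today - ev.last_backup_restore_test).days > 365:
        findings.append(("High", "backup restore not tested in the last year"))
    if (today - ev.policy_last_reviewed).days > 365:
        findings.append(("Moderate", "security policies not reviewed in the last year"))
    tiers = ["Critical", "High", "Moderate"]
    return sorted(findings, key=lambda f: tiers.index(f[0]))  # deal-breakers first

# Constructed sample evidence and review date (not from any real target)
SAMPLE = Evidence(
    accounts=[Account("alice", True, True), Account("bob", True, False),
              Account("carol", False, True), Account("dave", False, False)],
    hosts=[Host("web01", True, [3, 10]), Host("db01", False, [45]), Host("file01", False, [])],
    last_backup_restore_test=date(2023, 11, 15),
    ir_plan=True,
    policy_last_reviewed=date(2019, 3, 1),
)
REVIEW_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    for tier, text in score_findings(SAMPLE, REVIEW_DATE):
        print(f"[{tier}] {text}")
```

Each finding carries its tier so the report can lead with deal-breakers and price-adjustment triggers, with the raw metrics (MFA and EDR coverage, mean days to patch) kept alongside for the remediation cost estimate.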
Building Due Diligence Into Your Security Program
The best organizations don't treat cybersecurity due diligence as a special event. They build the muscles for it into their daily operations. If your own security program is well-documented, regularly assessed, and continuously improved, you already know what to look for in someone else's.
That starts with your own people. Organizations that invest in cybersecurity awareness training build teams that understand risk instinctively — people who ask the right questions during vendor evaluations and flag security concerns before they become audit findings.
It also means running your own phishing awareness exercises regularly. If you understand your own organization's susceptibility to social engineering attacks, you'll know exactly what to assess in a target or vendor. You'll know which metrics matter and which ones are theater.
The Bottom Line on Cybersecurity Due Diligence in 2025
The threat landscape this year is more complex than ever. Threat actors are more sophisticated, supply chains are more interconnected, and regulators have less patience for organizations that claim ignorance after a breach. Cybersecurity due diligence is the process that protects you from inheriting someone else's worst day.
Do it before the deal closes. Do it before the vendor contract is signed. Do it with the same rigor you apply to financial due diligence. And staff it with people who know what they're looking at — because a security questionnaire filled out by a sales team isn't due diligence. It's marketing.
Your organization's next acquisition, partnership, or vendor decision will carry cyber risk. The only question is whether you'll quantify that risk before you accept it, or discover it after it's already cost you.