The $350 Million Oversight Nobody Saw Coming

When Verizon closed its acquisition of Yahoo in 2017, two breaches disclosed only after the deal had been signed, one of them eventually found to affect all 3 billion Yahoo accounts, forced a $350 million price reduction. That's what happens when cybersecurity due diligence fails at the highest level. The breaches had happened years earlier, in 2013 and 2014. The data was already gone. But nobody asked the right questions until it was too late.

I've seen the same pattern play out at every scale — from billion-dollar acquisitions to small businesses onboarding a new cloud vendor. Organizations treat cybersecurity due diligence as a checkbox exercise. They ask if the other party has a firewall. They collect a SOC 2 report. They move on. And then, six months later, they're dealing with a data breach that originated from exactly the gap they never examined.

This post is for security leaders, executives, and anyone involved in evaluating the cyber risk posture of a partner, acquisition target, or vendor. I'll walk you through what thorough cybersecurity due diligence actually looks like — and the specific areas where I see teams cut corners every single time.

What Is Cybersecurity Due Diligence?

Cybersecurity due diligence is the systematic evaluation of an organization's security posture, controls, vulnerabilities, and incident history before entering into a business relationship, merger, acquisition, or partnership. It goes beyond compliance checkboxes to assess real-world risk exposure — including threat actor access, credential theft history, unpatched systems, and cultural attitudes toward security awareness.

It's not a one-time audit. It's a risk evaluation framework that should inform the deal terms, integration plan, and ongoing monitoring strategy.

The Five Layers Most Teams Evaluate (And the Three They Don't)

What Usually Gets Checked

Most due diligence processes cover the obvious bases. Teams typically request compliance certifications (SOC 2, ISO 27001, HIPAA attestations), review the target's security policies, scan for known vulnerabilities, confirm the existence of an incident response plan, and verify that data encryption is in place. These are table stakes. They matter, but they're insufficient.

What Actually Gets Missed

In my experience, three critical layers are consistently skipped or underweighted:

  • Human risk posture. What does the organization's security awareness training program actually look like? Is it a once-a-year compliance video, or does it include regular phishing simulations, social engineering testing, and measurable behavior change? The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, such as a person falling for social engineering or making an error. If you're not evaluating the human layer, you're ignoring the factor present in most breaches.
  • Dark web exposure and credential theft history. Have the organization's employees' credentials appeared in known breach dumps or on dark web markets? Threat actors routinely buy stolen credentials for initial access. Checking the target's domains against breach corpora and credential marketplaces is cheap and can reveal live exposure that a SOC 2 report will never mention.
  • Actual incident history vs. reported incident history. Many organizations have experienced security incidents they never formally classified as breaches. During due diligence, I always push beyond "Have you had a breach?" and ask about anomalous events, near-misses, ransomware negotiations, and insurance claims. The answers are often illuminating.

The M&A Cybersecurity Gap Is Wider Than You Think

Mergers and acquisitions create unique cybersecurity due diligence challenges. You're inheriting an entire technology stack, workforce, and risk profile. I've worked engagements where the acquiring company discovered post-close that the target was running end-of-life operating systems across 40% of their infrastructure. In another case, the target had no multi-factor authentication on their VPN — the exact vector a threat actor exploited three weeks after the deal closed.

The FBI's Internet Crime Complaint Center (IC3) has repeatedly highlighted business email compromise as one of the costliest cybercrime categories. During M&A transitions, when communication channels are chaotic and new contacts are being established, BEC attacks spike. Your due diligence process should explicitly model this threat.

NIST's Cybersecurity Framework (CSF), revised as CSF 2.0 in 2024, gives you a solid structure for organizational cybersecurity assessment. If you're building a due diligence methodology from scratch, start there.

Vendor and Third-Party Due Diligence: Where the Real Risk Lives

You don't have to be doing an acquisition. Every vendor relationship requires some level of cybersecurity due diligence. The 2020 SolarWinds supply chain attack showed how far a single compromised vendor can reach: the trojanized Orion update was shipped to roughly 18,000 customers, including federal agencies.

What to Demand From Every Critical Vendor

  • Evidence of regular penetration testing — not just vulnerability scans.
  • Their incident response plan, including notification timelines to customers.
  • Details on their employee security training program. Do they conduct phishing simulations? How often? What's their click-through rate trend?
  • Proof that they enforce multi-factor authentication across all administrative access.
  • A zero trust architecture roadmap or current implementation evidence.
  • Data handling and retention policies that align with your compliance obligations.

If a vendor can't provide these, that's a finding — not a footnote.

Building a Cybersecurity Due Diligence Checklist That Actually Works

I've reviewed dozens of due diligence checklists over the years. The worst ones are 200-line spreadsheets filled with yes/no questions that nobody verifies. The best ones are tiered by risk level, require evidence, and are backed by follow-up testing.

Tier the Assessment by Business Impact

Not every vendor or acquisition target requires the same depth of review. A SaaS tool that handles no customer data gets a lighter touch than a cloud provider hosting your entire production environment. Establish tiers — critical, high, medium, low — and map your due diligence depth accordingly.

Require Evidence, Not Attestation

"Do you have an incident response plan?" is a bad question. "Provide your incident response plan, the date of your last tabletop exercise, and the after-action report" is a good one. Every answer should be backed by documentation. Policy documents, training completion records, penetration test executive summaries, and audit reports are the minimum.

Evaluate the Human Factor

This is where I see the biggest gap, and it's the area I care most about. An organization can have a world-class technology stack and still get compromised because an employee fell for a social engineering attack. Ask about their phishing awareness training program — not whether it exists, but how it performs. What percentage of employees click simulated phishing links? What's the reporting rate? How has it trended over the last 12 months?

If the organization you're evaluating doesn't have a structured cybersecurity awareness training program, treat that as a material risk finding. It belongs in your deal memo, your vendor risk register, or your board-level risk report.

Post-Close: Due Diligence Doesn't End at Signing

One of the most dangerous assumptions is that cybersecurity due diligence is a pre-deal activity. In reality, the highest-risk period is the 90-180 days after a deal closes or a vendor is onboarded. Systems are being integrated. Access is being provisioned. People are distracted.

Build a post-close cybersecurity integration plan that includes:

  • Immediate credential audits and forced password resets for all acquired employees.
  • Deployment of your organization's MFA and endpoint detection tools on Day 1.
  • Enrollment of all new personnel in your security awareness training program within the first two weeks.
  • Continuous monitoring of dark web forums for any newly exposed credentials tied to the acquired domain.
  • A 90-day vulnerability remediation sprint targeting all critical and high findings from the due diligence assessment.
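A concrete version of the credential audit and the exposure monitoring in the list above, and of the MFA-coverage check demanded of vendors earlier in the post. This is an added example, not code from the original post. It joins a constructed IdP export of the acquired domain with a constructed credential-exposure feed, orders accounts by urgency for the Day-1 reset and MFA work, and separately reports exposed identities the export does not know about. The domain, field names, scoring weights and every record are assumptions made for illustration.

```python
"""Post-close credential triage for an acquired domain.

Added example, not code from the original post. Joins a constructed IdP export
with a constructed credential-exposure feed and ranks accounts for the Day-1
reset and MFA work. Domain, field names, weights and records are all assumed.
"""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    email: str
    is_admin: bool
    mfa_enrolled: bool
    last_password_change: date

@dataclass(frozen=True)
class Exposure:
    email: str               # identity seen in a breach corpus or leak listing
    source: str              # where it was seen (constructed labels below)
    includes_password: bool  # password or crackable hash exposed, not just the address

@dataclass(frozen=True)
class Finding:
    email: str
    score: int
    reasons: tuple
    immediate: bool  # handle before any access to the acquirer's systems is granted

ACQUIRED_DOMAIN = "acquired.example"  # assumed domain of the acquired company
AS_OF = date(2025, 1, 15)             # assumed assessment date

# Constructed IdP export of the acquired domain.
ACCOUNTS = [
    Account("alice@acquired.example", is_admin=True,  mfa_enrolled=False, last_password_change=date(2024, 11, 1)),
    Account("bob@acquired.example",   is_admin=False, mfa_enrolled=True,  last_password_change=date(2023, 6, 30)),
    Account("carol@acquired.example", is_admin=False, mfa_enrolled=False, last_password_change=date(2024, 12, 1)),
    Account("dave@acquired.example",  is_admin=True,  mfa_enrolled=True,  last_password_change=date(2024, 10, 10)),
    Account("erin@acquired.example",  is_admin=False, mfa_enrolled=True,  last_password_change=date(2024, 12, 20)),
]

# Constructed exposure feed; the mixed case, the account the export lacks and
# the foreign domain are deliberate test inputs.
EXPOSURES = [
    Exposure("Carol@Acquired.Example", "constructed-combolist-1", includes_password=True),
    Exposure("dave@acquired.example",  "constructed-paste-2",     includes_password=False),
    Exposure("ghost@acquired.example", "constructed-combolist-1", includes_password=True),
    Exposure("someone@other.example",  "constructed-combolist-1", includes_password=True),
]

def normalize(email: str) -> str:
    return email.strip().lower()

def triage(accounts, exposures, as_of, max_password_age_days=365):
    """Return (findings by descending score, exposed addresses with no account).

    Weights are an illustrative ranking, not a standard: exposed password 50,
    admin without MFA 40, non-admin without MFA 15, address-only exposure 10,
    password older than max_password_age_days 10.
    """
    suffix = "@" + ACQUIRED_DOMAIN
    exposed = {}
    for e in exposures:
        em = normalize(e.email)
        if em.endswith(suffix):  # other domains in the feed are out of scope
            exposed.setdefault(em, []).append(e)

    findings, seen = [], set()
    for a in accounts:
        em = normalize(a.email)
        seen.add(em)
        reasons, score, immediate = [], 0, False
        if em in exposed:
            if any(e.includes_password for e in exposed[em]):
                reasons.append("credential exposed with password")
                score, immediate = score + 50, True
            else:
                reasons.append("address present in breach corpus")
                score += 10
        if not a.mfa_enrolled:
            reasons.append("admin without MFA" if a.is_admin else "no MFA")
            score += 40 if a.is_admin else 15
            immediate = immediate or a.is_admin
        age = (as_of - a.last_password_change).days
        if age > max_password_age_days:
            reasons.append(f"password unchanged for {age} days")
            score += 10
        if reasons:
            findings.append(Finding(em, score, tuple(reasons), immediate))

    # Exposed identities absent from the export: deprovisioned users, shared
    # mailboxes or shadow accounts. Each one is a question to put to the target.
    unmatched = sorted(em for em in exposed if em not in seen)
    findings.sort(key=lambda f: (-f.score, f.email))
    return findings, unmatched

if __name__ == "__main__":
    found, orphans = triage(ACCOUNTS, EXPOSURES, AS_OF)
    for f in found:
        flag = "IMMEDIATE" if f.immediate else "sprint"
        print(f"{f.score:3d} {flag:9s} {f.email}: {'; '.join(f.reasons)}")
    print("exposed but not in export:", orphans)
```

Run as a script and it prints the ranked list: the account with an exposed password and no MFA comes first, the admin without MFA second, and the two stale or address-only cases fall into the 90-day sprint. The `unmatched` list is the part a spreadsheet checklist never surfaces: an address in the acquired domain that shows up in a credential dump but not in the IdP export is either an account the target forgot to deprovision or one it never knew about, and either answer belongs in the deal memo.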

The Regulatory Pressure Is Real — and Growing

The SEC's 2023 cybersecurity disclosure rules require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material. The FTC has taken enforcement action against companies that misrepresented their security practices, including cases where poor due diligence on acquired companies led to consumer harm.

If your organization acquires a company with undisclosed security deficiencies, those deficiencies become your regulatory liability on Day 1. Cybersecurity due diligence isn't just good practice — it's a legal and fiduciary obligation.

The Bottom Line: Ask Better Questions, Demand Better Evidence

Every organization I work with thinks their due diligence process is thorough until I show them the gaps. The pattern is always the same — too much reliance on self-attestation, too little attention to the human layer, and almost no post-close monitoring.

Start by auditing your own due diligence process against the framework above. Tier your assessments by risk. Require evidence for every claim. Evaluate security culture, not just security technology. And treat the integration period with the same urgency as the pre-deal evaluation.

Your next acquisition, partnership, or vendor onboarding is a risk decision. Treat it like one.