The $350 Million Checkbox That Wasn't Checked
When Verizon acquired Yahoo in 2017, two massive data breaches — affecting all three billion Yahoo accounts — knocked $350 million off the purchase price. The breaches had happened years earlier, but inadequate cybersecurity due diligence meant the full scope wasn't understood until after the deal was announced. That's not a cautionary tale from ancient history. It's the blueprint for how companies still lose money today.
Whether you're acquiring a company, onboarding a critical vendor, or sitting on a board reviewing your own security posture, cybersecurity due diligence is the process that separates informed risk from blind trust. And in my experience, most organizations treat it like a formality instead of the financial survival exercise it actually is.
This post breaks down where due diligence actually fails, what a rigorous process looks like, and the specific steps you can take to stop inheriting someone else's security debt.
What Is Cybersecurity Due Diligence?
Cybersecurity due diligence is the systematic evaluation of an organization's security posture, policies, incident history, and technical controls — typically performed before a merger, acquisition, partnership, or vendor engagement. The goal is to identify hidden risks, quantify exposure, and determine whether the target organization's cybersecurity practices meet your standards.
It goes far beyond asking "Do you have a firewall?" Real due diligence examines everything from how a company handles credential theft to whether employees can recognize a phishing email. It's the difference between reading a security policy and testing whether anyone actually follows it.
Why the Standard M&A Checklist Falls Short
I've reviewed due diligence questionnaires from some well-known firms. Most of them are checkbox exercises. "Do you have an incident response plan? Yes/No." "Do you encrypt data at rest? Yes/No." That tells you almost nothing.
Here's what actually happens: the target company checks "Yes" on everything, the acquiring company's legal team files it away, and nobody verifies a single claim until something breaks. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, misuse. No checkbox catches that.
The checklist approach also misses systemic issues: shadow IT, unpatched legacy systems, third-party access sprawl, and a workforce that has never been through a phishing simulation. These are the risks that explode post-acquisition.
The Marriott-Starwood Wake-Up Call
When Marriott acquired Starwood in 2016, threat actors had already been inside Starwood's reservation system for two years. Marriott inherited that breach along with the hotel chain. The result: 500 million guest records exposed and a £18.4 million fine from the UK's ICO. The lesson? You don't just acquire a company's assets. You acquire its vulnerabilities.
The Five Pillars of Real Cybersecurity Due Diligence
After years of consulting on acquisitions and vendor assessments, I've found that effective cybersecurity due diligence rests on five pillars. Skip any one of them, and you're flying partially blind.
1. Technical Assessment Beyond the Surface
Don't just ask about controls — test them. This means vulnerability scanning, penetration testing, and reviewing actual configurations. Look at patch management cadence. Check whether multi-factor authentication is enforced across all critical systems or just the ones facing customers. Review network segmentation. If the target company operates on a flat network, you're looking at a ransomware dream scenario.
2. Incident History and Response Capability
Request a full accounting of security incidents over the past five years. Not just the ones that made the news — all of them. Then evaluate the incident response plan. Has it been tested? When was the last tabletop exercise? A plan that sits in a SharePoint folder and has never been rehearsed is decoration, not defense.
3. People and Security Culture
This is where most due diligence processes fall apart completely. You can have world-class tools and still get compromised because an employee clicked a credential-harvesting link. Ask for security awareness training records. Find out if the organization runs regular phishing simulations. If they don't, that's a red flag the size of a billboard.
Organizations serious about building a security-first culture should explore structured cybersecurity awareness training programs that go beyond annual compliance videos. The human layer is your largest attack surface — treat it that way during due diligence.
4. Third-Party and Supply Chain Risk
The target company's security is only as strong as its weakest vendor. CISA has repeatedly warned about supply chain compromise as a top threat vector. During due diligence, map the target's critical third-party relationships. Who has access to their environment? What data do they share? What contractual security obligations exist — and are they enforced?
5. Regulatory and Compliance Exposure
Identify every regulatory framework the target falls under: HIPAA, PCI DSS, GDPR, state privacy laws, SEC disclosure rules. Then determine whether they're actually compliant or just claim to be. Check for past FTC actions, state attorney general investigations, or regulatory warnings. Inheriting a compliance violation is just as expensive as inheriting a breach.
Cybersecurity Due Diligence for Vendor Relationships
Mergers and acquisitions get the headlines, but vendor onboarding is where most organizations face due diligence failures on a daily basis. Every SaaS platform, cloud provider, and managed service partner you connect to your environment extends your attack surface.
I've seen companies grant vendors VPN access with standing credentials and no monitoring. That's not a partnership — it's an open door. The NIST Cybersecurity Framework provides clear guidance on supply chain risk management that should be part of every vendor assessment.
At a minimum, your vendor due diligence should include: security questionnaire verification, proof of penetration testing, SOC 2 or equivalent audit reports, data handling and retention policies, and breach notification commitments. If a vendor can't produce these, that tells you everything you need to know.
The Role of Zero Trust in Due Diligence
One concept that has fundamentally changed how I evaluate organizations during due diligence is zero trust. If the target company still operates on an implicit-trust model — where anything inside the network perimeter is considered safe — that's a material risk.
Zero trust architectures assume compromise and verify every access request. During due diligence, I look for evidence of least-privilege access controls, microsegmentation, continuous authentication, and endpoint detection and response. These aren't buzzwords. They're the structural indicators that tell you whether an organization is built to withstand modern threat actors or still defending a perimeter that dissolved years ago.
Building Due Diligence Into Your Own Organization
Here's something most articles on this topic won't tell you: the best time to prepare for cybersecurity due diligence is before anyone asks. If your own house isn't in order, you're either going to fail someone else's assessment or — worse — never know how exposed you actually are.
Start with your people. Run phishing simulations quarterly. Organizations that want to operationalize this should implement phishing awareness training for their teams as a baseline. Simulated attacks reveal who clicks, who reports, and where your training gaps live. That data is gold during any due diligence review — both as a target and as an acquirer.
Document everything. Maintain a current asset inventory, an updated incident response plan, and evidence of regular security testing. When a potential acquirer or partner asks for proof, you want to hand them a portfolio — not scramble to build one.
What Boards and Executives Need to Ask
If you're a board member or executive approving an acquisition or major vendor contract, here are the questions that actually matter:
- When was the last independent penetration test, and what were the critical findings?
- How many security incidents occurred in the past 24 months, and how were they resolved?
- What percentage of employees completed security awareness training this year?
- Is multi-factor authentication enforced on all administrative and remote access?
- What third parties have direct access to the network or sensitive data?
- Has the organization ever been subject to a regulatory action related to data security?
- What is the mean time to detect and respond to a security incident?
If the answers are vague, that's your answer.
Cybersecurity Due Diligence Is a Business Decision
Every data breach has a price tag. IBM's 2024 Cost of a Data Breach Report put the global average at $4.88 million. When you acquire a company, onboard a vendor, or ignore your own gaps, you're making a bet — either informed or uninformed.
Cybersecurity due diligence doesn't eliminate risk. Nothing does. But it transforms unknown risk into quantified, manageable risk. It gives you the information to negotiate better terms, demand remediation before closing, or walk away entirely.
The organizations that treat due diligence as a strategic function — not a legal checkbox — are the ones that avoid becoming the next cautionary tale. The question isn't whether you can afford to do it thoroughly. It's whether you can afford not to.