When Marriott acquired Starwood Hotels in 2016, the deal looked solid on paper. Two years later, Marriott disclosed that hackers had been inside Starwood's reservation system since 2014 — exposing the personal data of up to 500 million guests. The breach predated the acquisition. The liability didn't. That's what happens when cybersecurity due diligence gets treated as a checkbox instead of a discipline.
This post is a field guide to what real cybersecurity due diligence looks like — in M&A transactions, vendor relationships, and ongoing operations. I've seen organizations lose millions because they skipped steps that would have taken weeks to complete. I'll walk you through the specific failures, the frameworks that actually work, and the practical steps your organization can implement starting today.
The Marriott Lesson: Why Cybersecurity Due Diligence Isn't Optional
The Marriott-Starwood breach is the textbook case, but it's far from the only one. The UK's Information Commissioner's Office fined Marriott £18.4 million in 2020 for the incident, noting specifically that Marriott failed to conduct sufficient due diligence when it bought Starwood. They inherited a compromised network and didn't know it for years.
Here's the pattern I see repeated across industries: an acquiring company evaluates financials, legal exposure, and market position with surgical precision. Then someone sends a questionnaire to IT, gets back a spreadsheet of antivirus licenses and firewall models, and calls it cybersecurity due diligence. That's not diligence. That's theater.
According to the FBI's Internet Crime Complaint Center, reported losses from cybercrime exceeded $4.2 billion in 2020 alone. A significant portion of those losses trace back to compromised third parties, inherited vulnerabilities, and security gaps that nobody bothered to investigate before signing the contract.
What Cybersecurity Due Diligence Actually Covers
Real cybersecurity due diligence isn't a single audit. It's a structured investigation across multiple domains. Here's what should be on the table — whether you're acquiring a company, onboarding a critical vendor, or evaluating your own posture.
1. Network and Infrastructure Assessment
You need to know what's actually running on the target's network. Not what they tell you is running — what's actually there. This means vulnerability scanning, penetration testing, and a review of network architecture. I've personally seen environments where decommissioned servers were still live, unpatched, and internet-facing. Nobody knew because nobody looked.
Active Directory configurations, firewall rule sets, patch management cadence, endpoint detection coverage — these aren't nice-to-haves. They're the minimum.
2. Data Inventory and Classification
You can't protect what you don't know exists. A thorough data inventory identifies what sensitive data the organization holds, where it lives, who has access, and how it's protected. This is where most credential theft and data breach risks hide — in unclassified data stores with overly permissive access controls.
3. Incident History and Response Capability
Ask for the last three years of security incident logs. If they can't produce them, that tells you everything you need to know. Review how incidents were detected, how long containment took, and whether root cause analysis was completed. An organization that's never had a security incident either has world-class defenses or terrible detection. Bet on the latter.
4. Regulatory Compliance and Legal Exposure
Review compliance with applicable frameworks — HIPAA, PCI DSS, GDPR, CCPA, SOX, whatever applies. But don't stop at certifications. A SOC 2 Type II report tells you what an auditor found during a specific window. It doesn't tell you what happened last Tuesday. Cross-reference compliance documentation with actual security controls.
5. Human Factor: Security Awareness and Culture
This is the one that gets skipped most often, and it's the one that matters most. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element. Social engineering, phishing, misuse — people are the attack surface that no firewall covers.
Evaluate the target's security awareness training program. When was the last phishing simulation? What were the click rates? Do employees know how to report suspicious emails? If the answer is "we send a training video once a year," you're looking at a significant risk. Organizations that take this seriously invest in structured phishing awareness training for their teams and measure the results continuously.
Cybersecurity Due Diligence in Mergers and Acquisitions
M&A is where the stakes are highest and the scrutiny is often weakest. The deal team is focused on valuation, synergies, and regulatory approval. Security gets bolted on at the end — if it's included at all.
Here's what I recommend as a minimum M&A cybersecurity due diligence framework:
- Pre-LOI: Open-source intelligence (OSINT) review. Check for leaked credentials on dark web marketplaces, exposed assets on Shodan, and any history of publicly disclosed breaches.
- Post-LOI / Pre-Close: Full technical assessment — vulnerability scans, penetration testing, configuration reviews. Review all third-party vendor contracts with security implications. Evaluate insurance coverage for cyber incidents.
- Integration Planning: Map out how networks will merge. Identify conflicting security policies. Plan identity and access management consolidation. This is where inherited threat actors get discovered — or don't.
- Post-Close (First 90 Days): Deploy unified monitoring. Force password resets across all acquired accounts. Implement multi-factor authentication everywhere it doesn't already exist. Conduct a baseline phishing simulation.
The SolarWinds supply chain attack, disclosed in December 2020, showed how a single compromised vendor could cascade across thousands of organizations — including multiple U.S. government agencies. If your M&A target uses a compromised supplier, you're acquiring that exposure. Cybersecurity due diligence has to extend to the target's supply chain.
Vendor and Third-Party Due Diligence
You don't have to buy a company to inherit its security problems. Every vendor with access to your data or network is an extension of your attack surface. The 2013 Target breach — 40 million payment card numbers stolen — started through an HVAC contractor's compromised credentials.
Building a Vendor Risk Program That Works
Static questionnaires are a starting point, not an endpoint. Here's what a functional vendor cybersecurity due diligence program includes:
- Tiered risk classification: Not every vendor gets the same scrutiny. Categorize by data access, network access, and business criticality. Your cloud infrastructure provider gets a deeper review than your office supply vendor.
- Continuous monitoring: Use threat intelligence feeds and external attack surface monitoring to track changes in vendor security posture between review cycles.
- Contractual requirements: Mandate breach notification timelines, right-to-audit clauses, and specific security controls. If they won't agree, that's a red flag.
- Evidence-based validation: Don't just ask if they encrypt data at rest. Ask for the configuration. Don't ask if they train employees. Ask for completion rates and phishing simulation results.
NIST's SP 800-161 provides a comprehensive framework for supply chain risk management that maps directly to cybersecurity due diligence requirements. If you're building a program from scratch, start there.
What Does Cybersecurity Due Diligence Mean?
Cybersecurity due diligence is the process of systematically evaluating an organization's security posture, practices, and risk exposure before entering into a business relationship — whether through acquisition, partnership, or vendor engagement. It includes technical assessments, policy reviews, incident history analysis, regulatory compliance verification, and evaluation of the human security culture. The goal is to identify hidden risks, quantify potential liabilities, and make informed decisions based on actual security conditions rather than assumptions.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2021 Cost of a Data Breach Report pegged the average cost of a data breach at $4.24 million — the highest in the report's 17-year history. Organizations with mature security postures, including strong incident response teams and extensive use of zero trust architecture, cut that cost significantly. Those without? They paid more, and they paid longer.
The math isn't complicated. A thorough cybersecurity due diligence assessment before a deal or vendor engagement costs a fraction of what a breach costs after. I've watched leadership teams balk at a six-figure security assessment, then absorb an eight-figure breach remediation. The numbers don't lie.
Building Cybersecurity Due Diligence Into Daily Operations
Due diligence isn't just for deal teams. Every organization should run continuous self-assessments as if they were about to be acquired. Here's the operational framework I recommend:
Quarterly Self-Assessment
Run vulnerability scans across all external and internal assets. Review access controls — especially for privileged accounts. Check that terminated employee accounts are actually disabled. I've found active accounts for employees who left over a year ago in more organizations than I'd like to admit.
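The access-control part of that quarterly review, together with the post-close "MFA everywhere" and account clean-up steps from the M&A framework, can be turned into a repeatable check. The script below is an added example, not code from the original post: it joins a constructed HR roster against a constructed directory export (the CSV column names are assumptions, not any product's schema) and flags enabled accounts for terminated or unknown users, privileged accounts without MFA, and accounts idle for more than 90 days.

```python
import csv
import io
from datetime import date, timedelta
# Constructed sample data standing in for an HR export and a directory/IdP export;
# column names are assumptions for this example, not any product's real schema.
HR_ROSTER = """\
username,status,termination_date
alice,active,
bob,terminated,2023-02-10
carol,terminated,2024-05-01
dave,active,
"""
ACCOUNT_EXPORT = """\
username,enabled,privileged,mfa_enrolled,last_login
alice,true,true,false,2024-06-28
bob,true,false,false,2023-02-09
carol,false,true,true,2024-04-30
dave,true,false,true,2024-01-15
erin,true,true,false,2024-06-30
"""
AS_OF = date(2024, 7, 1)        # assessment date for the sample data
STALE_AFTER = timedelta(days=90)

def audit_accounts(hr_csv, accounts_csv, as_of=AS_OF):
    """Return sorted (severity, username, finding) tuples for the access review."""
    hr = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        enabled = acct["enabled"] == "true"
        person = hr.get(user)
        if not enabled:
            continue  # disabled accounts are not an exposure for these checks
        # 1. Enabled account for a terminated user, or one HR has no record of: orphaned access.
        if person is None or person["status"] == "terminated":
            why = "not in HR roster" if person is None else f"terminated {person['termination_date']}"
            findings.append(("high", user, f"enabled account, {why}"))
        # 2. Privileged account without MFA: the post-close 'MFA everywhere' rule.
        if acct["privileged"] == "true" and acct["mfa_enrolled"] != "true":
            findings.append(("high", user, "privileged account without MFA"))
        # 3. No login for longer than the stale window: candidate for disablement.
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > STALE_AFTER.days:
            findings.append(("medium", user, f"no login for {idle} days"))
    return sorted(findings)

if __name__ == "__main__":
    for sev, user, msg in audit_accounts(HR_ROSTER, ACCOUNT_EXPORT):
        print(f"[{sev}] {user}: {msg}")
```

Pointing it at real exports means replacing the two constants with the HR and directory/IdP files; the three checks are the ones the review text above calls for, and each finding names the account so it can be handed straight to the owner for disablement or MFA enrolment.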
Monthly Phishing Simulations
Test your employees regularly with realistic phishing scenarios. Track click rates, report rates, and repeat offenders. Organizations that run consistent phishing simulations see measurable improvement over time. If you need to build or strengthen this capability, dedicated phishing awareness training platforms provide structured simulation and education tools that go beyond annual compliance training.
Annual Penetration Testing
Hire an external team to try to break in. Internal assessments have blind spots. An external penetration test reveals what a real threat actor would find — and exploit. Pair this with a red team exercise if your budget allows.
Continuous Security Education
Your employees are making security decisions every day — clicking links, opening attachments, sharing credentials, connecting to networks. Continuous cybersecurity awareness training transforms your workforce from your biggest vulnerability into an active detection layer. This isn't about scaring people with horror stories. It's about building pattern recognition and muscle memory for secure behavior.
The Ransomware Factor
Ransomware has changed the cybersecurity due diligence equation entirely. The Colonial Pipeline attack in May 2021 shut down fuel distribution across the U.S. East Coast. JBS Foods paid $11 million in ransom the same month. These weren't small businesses with outdated firewalls — they were critical infrastructure operators.
When you evaluate a potential acquisition, vendor, or even your own organization, ransomware readiness has to be on the checklist. That means verified, tested backups stored offline. It means network segmentation that limits lateral movement. It means endpoint detection and response tools that catch ransomware behavior, not just known signatures.
And it means asking the uncomfortable question: if this organization got hit with ransomware tomorrow, would they survive? If the answer isn't a confident yes, you've found your next priority.
Turning Due Diligence Into a Competitive Advantage
Here's the perspective shift that separates mature organizations from the rest: cybersecurity due diligence isn't just risk mitigation. It's a differentiator. When your organization can demonstrate a rigorous, documented security posture, you close deals faster. You pass vendor assessments without scrambling. You negotiate better cyber insurance premiums. You attract partners who take security seriously — and those are the partners worth having.
I've seen companies win contracts specifically because they could produce penetration test reports, phishing simulation data, and incident response plans on demand. Their competitors couldn't. In a market where data breaches make front-page news every week, proving that you take cybersecurity due diligence seriously is a business advantage, not just a security requirement.
Start with an honest assessment of where your organization stands today. Identify the gaps. Build the program. The threat actors aren't waiting for your next board meeting — and your cybersecurity due diligence practice shouldn't wait either.