Is Cybersecurity Risk the M&A Blindspot?

By Ryan Sheldrake, Field CTO – EMEA, Lacework

Global M&A activity is still well down from its 2021 peak, but many analysts predict a return to healthier levels in the coming year.

Accurately assessing the value and risks around any target company lies at the core of the mergers and acquisitions (M&A) process. While a large part of companies’ value now typically depends on their underlying technology and IT systems, cybersecurity is commonly overlooked as a part of the due diligence process.

Analyst research highlights acquirers' concern about the risks they take on with a purchase. Security has become so critical that surveys now find more than half of acquiring companies expressing regret about a deal because of cybersecurity issues inherited from the target.

Despite these concerns, too many acquiring companies still wait until due diligence is complete before performing detailed cybersecurity and cloud security assessments.

The source of the problems


Most M&A cyber disasters share two common threads: lack of visibility into complex IT environments during the acquisition process and a failure to securely integrate afterward. Thoroughly assessing cyber risk can be challenging under normal circumstances, but an M&A transaction adds a few more wrinkles…

Compound complexity 

Alongside dealing with the intricacies of their own IT environment, the acquirer is also reviewing the unfamiliar environment of the target company. This includes their security protocols, compliance frameworks, applications, and security tools, all of which are likely to differ substantially from their own. All too often, this leaves acquiring companies reliant on the target company to mark their own homework and deliver a self-evaluation of their security posture.

Heightened Risk

In addition, the cyber risk of a newly combined entity is almost always greater than the sum of the two companies' individual risks. Combining networks and systems enlarges the attack surface and gives attackers more ways in. That larger, more complex attack surface also hosts the combined digital assets of both companies, so a single successful intrusion can yield far more value to an attacker.

Time is of the essence 


Once negotiations begin, there is a huge incentive to complete the transaction as quickly as possible. M&As are often competitive situations, and disclosure of M&A activity can affect business and valuations. In short, there’s not much time for detailed security audits before closing on the deal.

Lack of clear visibility across Cloud environments 

Even if you know what to look for, finding it is another matter. This is especially true if you are acquiring a business that uses different, or multiple, cloud service providers. Multi-cloud and hybrid environments are challenging because they are constantly changing, and the acquiring business rarely has tools that provide visibility into all those environments. 

Hidden Historic Breaches

Another layer of cyber risk lurks within an M&A transaction: the possibility that a compromise has already occurred but goes unseen until after the deal closes. For many reasons, attackers may sit quietly on stolen data and access long after the initial intrusion. Compromised systems also frequently retain dormant backdoors and other persistence mechanisms that cybercriminals leave in place for follow-up attacks. These risks are real and carry serious business consequences.

Clearing the Clouds

Recent surveys suggest that 94% of companies now use cloud services. This means that for many acquisition targets, a significant portion of their technology value and recent innovation now lives in cloud-based applications. Perhaps nowhere is this more true than in FinTech. However, assuming that one company's cloud or platform security team can instantly assess that of a potential target could be a costly mistake.


Cloud native computing does offer a degree of cross-platform uniformity for developers but for platform engineers and security teams, the devil lies in the detail. The different possible combinations of cloud providers, platforms, architectures, and solutions present a vast, dizzying array of often subtle and hard-to-find configuration differences. Failure to account for any of these differences could result in concealing, or worse still creating, a system vulnerability. 

To get accurate cyber risk assessments in the midst of an active M&A situation, it is vital to make security assessments fast and easy. In the cloud, companies need a single source of truth in the form of a cloud security platform.


A strong, dedicated cloud security platform should provide visibility into complex cloud environments through a single, unified interface with minimal setup or ongoing configuration. It should let users quickly evaluate configurations, identify misconfigurations and vulnerabilities, and deliver compliance reports pre-formatted to the relevant regulatory frameworks. The right platform enables companies to demonstrate their security posture and answer audit questions up to 300 times faster than with first-generation cloud security posture management tools.


During the due diligence process, a cloud security platform looks deeply across a target company’s entire cloud infrastructure, not only to identify vulnerabilities and misconfigurations, but also to better understand the environment for purposes of scoping subsequent integration. 


Once the M&A is complete, the platform’s cloud visibility expedites the process of identifying, integrating, and consolidating technologies, and it manages controls to conform to the buyer’s compliance mandates. This is especially powerful when merging companies with different regional and regulatory compliance requirements.

On an ongoing basis, a good unified cloud security platform should also improve security management efficiency and lower security operations costs across the newly merged companies. Applying technologies such as machine-learning analytics to all cloud activity, including workloads and containers, can greatly reduce the volume of data that other security tools such as a SIEM need to process. This helps cut tool costs by up to 35% through security tool consolidation, reduces false positives, and provides high-fidelity alert data that shrinks time spent on investigation and research by up to 90%.

Finally, with a unified cloud security platform in place there is one other big advantage: once you begin using it, you are all set to assess and minimise the cyber risk of your next M&A transaction.