
Cybersecurity in mergers and acquisitions

Securing your next digital house

Mergers and acquisitions (M&A) are exciting, urgent, and fast-paced. Amid tight timelines, organizations might see cybersecurity in mergers and acquisitions as a secondary, "tick-the-box" exercise — but this perilous shortcut may cost organizations an average of $5 million [1] in damages.

Imagine buying a house and rushing through a home inspection. Surface-level attributes like size and location might look good, but what about the structural integrity, door locks, insurance coverage, alarm systems, and neighbourhood crime rate? You wouldn’t overlook these deeper security concerns for your home; and you shouldn’t overlook them in a business acquisition, either.

We’ll cover the case for cybersecurity due diligence (cyber DD) in M&A, and a few steps you can take to protect your next “digital house.”

Cybersecurity plans in M&A: Why you need one

Organizations undergoing M&A are hot targets for hackers and bad actors. In fact, 53% of organizations [2] encountered a critical cybersecurity issue after announcing a merger or acquisition. On top of that, one organization’s idea of cybersecurity might be completely different from another’s. A disconnect here could even put your deal in jeopardy, as over 60% of organizations would consider cybersecurity [3] before engaging with other companies.

Imagine submitting a formal offer to acquire a company, and then finding out after the deal closed that they’ve been hacked multiple times. Of course, this could alter your original stance on that company’s valuation. We’ve seen company valuations depress materially when there is a history of a breach or incident.

Bottom line? Organizations must consider cybersecurity in M&A to protect themselves. Here’s how to get started.

How to secure your next digital house in M&A: Inside-out and outside-in

When you secure a physical house, you’ll look at your property’s internal measures like locks, fences, and alarm systems. On top of that, you’ll consider external risks and vulnerabilities, like neighbourhood crime, extreme weather events, or faulty windows.

Similarly, cybersecurity due diligence (cyber DD) requires preparation from two angles: inside-out and outside-in.

An Inside-Out Maturity Assessment assesses an existing cybersecurity program and essential elements such as tools and internal controls. An Outside-In Threat Assessment identifies external vulnerabilities and risks that may be unknown to the organization, and helps create a more robust strategy to mitigate them.

Inside-out assessment: NIST framework

An Inside-Out Maturity Assessment looks at a target company’s existing cybersecurity program.

Consider a homeowners association’s (HOA) rules and building codes established to protect residents, like visitor screenings, camera policies, or rules for outdoor lighting.

Similarly, companies have their own building codes and HOA rules in the form of:

  • Governance structures
  • Regulatory processes
  • Compliance measures
  • Industry standards
  • Laws and requirements around cybersecurity

We typically leverage the NIST Cybersecurity Framework (CSF) to conduct an inside-out assessment and understand the target company’s baseline set of security processes and controls. The NIST CSF considers how the target company:

  • Governs cybersecurity with policies and procedures, compliance processes, and regulatory adherence to frameworks such as ISO 27001 or NIST SP 800-53
  • Identifies critical assets and cybersecurity roles and responsibilities
  • Protects infrastructure with tools like network and perimeter security, endpoint protection, access control mechanisms, and data loss prevention (DLP)
  • Detects security threats through Intrusion Detection Systems (IDS), continuous monitoring, and anomaly detection tools
  • Responds to threats and cybersecurity incidents with incident response plans
  • Recovers from damage resulting from a cybersecurity incident

Think of this assessment as checking a home’s locks, alarms, emergency plans, and security cameras — ensuring internal safeguards such as strong door locks (access controls), robust alarm systems (IDS, SIEM), continuous surveillance (monitoring and threat hunting), and emergency procedures (incident response and recovery plans) are in place. These examples highlight the depth of capabilities necessary to effectively protect critical assets and minimize impacts from cyber incidents.

Maturity levels (initial to optimized) reveal how effectively and completely these capabilities are implemented within the existing cybersecurity program. But even the best internal safeguards aren’t enough if external threats remain unknown or unaddressed — much like how a well-secured home still needs awareness of neighbourhood crime rates and nearby hazards to stay fully protected.

The more clearly you understand your external threats — like knowing the specific local crime patterns or common methods intruders use to break into homes in your area — the more proactively you can strengthen your defenses, respond swiftly, and recover effectively from incidents.

Outside-in assessment: Threats and vulnerabilities

You’ve assessed your home’s interior, but your due diligence isn’t complete. Just like homeowners look for external risks like crime rate or weather notices, organizations must identify and protect themselves from vulnerabilities in their cybersecurity ecosystem. This could take the form of:

  • Digital footprint assessment
  • Attack surface analysis
  • Threat intelligence
  • Cyber insurance

Step one is to assess the target company’s digital footprint: How much of the target organization is out there for the world to see?

This goes far beyond a Google search, or, in the house analogy, curb appeal. Consider a company’s data across the entire online sphere, including data lost in breaches or carelessly shared online. For example, publicly available sensitive information about security vulnerabilities acts like an unlocked door, providing attackers direct access or clear entry points into your systems. You’ll also assess an organization’s history of cyber incidents, access and permissions for sensitive documents, and all areas of vulnerability that might not be immediately visible.

Unfortunately, vulnerabilities exist internally as well, not just outside. Your organization’s attack surface functions like a house’s entry points, which aren’t always visible. For example, windows and fences are the obvious entry points — but have you considered your pipes, vents, and utility lines? All of these represent potential vulnerabilities in an attack. An attack surface analysis identifies vulnerabilities by looking at:

  • IP address inventory
  • Open ports
  • Cloud assets
  • Shadow IT

Would you move into a home in a neighbourhood with high crime rates? Even if you would — the price (valuation) would have to match that risk. The same goes for a target company. Threat intelligence resembles neighbourhood safety trends and crime statistics, identifying potential threats and even valuation indicators from:

  • Global threat feeds
  • Risk profiles
  • Dark web forums
  • Known exploit databases

But even if you conduct immense research on your home and purchase the most high-tech alarm system, there’s one thing you simply won’t go without: insurance. Cyber insurance is a critical policy and something that all target companies should have in place.

How we can help: The Deloitte difference

Our assessments aren’t just theoretical best practices. We’ve used them to assess and protect our clients from reputational and financial threats during M&A deals. Backed by specialist cybersecurity experts and industry-specific professionals in the field, Deloitte offers a robust cybersecurity service to help organizations successfully (and safely) close deals.

Cybersecurity M&A case study

Deloitte supported a strategic buyer who wanted to acquire an organization in the supply chain and logistics field. With knowledge that the target had been the victim of several security breaches, our client needed a full picture of vulnerabilities and risks to inform the deal.

Our team helped paint that picture by:

  • Sourcing and analyzing the target company’s incident reports, including historical breach data, leaked information, and cyber incident timelines
  • Analyzing existing cybersecurity processes and controls
  • Gathering intelligence about the company’s digital footprint, including company exposure on the dark web, data leakages, compromised credentials, and publicly available sensitive information
  • Testing target company vulnerabilities externally, identifying gaps through attack surface mapping, external penetration testing, open ports scanning, and cloud asset reviews
  • Analyzing the target company’s remediation efforts
  • Identifying outstanding gaps and risks for our client

We equipped our client with a comprehensive cyber risk profile of the target company to help them better understand the cybersecurity risks, potential impacts, and implications for valuation. On top of that, our analysis identified key risk sources that informed our client’s next steps upon acquisition.

Secure your next M&A target today

Even the most highly valued target company can destroy your organization’s financial outlook with an unchecked cybersecurity program.

Deloitte supports acquirers with the knowledge and tools to make informed decisions, mitigate hidden risks, and safeguard long-term value.

If you’re headed toward a merger or acquisition, don’t forget to secure your next digital house first. We can help.

Contributing authors

Steven Ma | Director, Tech M&A and Value Creation, Deloitte Canada

Valentyn Sysoiev | Director, Cyber M&A and Incident Management, Deloitte Canada

  1. IBM, “Cost of a data breach 2024: financial industry,” published August 13, 2024.
  2. Bloomberg, “Cybersecurity risks are threatening deals, industry survey shows,” published 2019.
  3. Gartner, “Top 8 cybersecurity predictions 2021-2022,” published October 20, 2021.
