In January 2025, Insight Partners, one of the world’s most active tech investors, admitted it had fallen victim to a social engineering attack (Cybersecurity Dive). The breach exposed internal systems, leading Insight Partners to bring in forensic teams and alert law enforcement. If even a firm with stakes in companies like Wiz and Kaseya can get breached, what does that mean for private equity groups (PEGs) in the middle of a deal?
IBM’s 2024 Cost of a Data Breach Report puts the global average price tag of a breach at $4.88 million. McKinsey’s 2024 M&A Report goes a step further, revealing that deals lacking strong risk management, such as cybersecurity, end up realizing 10–20% less value compared to those that tackle risks head-on. Cybersecurity due diligence helps protect returns, makes integration easier, and keeps investors on top of stricter state regulations, like New York’s NYDFS Cybersecurity Rules.
Aligning Cybersecurity with Deal Value
How does security fit into why we’re buying this company?
Security adds value to the transaction by safeguarding the core components of the business, such as its technology, client information, or seamless platform integration.
Technology-Driven Acquisitions
The security of codebases, APIs, and data models is prioritized when a transaction is driven by proprietary software or advanced platforms. Weak encryption or unpatched systems aren’t just technical issues; they can lead to regulatory fines and mandatory fixes under New York’s NYDFS Cybersecurity Rules (23 NYCRR 500).
Market Share or IP Focus
If a target is mainly valued for its customer data or intellectual property, it’s crucial to have strong protections in place to prevent leaks and theft. The very assets that are driving the deal can quickly become liabilities if robust data-loss prevention measures are not in place.
Integration Strategy
When integrating a target into an existing business, it is essential that the security standards of the acquirer be met. When systems don’t match up and controls are inconsistent, it slows down integration, holds back synergies, and drives up costs.
Smart investors commission targeted assessments that connect security risks to the deal thesis, preserving core assets while keeping everything in line with regulatory requirements.
Driving Integration ROI
What does this mean for time, cost, and benefits after the deal is done?
Cybersecurity due diligence goes beyond just identifying risks before closing the deal. It also establishes the foundation for how quickly value can be realized and how smoothly the target integrates. Integration times can stretch, and costs can rise if you don’t have a clear understanding of the gaps, fixes that need to be made, and legal requirements.
Security Gaps and Remediation Costs
Most breaches are caused by patchable vulnerabilities. If a target enters the agreement with out-of-date systems, poor zero-trust measures, or even incompatible identity platforms, those flaws must be addressed immediately. The acquirer is commonly responsible for bearing the cost of closing those gaps on its own balance sheet.
State Regulatory and Compliance Risks
Along with the technology challenges, investors also take on the target’s regulatory stance. State-level rules, such as the NYDFS Cybersecurity Regulations, along with sector-specific requirements, bring in extra layers of scrutiny. Non-compliance can mean fines, audits, or even restrictions on how you operate. New York isn’t the only state taking action. Texas and Massachusetts are also stepping up, with Texas’s HB 4 requiring annual cybersecurity audits and breach notifications within 60 days. These rules definitely impact the ROI of integration.
Investors can keep integration on track and protect projected returns by fixing immediate security gaps, planning upgrades for the near future, and making sure that long-term compliance strategies are aligned. Cybersecurity is an accelerator of deal value, not just a defensive measure.
Uncovering Hidden Liabilities
What risks could be hiding in the shadows?
You can often learn a lot about a target’s cybersecurity history, even beyond what management shares during the due diligence process. When breaches go undisclosed, incident response processes are weak, or vendor relationships are insecure, these issues can come back to haunt you after a deal closes.
Incident History and Liabilities
Past breaches, even if they were downplayed or kept under wraps, can signal lingering vulnerabilities. Advanced persistent threats (APTs) may remain hidden inside a network post-acquisition, inflating costs for the acquirer.
Prevention and Response Capabilities
For investors, a target’s ability to detect and respond to threats directly affects post-close costs. Companies that have strong monitoring and incident response systems can keep disruptions under control, helping to maintain their value and stick to integration schedules. Companies that lack these capabilities often pass hidden liabilities to the acquirer, leading to unexpected remediation and upgrade costs.
Third-Party and Supply Chain Risks
Vendors, cloud services, and software suppliers often create major blind spots. Compromised partners can open doors into otherwise secure environments, and state regulators increasingly require third-party risk assessments as part of compliance. According to Accenture’s 2024 Risk Study, 40% of utility executives view third-party risk as the fastest-growing issue since 2021, demonstrating its severity and prevalence. Regulators are responding in kind: the NYDFS, for example, requires third-party risk reviews that include SOC 2 reports. High-profile incidents like the MOVEit breach highlight how one vulnerable supplier can set off a chain reaction that impacts an entire portfolio.
Investors can find hidden risks by investigating event history, response readiness, and vendor relationships. Not only do these insights prevent unpleasant surprises, but they also safeguard long-term portfolio value and provide leverage in negotiations.
Why It Matters for Investors
Why should you care at a strategic level?
Cyber incidents aren’t just an IT issue; they really hit at the core of deal value. Just one breach can wipe out millions, slow down integration, and bring on regulatory scrutiny. The following case shows how quickly weak cybersecurity can turn an acquisition into an expensive lesson.
Case Study: Navigating Ransomware Risks in Acquisition
Just two months after a $150 million acquisition, a midsize manufacturer faced a ransomware attack. The new PE owner spent $1.2 million to unlock the systems and ended up losing millions more due to downtime and remediation (WSJ). The breach stemmed from outdated IT infrastructure that was ignored during the diligence process.
What Investors Should Keep in Mind
Many of those costs could have been avoided. Before closing the deal, cyber assessments could have pointed out the gaps, influenced the deal terms, and highlighted the fixes needed right from Day 1. For investors, weak cybersecurity isn’t just an invitation for attacks; it also chips away at valuation, slows down integration, and creates liabilities that can affect the entire portfolio.
Investor’s Cybersecurity Checklist
- Pre-LOI: Identify previous incidents and breaches and conduct dark web scanning using publicly available sources.
- Conduct a Cybersecurity Program Assessment and evaluate the target’s efforts to adopt and integrate a cybersecurity framework for the organization and its regulatory and customer compliance requirements.
- Valuation Impact: Quantify remediation costs and potential liabilities to adjust purchase price.
- Integration Plan: Develop a Strategic Roadmap and create a 12-month plan to align target security with portfolio requirements. Conduct penetration testing to validate that the program implementation is working. Consider external Attack Surface Monitoring for ongoing monitoring of externally accessible technologies.
- Expert Engagement: Hire cybersecurity specialists to conduct code audits and third-party risk assessments.
Ready to Protect Your Next Deal?
Cybersecurity due diligence isn’t just a nice-to-have anymore; it can make or break a deal. LBMC’s Security Consulting team partners with private equity groups and investors to spot vulnerabilities, boost compliance, and protect portfolio value.
Contact LBMC’s Cybersecurity team to make sure your next acquisition is built on a secure foundation.
Content provided by LBMC Cybersecurity experts Adam Nunn and Kurt Faires.