Cybersecurity Red Flags in Target Companies

A cybersecurity breach can destroy deal value overnight. We've seen acquisitions delayed by 12+ months, valuations slashed by 30%, and in extreme cases, deals killed entirely due to security issues discovered during due diligence.

Here are the red flags PE firms must look for when evaluating cyber risk in target companies—and what to do when you find them.

Deal-Killer Red Flags: Stop and Remediate

These issues are serious enough to pause a transaction until resolved:

1. Active or Recent Breach with Customer Data Exposure

If a target company has experienced a data breach in the past 24 months involving customer PII, payment data, or health information—especially if not properly disclosed and remediated—you have potential regulatory, legal, and reputational landmines.

What to Do: Demand full forensic analysis, remediation plan, customer notification records, and legal/regulatory status. Budget for post-acquisition incident response and customer notification costs. Consider insurance coverage gaps.

2. No Multi-Factor Authentication (MFA) on Critical Systems

If administrators can access production databases, financial systems, or customer data with just username/password, you're one phishing email away from a catastrophic breach.

This is especially concerning for SaaS companies where a single compromised admin account can expose all customer data.

3. Missing or Expired Compliance Certifications

If enterprise customers require SOC 2, ISO 27001, HIPAA, or PCI compliance and the target company:

Never achieved certification
Let certifications lapse
Failed recent audits

...they likely can't sell to enterprise customers until remediated. This directly impacts revenue projections and growth plans.

Serious Concerns: Price Adjustments Required

These issues won't kill a deal but should significantly impact valuation:

4. Unpatched Critical Vulnerabilities

Run a vulnerability scan. If you find critical or high-severity vulnerabilities that have patches available but haven't been applied in 90+ days, the company has poor security hygiene.

This suggests:

No formal patch management process
Insufficient IT resources
Lack of awareness of security risks

5. No Backup and Disaster Recovery Plan

Ask to see documentation of:

Automated backup schedules
Successful restore tests (in the past 6 months)
RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets
DR runbooks and procedures

If these don't exist or haven't been tested, one ransomware attack could destroy the business.

                Real Example: A $30M ARR SaaS company we evaluated had backups running—but no one had tested restores in 18 months. When we asked them to demonstrate a restore, it failed. Their backups were corrupted and useless. This required immediate remediation and a valuation adjustment.
            

6. Excessive Admin Privileges

If developers have production database admin access, if junior staff have access to financial systems, or if terminated employees still have active accounts, access controls are broken.

Review:

Principle of least privilege implementation
Privileged access management (PAM) tools
Quarterly access reviews
Offboarding procedures

Warning Signs: Monitor and Remediate Post-Close

These issues are common and fixable but indicate areas needing investment:

7. Security as an Afterthought, Not a Culture

Ask about:

Security awareness training frequency
Phishing simulation programs
Incident response playbooks
Security champions or committees

If security is "handled by IT" with no board-level visibility, no employee training, and no documented procedures, you'll need to build a security culture from scratch.

8. Third-Party Vendor Risk Blindspot

Modern companies use 50-200+ third-party services. Does the target company:

Maintain a vendor inventory?
Conduct vendor security assessments?
Review vendor SOC 2 reports?
Have vendor contract terms addressing data security?

If not, they have unknown risk exposure through their supply chain.

9. Shadow IT and Unmanaged Devices

Employees using personal Dropbox for customer data. Unmanaged laptops accessing corporate systems. Marketing teams signing up for random SaaS tools with company credit cards.

This creates data leakage risks and compliance gaps that must be addressed.

How to Conduct Security Due Diligence

Phase 1: Documentation Review

Information security policies and procedures
Compliance certifications (SOC 2, ISO, etc.)
Cyber insurance policies and claims history
Incident response plans and past incident reports
Penetration test and vulnerability scan results

Phase 2: Technical Assessment

External vulnerability scanning
Architecture review (network diagrams, data flows)
Access control audit
Backup and DR testing
Code security review (for software companies)

Phase 3: Interviews

CISO or security lead (if exists)
IT director or VP Engineering
Compliance officer
Key application owners

Remediation Cost Expectations

Budget for these investments post-acquisition:

Basic security hygiene: $100K-$250K (MFA, patching, access controls)
SOC 2 certification: $150K-$300K first year (audit + remediation)
Penetration testing remediation: $50K-$200K depending on findings
Security team hiring: $150K-$300K/year for security engineer or CISO
Security tooling: $50K-$150K/year (SIEM, EDR, vulnerability management)

                Bottom Line: Cybersecurity due diligence isn't optional anymore. One missed red flag can cost you millions in breach response, regulatory fines, customer churn, and reputational damage. Budget 2-4 weeks and $50K-$150K for proper security assessment during due diligence. It's the best insurance policy you can buy.
            

The companies that get security right early accelerate growth, win enterprise contracts, and command premium exit multiples. The ones that ignore security end up fighting fires instead of building value.