The Dispatch

Cyber Liability in M&A: The Risk Nobody Talks About Until It Is Too Late

Written by Jason Lee | 6/18/26 12:15 PM

Sentry Technology Solutions | M&A Advisory | June 18, 2026

Quick answer: Cyber liability in M&A is the financial, legal, and reputational exposure a buyer inherits when they acquire a target with undisclosed or unremediated cybersecurity issues. It surfaces as regulatory fines, breach remediation, litigation, and deal value erosion. The only reliable defense is dedicated cyber due diligence before the deal closes.

What Is Cyber Liability in an M&A Deal?

Every acquisition transfers more than revenue, customers, and contracts. It transfers security posture. That includes undisclosed breaches, dormant malware, weak access controls, aging systems, stale credentials, and the full history of every compliance gap the target never fixed.

When a buyer writes the check, they also sign themselves into the story of every cyber skeleton in that closet.

Ask Verizon. In 2017, the company reduced its purchase price for Yahoo by $350 million after Yahoo disclosed two breaches affecting more than 1.5 billion user accounts. [1]

That is what cyber liability looks like with a dollar sign in front of it.

Why Do Cyber Issues Slip Through Traditional Due Diligence?

Financial diligence reads balance sheets. Legal diligence reads contracts. Operational diligence reads org charts. Cyber threats rarely leave their footprints in any of those places.

A Forescout study of more than 2,700 IT and business decision makers found that 53 percent had encountered a critical cybersecurity issue during an M&A transaction that jeopardized the deal, and 65 percent experienced buyer's remorse after closing due to cyber concerns discovered later. [2]

IBM research echoes the pattern: more than one in three organizations have experienced a data breach attributable to M&A activity during integration. [3]

These numbers are not a warning about exotic threats. They describe the default state of modern deals where cyber diligence is delegated to a checklist rather than a qualified technical evaluation.

The Marriott and Starwood case is the cleanest illustration. Starwood was breached in 2014. Marriott acquired Starwood in 2016. The breach went undetected until 2018. When it surfaced, Marriott inherited a UK GDPR penalty that settled at £18.4 million and, later, a $52 million multistate settlement in the United States. [4]

The UK Information Commissioner's Office specifically cited Marriott's failure to conduct proper due diligence on Starwood's IT infrastructure as a basis for the penalty. [5]

What Does Real Cyber Diligence Look Like Before Close?

A defensible pre-close cyber assessment covers four domains that cannot be reduced to a questionnaire.

  1. Breach history and active exposure. Has the target been compromised? Is there evidence of dormant access, exposed credentials on the dark web, or unreported incidents? Public breach disclosures are the tip of the iceberg.
  2. Technical security posture. Assess endpoint protection, identity and access management, patching cadence, network segmentation, privileged account hygiene, and backup integrity. Outdated systems are liability magnets.
  3. Data governance and regulatory exposure. What personal, financial, or health data does the target collect? Where is it stored? Which regulatory frameworks apply, and what is the gap to compliance today?
  4. Third-party and supply chain risk. Which vendors touch the target's environment? What contractual protections exist? Supply chain compromises are now among the most common paths into a business.

The objective is not a 200-page report. It is to give the buyer a clear-eyed picture of what they are acquiring so they can price the deal accurately, negotiate appropriate protections, and plan integration without surprises.

What Protections Can Buyers Negotiate Into the Deal?

Pre-close findings drive post-close value. When a buyer understands a target's real cyber posture before signing, they have leverage.

  • Purchase price adjustments for remediation costs that should not be inherited.
  • Reps and warranties specifically addressing prior breaches, active incidents, regulatory investigations, and compliance status.
  • Escrow holdbacks for identified cyber risks that may crystallize in the first 12 to 24 months post-close.
  • Targeted indemnification for known exposures, rather than relying on general reps alone.
  • Cyber insurance requirements covering the tail risk of undiscovered incidents.

Buyers who skip cyber diligence forfeit every one of those levers. They close the deal, integrate the systems, and only then learn what they bought.

The Bottom Line: Cyber Diligence Is Deal Value Protection

Cyber liability is not a niche risk. It is a line item that can quietly consume the entire expected return of a transaction. The IBM Cost of a Data Breach Report 2025 put the average cost of a United States breach at $10.22 million, with regulatory fines, remediation, litigation, and reputational fallout driving the total. [6]

The deals that survive first contact with reality are the ones where the buyer understood the target's real cyber posture before signing, priced it into the terms, and structured integration around closing the gaps.

Cyber diligence is not about finding a reason to walk away from a deal. It is about walking in with both eyes open.

Frequently Asked Questions

Is cyber due diligence only for large M&A deals?

No. Smaller deals often carry disproportionate cyber risk because target companies typically have thinner security teams and less mature programs. The dollar cost of a breach does not scale down with deal size.

How long does pre-close cyber diligence take?

A focused technical assessment can typically be completed in two to four weeks, depending on the target's size and complexity. Aligning scope to the deal timeline matters more than duration.

Will cyber insurance cover risks uncovered after close?

Coverage varies widely. Most policies exclude known prior incidents and limit coverage for pre-existing vulnerabilities. Cyber insurance is a complement to diligence, not a replacement.

What if the target pushes back on deep cyber diligence?

Resistance is itself a signal. Tighten the reps and warranties, expand indemnification, and widen the escrow. Position cyber diligence as standard buyer practice, not distrust.

Ready to de-risk your next deal? Sentry Technology Solutions partners with buyers, deal teams, and integration leaders to run focused pre-close cyber assessments and post-close integration planning. Visit sentryitsolutions.com to start the conversation.

References

[1] TechCrunch, "After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B," February 21, 2017.

[2] Forescout Technologies, "The Role of Cybersecurity in M&A Diligence," 2019 survey of 2,779 IT and business decision makers across the United States, France, United Kingdom, Germany, Australia, Singapore, and India.

[3] Ponemon Institute / IBM, "Assessing Cyber Risk in M&A: Unearth hidden costs before you pay them," IBM Institute for Business Value.

[4] UK Information Commissioner's Office, Monetary Penalty Notice issued to Marriott International, Inc., October 30, 2020 (£18.4 million); Office of the New York State Attorney General, multistate Marriott settlement announcement, October 2024 ($52 million).

[5] Debevoise & Plimpton, "Proposed £99 Million Marriott GDPR Data Breach Fine Underscores Importance of Cybersecurity in M&A," July 2019.

[6] IBM, "Cost of a Data Breach Report 2025," published July 2025.