Compromise assessments – actively hunting for evidence that attackers may already be inside
Over the last few years, I’ve seen something shift dramatically in the clients I work with.
The pace of innovation has exploded. The democratisation of technology, especially with the acceleration of AI, means individuals and small, skilled teams can now build products and services at a speed that was unimaginable even 10 years ago.
And that’s a good thing.
I’ve worked with incredibly talented professionals who’ve taken advantage of AI to make more out of their expertise, creating businesses that grow fast and attract serious acquisition interest. In a lot of cases, founders are choosing to go down this route instead of traditional corporate growth, to avoid internal constraints such as locked budgets and organisational politics.
The result has been a big surge in merger and acquisition activity across industries and geographies.
But there’s a catch.
What I’m seeing more and more is that the same speed and urgency to ‘be the first’ is also exposing these companies to cyber risk.
Security often follows behind innovation.
Not because people don’t care, but because in the race to build and launch, it’s easy for resilience to fall down the priority list.
And this is where many acquiring organisations underestimate the risk.
Because when you acquire a company, you’re not just buying its product, its revenue, or its talent.
You’re buying its vulnerabilities too.
This isn’t theoretical. The market has already been reshaped by high-profile cases.
The Marriott-Starwood data breach exposed a long-running compromise that only came to light after the deal closed, leading to regulatory scrutiny, massive remediation effort, and significant reputational damage.
During the Verizon-Yahoo acquisition renegotiation, the discovery of major breaches resulted in a $350 million reduction in the purchase price. Cyber directly impacted the valuation.
More recently, the Change Healthcare ransomware attack showed how post-acquisition vulnerabilities can result in national-level disruption. This affected over 100 million people.
These aren’t edge cases anymore. They’ve become reference points. And they all reinforce the same lesson: Cyber risk can redefine the deal.
When I speak to global clients, I urge them to integrate cyber due diligence into their M&A strategy. Not as a checkbox, but as a core decision-making input.
Because even if your organisation has a strong cyber resilient culture, robust processes, and mature controls…
One acquisition can weaken your entire ecosystem.
You’re connecting networks.
Integrating systems.
Extending trust boundaries.
If the target organisation has hidden vulnerabilities, legacy issues, or even an active compromise, you’re inheriting all of it.
What many people still underestimate is how much this space has evolved.
This is no longer about running a checklist or reviewing policies.
All of the ’Big Four’ and major strategy firms have dedicated Cyber M&A practices. And what they’re doing now is far more proactive:
Compromise assessments – actively hunting for evidence that attackers may already be inside
Dark web reconnaissance – checking if credentials or company IP are already being sold on the dark web
Regulatory and data risk analysis – understanding compliance with GDPR, CCPA, or industry-specific rules (HIPAA, PCI-DSS).
Technical debt evaluation – estimating the cost and effort to bring any ‘patchwork’ security up to standard
And critically, doing this at speed, aligned to the deal lifecycle:
I strongly believe in prevention.
Because I’ve seen the alternative.
A focused cyber due diligence exercise is a relatively small investment in the context of a deal.
But the cost of getting it wrong?
The gap between those two is not even close.
Prevention is negligible compared to breach impact.
If you’re involved in acquisitions, whether you’re in strategy, investment, technology, or risk, this is the point where cyber needs to move up your agenda.
At Resillion, we bring experience from real-world cases across industries and geographies, helping organisations not just identify risk, but navigate it in the context of a live deal.
Because in today’s market, success in M&A isn’t just about what you acquire.
It’s about what you avoid inheriting.