
What Cyber Security Checks Should I Do After an Acquisition?

Quick Answer

You've inherited their attack surface, their vulnerabilities, and their compliance status. Before connecting networks or integrating systems, assess their security posture, identify critical gaps, and remediate before integration. Many breaches happen through acquired companies.

Why This Matters

You inherit everything:

  • Their vulnerabilities
  • Their technical debt
  • Their compliance gaps
  • Their unknown exposures
  • Their user credentials

Real examples:
  • Marriott breach via Starwood acquisition (500M records)
  • Verizon discovered Yahoo breaches post-acquisition
  • Countless smaller breaches via acquired company access

Attackers know: Acquisition integration is chaotic. Security often slips. It's a prime attack window.

Immediate Actions (Day 1-30)

1. Inventory their attack surface

What have you acquired?
  • Domains and websites
  • Cloud services
  • External-facing systems
  • Third-party connections
  • Data stores

2. Understand their current security

  • What security tools are in place?
  • Who manages their IT/security?
  • What incidents have they had?
  • What certifications do they hold?
  • What are their security policies?

3. Identify critical gaps

Quick assessment of:
  • MFA status (enabled everywhere?)
  • Endpoint protection (what's deployed?)
  • Patching status (how current?)
  • Admin access (who has it?)
  • Backup status (tested?)

4. Don't connect immediately

Do not rush network integration. Their vulnerability becomes your vulnerability the moment you connect.

Security Assessment Phase (Day 30-90)

Full security assessment

  • Vulnerability scanning (internal and external)
  • Configuration review
  • Policy review
  • Access audit
  • Third-party risk review

Identity and access

  • Who has access to what?
  • How many admin accounts?
  • Are credentials shared?
  • MFA status across all systems
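
An added example (not part of the original article) that answers the four access questions above from a merged account export. The CSV column names and the sample rows are constructed assumptions, not any product's real schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: account exports from the acquired company's systems,
# merged into one CSV. Column names are assumptions for this example.
SAMPLE_EXPORT = """system,account,owner,role,mfa_enabled
m365,alice@acq.example,alice,admin,true
m365,bob@acq.example,bob,user,false
m365,svc-backup@acq.example,it-team,admin,false
vpn,alice,alice,user,true
vpn,shared-ops,carol,admin,false
vpn,shared-ops,dave,admin,false
crm,bob,bob,admin,true
"""

def audit_access(export_text):
    """Return findings for: who has access, admin count, shared creds, MFA."""
    access = defaultdict(set)   # owner -> systems they can reach
    owners = defaultdict(set)   # (system, account) -> distinct people using it
    no_mfa = defaultdict(set)   # system -> accounts without MFA
    admins = set()              # (system, account) holding an admin role
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["system"], row["account"])
        access[row["owner"]].add(row["system"])
        owners[key].add(row["owner"])
        if row["role"].strip().lower() == "admin":
            admins.add(key)
        # Anything other than an explicit "true" is treated as MFA missing.
        if row["mfa_enabled"].strip().lower() != "true":
            no_mfa[row["system"]].add(row["account"])
    return {
        "access_by_owner": {o: sorted(s) for o, s in access.items()},
        "admin_accounts": sorted(admins),
        # One account used by more than one person means a shared credential.
        "shared_accounts": sorted(k for k, o in owners.items() if len(o) > 1),
        "accounts_without_mfa": {s: sorted(a) for s, a in no_mfa.items()},
        # Highest-priority finding: privileged accounts with no second factor.
        "admins_without_mfa": sorted(
            k for k in admins if k[1] in no_mfa.get(k[0], set())
        ),
    }

if __name__ == "__main__":
    for finding, value in audit_access(SAMPLE_EXPORT).items():
        print(f"{finding}: {value}")
```
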

Data discovery

  • What sensitive data do they have?
  • Where is it stored?
  • Who has access?
  • Is it properly classified?

Compliance status

  • What regulations apply to them?
  • Are they compliant?
  • What's their certification status?
  • What are their contractual obligations?

Integration Planning (Day 60-180)

Prioritise remediation

Fix critical issues before integration:
  • Enable MFA everywhere
  • Patch critical vulnerabilities
  • Remove excessive access
  • Address compliance gaps

Plan integration carefully

  • Network segmentation during transition
  • Phased integration approach
  • Monitoring during integration
  • Rollback capability

Consolidate security tools

  • Which tools continue, which retire?
  • How to maintain visibility during transition?
  • Training for acquired staff?

Address culture

  • Their security culture vs yours
  • Policy alignment
  • Training requirements
  • Communication

What Can Go Wrong

Rushing integration: Pressure to show synergies leads to connecting networks before assessment. Vulnerability spreads.

Ignoring legacy systems: Acquired company has old systems "that still work." Those systems have old vulnerabilities.

Assuming their compliance is valid: Certificates exist but controls lapsed. Verify, don't assume.

Overlooking third parties: They have vendors with access. Those vendors now have access to you.

Not communicating: Acquired staff don't know new policies. Shadow IT proliferates.

Due Diligence Checklist

Before close:

  • [ ] Security questionnaire completed
  • [ ] Known incidents disclosed
  • [ ] Certification status verified
  • [ ] Insurance coverage reviewed
  • [ ] Major vulnerabilities identified

Post close:

  • [ ] Full asset inventory
  • [ ] Vulnerability assessment
  • [ ] Access audit
  • [ ] Policy gap analysis
  • [ ] Third-party review
  • [ ] Integration risk assessment

Our Role

We support M&A security:

Pre-acquisition:

  • Due diligence assessments
  • Risk identification
  • Deal support

Post-acquisition:

  • Comprehensive security assessment
  • Remediation planning and execution
  • Secure integration
  • Ongoing management

Acquisitions are exciting but risky. Security shouldn't be an afterthought.