
Cybersecurity Due Diligence in M&A: What PE Firms Miss Before Close
Cybersecurity due diligence in M&A transactions has matured significantly over the past decade. Most PE deal teams now include some form of cyber assessment in their process. The problem isn't whether it gets done; it's how.
Key Takeaways
- Self-reported questionnaires cannot surface vulnerabilities the target is unaware of, legacy system exposure, or credentials already circulating from prior breaches
- External intelligence, requiring no target access, consistently identifies material issues that traditional reviews miss until post-close
- In competitive processes where system access is restricted or unavailable, an external-first approach is the only viable option from day one
- March 2026: a US federal court (N.D. Cal.) let negligence and aiding-and-abetting claims against Bain Capital proceed in the PowerSchool breach litigation — the first time a PE sponsor faces direct, sponsor-level liability for a portfolio company's cyber failure, not just deal-value impairment
Why This Just Got More Personal
For most of the last decade, weak cyber DD was a deal-value problem: post-close write-downs, indemnity claims under the SPA, occasional litigation against the target's directors and officers. The PowerSchool ruling changes the calculus. On March 18, 2026, Judge Vince Chhabria allowed plaintiffs' negligence and aiding-and-abetting claims to proceed against Bain Capital itself — not just PowerSchool — over the 2024 breach that exposed records on tens of millions of US students.
The court's reasoning is the part deal teams should read carefully: a sponsor that exercises operational control over a portfolio company's risk decisions cannot fully isolate itself from those decisions when they go wrong. The implication for pre-close diligence is direct. Cyber findings that get acknowledged but not remediated, or accepted as "we'll fix it post-close" without a documented plan and budget, now sit on the sponsor's desk, not just the portfolio company's.
This is not yet a final ruling — the case proceeds. But the precedent that it can proceed at all is the material development. The cost of weak diligence used to be a write-down. The new floor is a sponsor named in the suit.
For the operational defense — the five-layer playbook for limiting sponsor-level exposure — see our practitioner's defense playbook after Bain/PowerSchool.
The questionnaire trap
The default approach relies on target-completed questionnaires and a limited number of stakeholder interviews. This has a structural flaw: the information is entirely self-reported, and limited to what the target knows about itself.
Most organizations have significant blind spots in their own security posture. Legacy systems accumulate vulnerabilities that were never catalogued. Integrations added outside formal IT processes go undocumented. Credentials remain active long after employees leave. These don't appear in a well-formatted response to a 200-question spreadsheet, not because they are withheld, but because the target often isn't aware of them either.
What external intelligence reveals
A properly structured external assessment, conducted without any target access, can identify issues that self-reported questionnaires systematically miss:
| Assessment area | What questionnaires miss | What external intelligence finds |
|---|---|---|
| Infrastructure vulnerabilities | Self-reported; depends on target's own awareness | Open ports, misconfigured cloud storage, and unpatched systems via passive scanning |
| Credential exposure | Not visible to the target; cannot be self-reported | Email and password combinations from prior breaches circulating on dark web forums |
| Third-party dependencies | Incomplete; limited to what target actively tracks | Vendors and integrations mapped externally, including untracked or shadow IT |
| Historical incidents | Limited to what the target has formally recorded | Public breach disclosures, regulatory filings, and litigation records |
| Technology stack | Claimed by target | Independently verified against job postings, DNS records, and open-source signals |
| Access required | Yes; the target must grant system access and management time, which restricts use in competitive processes | No; assessment runs from day one without notifying the company |
This isn't theoretical. In transaction after transaction, external intelligence surfaces material issues that traditional access-based reviews miss until post-close, when remediation costs have already been absorbed by the acquirer.
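One concrete instance of the "third-party dependencies" and "technology stack" rows above is reading a target's public SPF and DMARC records: the `include:` terms name the SaaS platforms authorised to send mail as the company (often including tools onboarded outside IT), and the DMARC `p=` tag says whether the domain can be spoofed. The script below is an added example, not the page's own tooling; the domain, the TXT records and the vendor signature table are constructed for illustration, and in practice the records would come from a DNS or passive-DNS lookup rather than the embedded dictionary.

```python
"""Passive mapping of a target's email vendors and anti-spoofing posture from
public DNS TXT records (SPF and DMARC). Added example; the domain, records and
vendor table are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed stand-in for what a passive DNS lookup (dig, DoH, or a passive
# DNS provider) would return for a hypothetical target domain.
SAMPLE_TXT = {
    "target-co.example": [
        "v=spf1 include:_spf.google.com include:sendgrid.net "
        "include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all",
        "MS=ms12345678",
    ],
    "_dmarc.target-co.example": [
        "v=DMARC1; p=none; rua=mailto:dmarc@target-co.example",
    ],
}

# SPF include/redirect targets that identify a third-party sending platform
# (partial list, assumed for the example).
VENDOR_SIGNATURES = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
    "sendgrid.net": "SendGrid",
    "servers.mcsv.net": "Mailchimp",
    "mail.zendesk.com": "Zendesk",
}


@dataclass
class DnsPosture:
    vendors: list = field(default_factory=list)
    spf_all: str = "missing"       # what SPF says about unlisted senders
    dmarc_policy: str = "missing"  # p= tag of the DMARC record
    findings: list = field(default_factory=list)


def parse_spf(record):
    """Return (list of include/redirect domains, terminal 'all' qualifier)."""
    includes, qualifier = [], None
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if term.startswith("include:"):
            includes.append(term[len("include:"):])
        elif term.startswith("redirect="):
            includes.append(term[len("redirect="):])
        elif term.endswith("all"):
            qualifier = term[:-3] or "+"  # bare 'all' means +all
    return includes, qualifier


def assess(domain, txt_records):
    """Build a DnsPosture for `domain` from a {name: [TXT strings]} map."""
    posture = DnsPosture()
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        posture.findings.append("no SPF record: any host can claim to send as this domain")
    else:
        if len(spf) > 1:
            posture.findings.append("multiple SPF records: receivers treat this as a permanent error")
        includes, qualifier = parse_spf(spf[0])
        posture.spf_all = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}.get(qualifier, "missing")
        posture.vendors = [VENDOR_SIGNATURES.get(inc, f"unrecognised sender ({inc})") for inc in includes]
        if posture.spf_all in ("pass", "neutral", "missing"):
            posture.findings.append(f"SPF does not restrict senders (all={posture.spf_all})")
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if dmarc:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        posture.dmarc_policy = tags.get("p", "missing")
    if posture.dmarc_policy in ("missing", "none"):
        posture.findings.append(f"DMARC not enforcing (p={posture.dmarc_policy}): the domain is spoofable")
    # Several mail platforms side by side is a common sign of SaaS onboarded outside IT.
    if len(posture.vendors) > 2:
        posture.findings.append(f"{len(posture.vendors)} third-party senders authorised: confirm each is a tracked vendor")
    return posture


if __name__ == "__main__":
    result = assess("target-co.example", SAMPLE_TXT)
    print("vendors:", result.vendors)
    print("spf all:", result.spf_all, "| dmarc p:", result.dmarc_policy)
    for f in result.findings:
        print("finding:", f)
```

Every vendor this surfaces can be checked against the target's own vendor list from the questionnaire; an authorised sender that the target did not declare is exactly the kind of untracked integration the table describes.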
The access problem
Traditional due diligence requires the target to grant meaningful system access. In competitive processes, this is often unavailable or restricted. In add-on acquisitions, the access request itself signals sensitivity that deal teams prefer to avoid.
An external-first approach removes this constraint entirely. Assessment begins the moment a target is identified, without notifying the company, without requesting access, and without consuming management bandwidth.
What to look for in a cyber DD provider
| Capability | Why it matters for deal teams |
|---|---|
| Initial risk profile before first target conversation | Enables early go/no-go signalling before committing full DD resources |
| Independent technology stack verification | Validates what the target claims is actually in production |
| Full audit trail on all findings | Defensible to co-investors, LPs, and regulatory scrutiny under DORA and NIS2 |
| Findings translated to financial exposure | Connects technical risk to deal economics and SPA representations |
For the complete assessment methodology, see our practitioner's framework for M&A cybersecurity due diligence. For how findings translate into deal economics, see how cybersecurity due diligence protects deal value. For rapid assessment in competitive processes, see digital due diligence in 24-72 hours.
The checklist covers the key assessment domains we apply across every transaction, from initial screening through binding offer.
Download the Cybersecurity Due Diligence Checklist
Reach out and we'll send the M&A Cyber Due Diligence Checklist directly to your inbox.
Frequently Asked Questions
Why do standard cybersecurity questionnaires fail in M&A due diligence?
Self-reported questionnaires are limited to what a target organization knows about itself - and most organizations have significant blind spots in their own security posture. Legacy systems accumulate vulnerabilities that were never catalogued, integrations added outside formal IT processes go undocumented, and credentials can remain active long after employees leave. These gaps do not appear in questionnaire responses not because they are withheld, but because the target is often unaware of them.
What does external-only cybersecurity assessment reveal that questionnaires miss?
External assessment without any target access identifies open ports and misconfigured cloud storage via passive scanning, email and password combinations from prior breaches circulating on dark web forums, vendors and integrations (including shadow IT) mapped from external signals, public breach disclosures and regulatory filing history, and independently verified technology stack details - all of which self-reporting systematically cannot surface.
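When a breach listing for the target's email domain is obtained, the next question is whether the passwords in it are known-compromised values that attackers will try first. The script below is an added example, not the page's own tooling: it uses the Have I Been Pwned Pwned Passwords range API with k-anonymity, so only the first five hex characters of each SHA-1 hash leave the machine, and the `fetch` argument is injectable so the matching logic runs offline against a constructed response. The breach records in `main` are constructed, and the `Add-Padding` header asks the service to pad responses so their size does not reveal which prefix was queried.

```python
"""Check passwords from a breach dump against the Pwned Passwords corpus using
the k-anonymity range API. Added example; not the page's own tooling."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to
    the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup: returns the 'SUFFIX:COUNT' lines for one hash prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "cyber-dd-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the logic can be exercised without network."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)  # padded filler entries carry count 0
    return 0


def triage_dump(records, fetch=fetch_range):
    """records: iterable of (email, password) pairs from a breach listing.
    Returns [(email, hit_count)] for accounts whose password is a known
    compromised value, so forced resets can be prioritised per account."""
    hits = []
    for email, password in records:
        count = pwned_count(password, fetch)
        if count:
            hits.append((email, count))
    return hits


if __name__ == "__main__":
    # Constructed sample of what a dark-web listing for the target might contain.
    dump = [
        ("cfo@target-co.example", "password"),
        ("ops@target-co.example", "Winter2024!"),
    ]
    for email, count in triage_dump(dump):  # live lookup; network required
        print(f"{email}: password seen {count} times in breach corpora")
```

Only the hashed password is involved; the email address never leaves the machine, which matters when the listing itself is sensitive deal material.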
How can PE deal teams assess cybersecurity risk before gaining access to target systems?
External-first assessment draws on 500+ data sources covering cybersecurity, technology stack, and regulatory history without requiring system access, management cooperation, or even notifying the target. Assessment begins from the moment a target is identified - in competitive processes, this means having independent technical intelligence before management representations are made, without consuming deal timeline.
Sources
- OWASP. Web Security Testing Guide.
- Have I Been Pwned. Breach Database and Credential Exposure.
- NIST. National Vulnerability Database. nist.gov. 2025.
- Womble Bond Dickinson. Unprecedented: PE Firm Potentially on the Hook for Portfolio Company's Data Breach (Bain / PowerSchool). 2026.
- Bloomberg Law. Bain Struggles to Dismiss PowerSchool Data Breach Claims. March 2026.