Acquiring a business? BlackFlag Advisory conducts passive cyber due diligence on target companies before completion.

Request an Assessment →

What Cyber Due Diligence Actually Looks Like — And What Acquirers Consistently Miss

The cyber security liabilities embedded in an acquisition target are rarely visible in the information memorandum. They do not appear in the audited accounts. They are not disclosed in the vendor due diligence questionnaire — because the vendor completing the questionnaire either does not know about them or has chosen to describe their security posture in the most favourable terms available. They surface post-completion, when they become the acquirer’s problem.

Australian M&A activity has produced a growing body of post-acquisition cyber incidents in which the acquirer discovered, months or years after completion, that they had assumed responsibility for an unresolved data breach, an active ransomware infection in a dormant system, compliance failures under the Privacy Act, or security vulnerabilities that were being actively exploited at the time the deal closed. In some cases, the incident that revealed the problem was the culmination of a breach that had been ongoing for months before the acquisition completed.

The due diligence process that is supposed to identify these risks is almost universally inadequate for the purpose. Not because acquirers are careless, but because the standard approach to cyber due diligence — a questionnaire sent to the vendor, completed by the vendor, and reviewed by a team without deep cyber security expertise — is structurally incapable of finding what is actually there.

Key Points

  • Cyber security liabilities acquired through M&A are frequently not visible in financial statements or disclosed in vendor due diligence responses — they surface post-completion
  • A target company’s unresolved data breaches, compliance failures, and security vulnerabilities transfer with the acquisition — including the regulatory and legal consequences of incidents that occurred before completion
  • Most Australian M&A due diligence processes rely on questionnaire-based cyber assessment that is structurally incapable of identifying what is actually present
  • Pre-acquisition passive assessment can surface the target’s external security posture, breach exposure, and observable compliance gaps without requiring access to their systems or alerting them to scrutiny
  • Warranty and indemnity insurance for cyber liabilities is an increasingly common but imperfect solution — understanding what is being covered before the policy is placed is essential

What Questionnaire-Based Due Diligence Cannot See

The cyber security questionnaire sent to an acquisition target is a document about intentions, policies, and self-assessment. It asks questions like: do you have an information security policy? Do you conduct regular security awareness training? Have you experienced a data breach in the past three years? The responses are provided by the vendor, typically under time pressure, and reviewed by legal advisers who are not equipped to interrogate technical claims.

What the questionnaire cannot reveal: whether the systems described in the policy actually behave the way the policy says they do. Whether the data breaches that occurred were identified, assessed, and notified appropriately — or whether they occurred without detection. Whether staff credentials have appeared in breach intelligence databases. Whether the technology stack contains known vulnerabilities that have not been patched. Whether the email configuration allows domain spoofing. Whether the privacy policy accurately reflects data handling practices. All of these are knowable. None of them appear in a vendor-completed questionnaire.
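One concrete form of the "does the email configuration allow domain spoofing" check named above, as an added example (not BlackFlag Advisory's tooling): it reads the SPF and DMARC TXT records a passive DNS lookup would return and rates the domain's spoofing exposure. The hypothetical domains and their TXT answers are constructed and embedded in `SAMPLE_TXT`, which stands in for a live resolver.

```python
import re

# Constructed sample DNS TXT answers for hypothetical target domains; this dict
# stands in for live DNS lookups so the example runs offline.
SAMPLE_TXT = {
    "target-a.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.target-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@target-a.example"],
    "target-b.example": ["site-verification=abc123", "v=spf1 include:_spf.example.net ~all"],
    # target-b publishes no _dmarc record at all
    "target-c.example": ["v=spf1 +all"],
    "_dmarc.target-c.example": ["v=DMARC1; p=none; rua=mailto:reports@target-c.example"],
}

def spf_all_qualifier(domain, txt=SAMPLE_TXT):
    """Qualifier on SPF's 'all' mechanism ('-', '~', '?', '+'); None if no single valid record."""
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records are both invalid (RFC 7208)
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0].lower())
    return (m.group(1) or "+") if m else "?"  # no 'all' mechanism defaults to neutral

def dmarc_policy(domain, txt=SAMPLE_TXT):
    """DMARC p= tag ('none', 'quarantine', 'reject'), or None if no record is published."""
    for r in txt.get("_dmarc." + domain, []):
        if r.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return None

SPF_FINDINGS = {None: "no valid SPF record", "+": "SPF +all permits any sending host",
                "?": "SPF has no effective 'all' mechanism", "~": "SPF ends in ~all (softfail only)"}
DMARC_FINDINGS = {None: "no DMARC record", "none": "DMARC p=none (monitoring only)"}

def spoofing_exposure(domain, txt=SAMPLE_TXT):
    """Rate how freely mail can be forged from the domain: ('low'|'medium'|'high', findings)."""
    spf, dmarc = spf_all_qualifier(domain, txt), dmarc_policy(domain, txt)
    findings = [f for f in (SPF_FINDINGS.get(spf), DMARC_FINDINGS.get(dmarc)) if f]
    if dmarc in ("reject", "quarantine"):
        level = "low"     # receivers are instructed to act on alignment failures
    elif spf == "-":
        level = "medium"  # hard-fail SPF, but without DMARC the From: header is unprotected
    else:
        level = "high"
    return level, findings
```

Against real targets the same functions would be fed the TXT answers from an ordinary DNS query, which touches only public infrastructure and never the target's own systems.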

The Inherited Breach Problem

The Notifiable Data Breaches scheme imposes notification obligations on entities that experience eligible data breaches. When an acquisition completes and the target entity is absorbed into the acquiring group, the acquirer inherits not just the assets and liabilities on the balance sheet, but the regulatory obligations that attach to any unresolved breach that occurred in the target. An eligible breach that occurred in the target before acquisition, was not identified or notified, and is subsequently discovered post-completion creates notification obligations for the acquirer — and potential findings of non-compliance for a breach that predated their ownership. This is not a theoretical scenario. It is a documented pattern in Australian M&A.

What Passive Pre-Acquisition Assessment Surfaces

A passive assessment of an acquisition target’s external security posture can be conducted before completion, without accessing the target’s systems, and without alerting the target to the scrutiny. It surfaces the information that vendor-completed questionnaires structurally cannot provide: the external footprint, the observable security hygiene, the breach intelligence, the technology stack vulnerabilities, and the privacy compliance posture as it appears to anyone with the knowledge to look.

This intelligence serves several distinct purposes in an M&A context. It provides a basis for informed negotiation of cyber-specific warranties and indemnities. It identifies risks that should be conditions of completion or specific disclosure items. It informs the pricing of any warranty and indemnity insurance being placed on the transaction. And it gives the acquirer’s integration team a clear picture of the work required to bring the target’s security posture to an acceptable level post-completion.

The Warranty Gap

Warranty and indemnity insurance has become a standard feature of Australian M&A transactions above a certain value threshold. Cyber-specific warranties — assurances that the target has not experienced undisclosed breaches, that its security posture meets certain standards, and that it is compliant with applicable privacy legislation — are increasingly included. But these warranties are only as valuable as the information behind them.

A warranty given by a vendor who does not actually know the state of their security posture is not a meaningful assurance. It is a legal document that shifts liability but does not reduce risk. The acquirer who relies on a cyber warranty without conducting independent assessment to validate it has transferred the financial risk but not the operational or reputational consequence of discovering a problem post-completion. By that point, the business is theirs, the clients are theirs, the regulatory obligations are theirs, and the problem is theirs to resolve.

Know What You Are Actually Acquiring

A BlackFlag Advisory pre-acquisition assessment surfaces the cyber security and compliance posture of your target before completion — giving you the information to price the risk, negotiate warranties, or walk away. No access to the target’s systems required. Delivered within 5 business days.

Request an Assessment →

What the Assessment Covers

Complete external footprint assessment of the target company. Breach and credential exposure intelligence. Email authentication and domain security posture. Technology stack and known vulnerability exposure. Privacy compliance gaps visible from public-facing presence. All conducted passively — no target system access required.