Cybersecurity is changing how financial markets work but not in the way people think
Looking at how VCs, PE firms, and acquirers are rethinking cybersecurity and what this means for the future of our industry
People like to say that public markets don’t really care about security and that the impact of security incidents on company value over a long period of time is basically non-existent. I know about this because I am one of the people who said that. While I continue to believe that to be true (look at the CrowdStrike stock, which is now at an all-time high), there are cases when security does matter because it does impact the value of the company. In this piece, I am going to discuss how VCs, PE firms, and acquirers are rethinking cybersecurity, and in which ways cyber does have the ability to impact capital markets.
Why venture capital doesn’t prioritize cybersecurity
It makes sense to start the discussion by looking at how venture capital treats security because VCs are the very first representatives of institutional capital that get to interact with the startups.
The truth is that in the world of venture capital, cybersecurity risk has been and continues to remain an afterthought in most (realistically, all) investment decisions. While VCs spend a lot of effort on legal and financial due diligence, very few take cybersecurity posture seriously when making early-stage investments. That’s not because they’re unaware of the risks, but because, so far, those risks haven’t consistently impacted the one thing that VCs care about: returns.
Startups face a never-ending list of threats to their survival, but bad security posture is rarely one of them. Most startups fail due to well-known and well-documented reasons: lack of product-market fit, running out of money, poor execution, etc. Here is the list of the top 20 reasons, and as you can see, a breach or cyber incident is not there.
Source: CB Insights
Contrary to what many in our industry would assume, a security incident has very, very low probability and impact for early-stage companies, especially in the early years when the company hasn’t yet accumulated significant data, infrastructure, or brand value worth stealing, destroying, or frankly protecting.
The reality is that every startup is insecure by default. Founders are racing to ship products, win customers, and raise funding. Security, like compliance or scalability, is typically delayed until it becomes a barrier to growth or until a customer demands it. Cutting corners is not a bug; it’s part of the startup playbook. There’s so much founders “need” to do that if they can’t effectively prioritize what is absolutely essential and non-negotiable, they’ll never get anything new off the ground. From a VC’s perspective, demanding best-in-class security practices at pre-seed or Series A would be like asking a newborn to get a full-time job (premature and frankly, kind of absurd).
If you read the news, it’s hard not to notice that companies that make headlines for big breaches (think Target, Equifax, or Colonial Pipeline) are all mature, large enterprises. These are not the kinds of companies VCs back in the early stages, and as a result, the fear of cybersecurity risk hasn’t yet become something VCs think they should be paying attention to. Until a VC fund sees a potential billion-dollar exit collapse because of a breach, security is not going to become a major diligence item, but as soon as it happens, I am sure the attitudes will change pretty quickly.
Let me be clear: I am not saying that VCs ignore cyber risk. It’s really the opposite - venture is fundamentally about managing risk and reward, but not all risks are treated equally. Legal and regulatory risks, for example, are taken seriously because there’s a well-established history of them tanking deals and killing companies. Legal due diligence is a standardized, critical part of the investment process, not because it’s exciting, but because stuff like intellectual property issues have burned investors before. The moment cybersecurity creates similar pain, like when a breach derails a billion-dollar IPO or acquisition, cyber due diligence will quickly become a part of the process, likely starting with later rounds.
When that shift happens, I think VCs will start hiring third parties to evaluate startups' security postures and sign off on risk exposure, just like they do with financial auditors and legal counsel today. I would anticipate that when it happens, we’ll see cybersecurity due diligence firms emerge to fill this need, just like there are plenty of law firms (at least in the Bay Area) that exclusively focus on working with VCs and startups.
Cybersecurity risks and private equity
Private equity and its relationship with cyber risk
Historically, private equity (PE) firms were very similar to VCs in that they hadn’t treated cybersecurity as a core diligence priority. If you think about it, it also makes sense: oftentimes, PE firms acquire companies that they think are underperforming so that they can optimize operations and exit in 3-5 years. While their model is built around financial engineering and controlled risk-taking (think a lot of spreadsheets), and risks like legal, financial, and operational would generally be priced into deals and mitigated, cybersecurity has traditionally been treated more as a potential liability than a fundamental business risk. Basically, the mindset has been that “If we gamble well, nothing terrible will happen in the short time we own the company, and if something bad happens later, it’s going to be somebody else’s problem”.
Over the past decade, this has been changing. The reality is that cyber incidents can derail even the best-laid investment theses, and few cases illustrate it as well as the story of SolarWinds. In 2015, SolarWinds was acquired by Silver Lake and Thoma Bravo and taken private in a transaction valued at $4.5 billion. A few years later, in 2018, it went public again. Sadly, in 2020-2021, it became known that SolarWinds had been breached, and that attackers used SolarWinds to distribute malicious code to its customers. From that point onward, the company stock declined until more or less returning to normal just before the company was once again taken private by Turn/River. The struggles of SolarWinds and the fact that the company has become known worldwide because of the breach highlighted that, while over the long term, the impact of cyber incidents tends to be negligible, given the PE playbook and timelines, it can be pretty disruptive. Incidents like this have made it clear to PE firms that cybersecurity isn’t just a “nice to have”; it’s a critical risk vector that can materially impact exit value, insurance costs, and even regulatory exposure.
Today, more PE firms are recognizing that cyber risk is directly tied to their bottom line. Unlike VCs, PE players are beginning to approach security with the same seriousness they apply to legal and financial due diligence.
The rise of the captive MSSP model in private equity
To manage cyber risk across their portfolios, many PE firms are turning to a new model: the captive MSSP (managed security services provider). Instead of treating each portfolio company as an isolated security challenge, leading PE firms are building centralized security service units that provide baseline cybersecurity programs to every company they acquire. This model is gaining traction, particularly in sectors like healthcare, manufacturing, and fintech, industries where sensitive data and compliance requirements make breaches especially costly. For example, I know of some healthcare-focused PE firms that have established wholly owned MSSPs that onboard every new portfolio company, assess their current posture, and implement a minimum viable security program. The goal for these MSSPs isn’t to build world-class security overnight; it’s to get every portfolio company to a safe, stable baseline quickly and cost-effectively.
Another slight variation of this model is the “captive consultancy,” where the PE firm owns or partners with a security consulting firm that provides recurring services across the portfolio. These firms function like internal MSSPs with multi-tenant capabilities: they help companies build foundational security programs, implement controls, and mature until they’re ready to manage their security independently. In some cases, PE firms appoint CISOs or Heads of Security for entire families of companies. These security leaders are responsible for developing strategy, managing risk, and ensuring consistent controls across diverse business units. It’s a portfolio-level view of security that mirrors the operational playbooks PE firms use for other functions like finance, HR, and procurement.
Approaching security from the “portfolio” standpoint isn’t just smart, but also cost-effective. There are surely savings that can be achieved by unifying standards, systems, and processes, and quite a lot can be done by negotiating volume discounts with vendors. It’s one thing to have each company buy their own, say, EDR tools, but it’s a different story when a single procurement center negotiates a volume discount for tens of thousands of endpoints across all the portfolio companies.
For those interested in reading a more practitioner-focused take on security in the PE world, I recommend checking out this blog post from John Masserini.
Cybersecurity risks in mergers & acquisitions
The role of cybersecurity risk in M&A
For the last few decades, cybersecurity has played little to no role in a typical merger or acquisition. When acquiring a company, buyers would normally focus on well-understood areas like legal structure, tax exposure, and financial performance. That is because each of these areas has proven to be critical over decades of M&A transactions, so buyers know that getting any of these wrong can lead to losing a lot of money. Technical due diligence would generally come down to making sure that the infrastructure is compatible and the acquirer can integrate the tech it buys. The security of the underlying systems or the maturity of the cybersecurity program wasn’t really a part of the review. The reality is that in most M&A processes, the business case for the acquisition is made early, and the factors that come into play are all based on strategic opportunity, revenue potential, product expansion, or anything else that revolves around growth. By the time technical diligence begins, the buy/no-buy decision has generally already been made. And, since there weren’t any high-profile examples of M&A derailed by cyber risk, there was little incentive for buyers to dig deeper.
This perception started to change in the past decade as soon as some big M&A deals were publicly impacted by cybersecurity failures. One of the earliest wake-up calls came in 2017 when PayPal acquired TIO Networks. Some weeks after the acquisition closed, PayPal discovered that 1.6 million customers’ data had been compromised in a breach that predated the deal. The fallout was really bad: TIO was forced to suspend operations, PayPal got stuck in many lawsuits, and the company took a reputational hit even though it wasn’t responsible for the original breach. The story of TIO Networks became a textbook example of a cyber issue derailing an otherwise promising acquisition, sending over $200M down the drain. It could have been worse: if PayPal had discovered the issues after integrating the two companies, the magnitude of the impact could have been much bigger.
Even more dramatic was Verizon’s acquisition of Yahoo. Initially, the deal was announced to be worth just over $5 billion, but it was almost derailed when Yahoo disclosed two major data breaches, one of which compromised all 3 billion user accounts. In response, Verizon negotiated a $350 million reduction in the deal price and required Yahoo to set aside an entity with sufficient capital to absorb potential breach-related liabilities. While the deal ultimately closed, the financial and operational mess of dealing with the breach while trying to close M&A served as a cautionary tale for future acquirers.
The crazy thing is that both of those unfortunate stories unfolded after Marriott had acquired Starwood Hotels just a year earlier, in 2016, but before what had happened at Starwood became public in 2018. After the acquisition, it was discovered that Starwood had been breached years earlier and that attackers maintained access to sensitive data throughout the transition period. The resulting regulatory penalties and litigation stretched into the hundreds of millions of dollars. The story took many years to unravel, and the recent FTC decision dates to just 2024 (I suspect the legal battles might be ongoing). Unlike the Yahoo case, Marriott couldn’t claw back any of the purchase price, and it inherited full responsibility for the breach.
These three incidents helped establish the idea that cyber risk can’t just be ignored in M&A because not only can it materially impact deal value, but it can also create a significant post-close risk to the acquirer. Let me be clear, too: these aren’t three isolated events; there are many more. As recently as a year ago, a Fortune 500 company was in the process of buying a clinical laboratory business, but a security event led to a 22% reduction in the purchase price.
The rise of cyber due diligence in M&A
Today, the cybersecurity due diligence step has become a pretty common, though not yet standardized, part of the M&A due diligence process. Unlike just a decade ago, acquirers today are much more likely to request security audits, assess incident history, review data protection policies, and evaluate the technical maturity of internal security programs, because they know that the cost of doing this upfront is much lower than the potential exposure. Some companies, specifically large tech players like Google, Meta, PayPal, and Salesforce, go especially deep. Many (if not all) of them have dedicated cyber due diligence teams that don’t just do surface-level box checking but actually pentest their potential partners, go deep to assess their vulnerability exposure, etc.
While progress is being made, I think it’s important to call out that cyber issues are very unlikely to kill a deal. By definition, M&A is about risk-taking, and every acquisition inherently comes with the risk of not working out, not returning the money, etc. Buyers are pretty used to absorbing a lot of uncertainty. Cyber due diligence isn’t about achieving perfection; it’s about quantifying risk and making sure it’s priced into the deal. What cybersecurity due diligence can (and often does) impact is the value of the transaction. The story of Yahoo's acquisition, where the company lost $350 million in value, isn’t even the limit to what’s possible. EY’s Brian Levine, who specializes in cybersecurity due diligence for M&A, has shared on a podcast how his team once helped reduce a transaction price by $1.4 billion based on cyber risk findings alone.
It’s worth calling out that, similar to PE firms, strategic acquirers are investing money not only into evaluating their prospective acquisition targets, but also in improving their security posture. In many cases, the acquirer will bring in short-term security teams (often internal or trusted external MSSPs) to help improve the posture of the newly acquired company. These teams help build foundational security programs (think monitoring, alerting, basic controls, etc.) until the acquired company can take over with internal hires or more formal security leadership. This “captive MSSP” or “portfolio security team” model is becoming very common not just in PE companies, but also in M&As. One of the drivers is the fact that, as Brian Levine points out, adversaries are now targeting companies during the M&A announcement period:
“A large law firm merger received approval from partners on October 13, resulting in significant press coverage. News of the ransomware attack appeared within weeks.
Transactions can be highly visible events that draw the attention of cybercriminals. In November 2021, the FBI warned that cybercriminals were increasingly targeting companies involved in mergers and acquisitions and leveraging these high-profile events for ransomware attacks. Four months later, a Wall Street Journal headline noted: “Ransomware Attackers Begin to Eye Midmarket Acquisition Targets.”
Transactions are a target for cybercriminals not only because they are large, high-profile events but also because they are distracting, and distracted employees are more likely to fall for a phishing email or other social engineering attack. A merger or acquisition often involves new and unfamiliar voices and communication channels, so employees may not be on guard when they receive an email or phone call from someone they don’t recognize. Distracted by concerns about whether the transaction will impact their jobs, employees may be less cautious—or may become insider threats themselves, attempting to download anything that is not secured, such as trade secrets or other proprietary information.” - Source: Brian Levine on LinkedIn
The future of cyber due diligence in M&A
As cyber due diligence becomes a more accepted and necessary step in the M&A process, the demand for security professionals who can operate in this domain is increasing. Cyber due diligence roles are uniquely cross-functional, and people working in them need a combination of technical skills and communication skills. They can’t only be deep in one area like endpoint or cloud; they have to be generalists who can understand the business, know what’s relevant to assess, and then do the work, identify red flags, and explain their findings to legal, financial, and executive stakeholders. The people I met in these roles are very adaptable, and they have fantastic presentation skills. I’d say that this role is a real embodiment of the “security as a business enablement” idea since every M&A deal is an opportunity, and security is a part of making sure that the opportunity will actually materialize.
That said, I don’t think most companies will have the need and resources to build this as a separate function in-house. They are much more likely to either offload cyber due diligence on their CISOs and security teams or to get help from consulting firms, especially the Big Four. Regardless of how it unfolds, the good news is that we’re starting to see discussions of the role cybersecurity plays in M&A, and I am optimistic that over time we’ll see more positive changes.
Future of cyber due diligence
In my mind, cyber due diligence is similar to the cyber insurance market. In its early days, cyber insurance was a new offering, so underwriters issued policies without any technical assessments, and often without even asking basic due diligence questions. Time showed that this approach doesn’t really work, so as the amount of losses increased, the market quickly matured. Insurers that survived developed pretty good evaluation frameworks, detailed questionnaires, security control checklists, and all kinds of third-party risk assessments. Skeptics will say that it’s still not good enough (sure, we should do more!), but I think we’ve done a decent job so far.
The same shift is happening in cyber due diligence. Today, many acquirers still approach it informally, treating it as a checkbox instead of a critical part of risk assessment. However, as more buyers have to deal with post-acquisition breaches or get stuck in lawsuits and expensive remediations, the rigor will follow.
I don’t think VCs will start paying attention to cybersecurity as they evaluate companies anytime soon, and frankly, I don’t think they should: there is so much that can go wrong with a startup that cybersecurity won’t make it to the top of the list for a long while. For PE and acquirers, the story is quite different because a) by the time they come into the picture, the company should be much more mature, and b) the risks of poor security posture are much higher. I believe we’re moving toward a world where cyber due diligence becomes a structured, repeatable process, supported by specialized firms, standard methodologies, and benchmarks for security maturity. Just like financial audits, cybersecurity assessments will become a core part of how companies evaluate acquisition targets. The goal is never going to be to eliminate risk entirely, but money is a good argument to understand, price, and manage it better than we do today.
Awesome write-up, as always. Great move highlighting an often unrecognized reason that organizations need to be concerned & diligent about their security posture.
A very interesting read