
The $350M Horror Story: Why Security Debt Kills Deals (And How to Spot It)

Client/Category: Compliance & Security
Industry: Private Equity / M&A
Function: Due Diligence

The Ghost in the Data Room

You’ve seen the financials. The EBITDA bridges look clean, the customer concentration is manageable, and the growth story is compelling. You are ready to issue the LOI. But there is a ghost in the data room, and it’s not on the balance sheet.

It’s the silent, unpatched vulnerability in a legacy ERP system. It’s the S3 bucket left open by a developer who left three years ago. It’s the vendor access credential that hasn’t been rotated since the Obama administration.

We call this Security Debt, and in 2025, it is the single biggest destroyer of deal value post-close. The classic cautionary tale is Verizon’s acquisition of Yahoo, where undisclosed breaches shaved $350 million off the purchase price. But that was a public mega-deal. In the mid-market private equity world, the horror stories are quieter, but arguably more deadly.

Imagine closing a $50M platform acquisition on Friday, only to discover on Monday that their "proprietary data moat" was exfiltrated six months ago. You didn’t just buy a company; you bought a liability. According to a study by Forescout, 53% of buyers discover critical cybersecurity issues only after the deal closes. By then, the multiple has been paid, the debt has been structured, and the leverage is yours to manage.

Why "Standard" IT Diligence Fails

The problem is that traditional IT due diligence is often a "checkbox" exercise. A third-party consultant runs a vulnerability scan, checks for a firewall, and asks if employees do phishing training. This is hygiene theater, not risk assessment.

Real security diligence requires hunting for negligence, not just bugs. When we advise PE firms on cybersecurity risk assessments, we don’t just look at patch levels. We look for the culture of security debt.

The Mathematics of a Deal Killer

Let’s talk numbers. Why does a security finding kill a deal? It’s not just the cost of the fix; it’s the uncertainty of the liability. If a target company has a history of ignored alerts, the buyer must price in:

  • The Remediation CAPEX: The immediate cost to rip and replace insecure infrastructure.
  • The Regulatory Fine: Potential GDPR/CCPA penalties that attach to the entity.
  • The Brand Discount: The permanent impairment of trust if a breach is disclosed post-close.

Data from IBM’s 2024 report shows the average cost of a data breach is now $4.88 million. For a mid-market firm with $5M EBITDA, a single incident wipes out a year’s worth of profitability. This is why 78% of buyers say they would walk away entirely if a significant undisclosed breach was found during diligence.

The "Change Healthcare" Effect

The 2024 ransomware attack on Change Healthcare (a UnitedHealth subsidiary) is the new benchmark for worst-case scenarios. It wasn't just a breach; it was a systemic failure of third-party risk management that cost billions. In the mid-market, we see this constantly: platform companies acquiring smaller add-ons without vetting their security posture, effectively importing a virus into the main network.

When you buy a company with high technical debt, you are almost certainly buying high security debt. They are two sides of the same coin. If they didn't have time to refactor their code, they definitely didn't have time to secure it.

You didn’t just buy a company; you bought a liability. 53% of buyers discover critical cybersecurity issues only AFTER the deal closes.
Justin Leader
CEO, Human Renaissance

The 10-Day Security Triage Playbook

You cannot do a full forensic audit in a 30-day exclusivity period. But you can identify the deal-killers. Here is the triage framework we use to determine if a target is "fixable" or "toxic":

1. The Vendor Access Audit

Ask for a list of all third parties with active VPN or API access to the core environment. If the answer is "we need to check," that is a red flag. If the answer is a spreadsheet last updated in 2023, that is a deal-killer. Unmonitored vendor access is the #1 vector for ransomware in portfolio companies.

2. The "Privileged User" Ratio

In a healthy organization, less than 5% of users should have administrative privileges. In a "wild west" startup, it’s often 50%+. If every developer has root access to production databases, you are buying a ticking time bomb. This requires an immediate post-close remediation roadmap funded by a holdback escrow.

3. The Incident Response "Fire Drill"

Don’t ask to see the Incident Response Plan (IRP) document. Ask to see the logs from the last time they tested it. If they have a 50-page PDF but no record of a tabletop exercise, the plan is fiction. In a real crisis, they will panic.
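The three triage checks above, written out as an added example script (not the advisory's own tooling) that runs over constructed vendor-access, identity and IR-test data; the one-year staleness window and the rule that unreviewed vendor access alone makes a target "toxic" are assumptions made here to operationalize the playbook:

```python
import csv, io
from datetime import date

# Constructed sample data: a vendor-access register and an identity export.
VENDOR_ACCESS_CSV = """vendor,access,last_reviewed,last_rotated
ERP Support Co,VPN,2023-02-10,2019-11-01
Payroll SaaS,API,2025-01-15,2024-12-01
Legacy MSP,VPN,2022-06-30,2018-03-12
"""
USERS_CSV = """user,role
alice,admin
bob,user
carol,admin
dave,user
"""
IR_TABLETOP_DATES = []  # constructed: a 50-page IRP exists, but no test record

def stale(iso_day, as_of, max_days):
    return (as_of - date.fromisoformat(iso_day)).days > max_days

def vendor_findings(csv_text, as_of):
    """Flag third-party access whose review or credential rotation is overdue."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if stale(row["last_reviewed"], as_of, 365):  # assumed one-year window
            findings.append((row["vendor"], "unreviewed"))
        if stale(row["last_rotated"], as_of, 365):
            findings.append((row["vendor"], "unrotated"))
    return findings

def admin_ratio(csv_text):
    """Share of accounts holding administrative privileges."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return sum(r["role"] == "admin" for r in rows) / len(rows)

def triage(as_of=date(2025, 6, 1)):
    """Apply the three playbook checks and return (verdict, reasons)."""
    reasons = []
    vf = vendor_findings(VENDOR_ACCESS_CSV, as_of)
    if vf:
        reasons.append(f"{len(vf)} stale vendor-access findings")
    ratio = admin_ratio(USERS_CSV)
    if ratio > 0.05:  # playbook threshold: healthy orgs stay under 5% admins
        reasons.append(f"admin ratio {ratio:.0%} exceeds 5%")
    if not IR_TABLETOP_DATES:
        reasons.append("no recorded IR tabletop exercise")
    # Unreviewed vendor access is the playbook's deal-killer; the rest is fixable.
    if any(kind == "unreviewed" for _, kind in vf):
        return "toxic", reasons
    return ("fixable" if reasons else "clean"), reasons
```

On the constructed data the target comes back "toxic" with all three findings; swapping in a real access register and identity export is the only change needed to reuse the checks.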

Conclusion: Price It In or Walk Away

Security debt is financial debt. It must be subtracted from the Enterprise Value. If you find significant gaps, you have two options: walk away (as 78% of your peers would), or structure a specific indemnity and escrow to cover the remediation costs.

Do not rely on Rep & Warranty insurance to save you. Insurers are increasingly carving out known vulnerabilities and pre-existing conditions. The only insurance you have is rigorous, operator-led diligence. Don't let the ghost in the data room haunt your next exit.
