Accelerate Partners Blog | AI, Cloud, Cybersecurity, and Compliance Insights

Cybersecurity Risk in Acquisitions: The $2.8M Question Every Deal Team Ignores

Written by John Manganiello | May 17, 2026 9:05:29 PM

When PE deal teams price an acquisition, they model EBITDA, working capital, growth, and synergies. They rarely model the line item that has reshaped some of the highest-profile transactions of the last decade: inherited cyber risk.

The numbers are not theoretical. S-RM's 2025 private equity research found that 72% of PE firms across the US and EMEA suffered a serious cyber incident inside their portfolio over the prior three years, with the average cost of a single significant incident landing at $3.4 million.[1] IBM's 2025 Cost of a Data Breach Report puts the global average at $4.44 million, with US breaches alone at a record $10.22 million.[2] Yet only a fraction of mid-market deals price these exposures into valuation, escrow, or reps and warranties.

That gap, the difference between what a target's cyber posture is actually worth and what gets reflected in the deal, is the question deal teams keep ignoring.

What Gets Inherited at Close

Every acquisition transfers more than financials. It transfers the target's complete digital footprint, including incidents the seller may not have disclosed and vulnerabilities the seller may not know exist.

Forescout's landmark M&A study, surveying 2,779 IT and business decision-makers, found that 53% of organizations had encountered a critical cybersecurity issue during a deal that put the transaction in jeopardy, 73% considered an undisclosed data breach an immediate deal breaker, and 65% experienced buyer's remorse after closing because of cybersecurity concerns they ended up inheriting.[3]

The pattern repeats across PE specifically. Accenture reports that the announcement of a deal and the appeal of fresh capital attract cyber attackers, with ransomware groups timing campaigns to coincide with M&A activity.[4] The PowerSchool breach made this concrete. In March 2026, a federal court allowed claims to proceed against Bain Capital itself, holding that a PE sponsor could potentially be liable for a portfolio company's breach where post-close decisions contributed to the incident.[5]

Three Things Deal Teams Miss

Undisclosed prior incidents. Marriott's acquisition of Starwood is the textbook case. Attackers had been resident in Starwood's systems for years before close. The breach was not discovered until after the deal closed, resulting in multi-year litigation and government settlements.[6]

Third-party and supply chain exposure. IBM's 2025 report found that supply chain compromises cost an average of $4.91 million per incident and take 267 days to resolve, the longest of any attack vector.[2] Most M&A diligence stops at the target's perimeter and never assesses the vendors, MSPs, and cloud providers the target depends on.

Regulatory inheritance. Under the SEC's cybersecurity disclosure rule effective December 2023, public-company acquirers must disclose material cybersecurity incidents within four business days of determining materiality, including incidents inherited through acquisition.[7] HIPAA, GDPR, and state privacy laws transfer liability for pre-close violations to the buyer at the moment of close.[8]

What Good Cyber Due Diligence Looks Like

The fix is not a longer checklist. It is integrating cyber assessment into the deal lifecycle the same way legal and financial diligence are integrated.

PwC's M&A cyber framework recommends a tiered approach scaled to deal risk: pre-LOI threat landscape review, confirmatory diligence during exclusivity, pre-close validation, and a structured 100-day post-close integration plan.[9] EY-Parthenon's PE practice emphasizes one additional discipline: quantifying cyber risk in dollar terms during diligence so it can be negotiated, not just flagged.[10]

For a typical mid-market acquisition, cyber due diligence ranges from roughly $25,000 to $75,000 depending on deal complexity, industry, and timeline.[11] A finding that justifies even a $1 million purchase price reduction or an escrow holdback pays for the diligence many times over, and often catches the issue that would have surfaced as a much larger post-close cleanup.

The Bottom Line

The $2.8 million question is not whether cyber risk exists in the target. It almost always does. The question is whether the deal team prices it in before signing or absorbs it after closing.

Operating Partners and Deal Partners who treat cyber as a financial workstream, not an IT checkbox, protect deal value, accelerate integration, and exit cleaner. Those who treat it as an afterthought eventually pay the difference. They just pay it as a post-close write-down, an undisclosed liability, or a four-business-day SEC filing instead of a negotiated escrow line.

If your next acquisition closes in the next 90 days and cyber diligence has not started yet, it is already late. The right time to bring in an independent cyber advisor is before the LOI, not after.

Accelerate Partners works with PE firms and their portfolio companies as a vendor-agnostic technology and cybersecurity advisor across the full deal lifecycle. Pre-LOI through post-close integration, we quantify cyber risk in dollar terms so deal teams can negotiate it, not just flag it. Beyond diligence, we help portfolio companies increase ROI on existing technology investments by eliminating redundant tools, consolidating overlapping platforms, and rightsizing licenses, and we reduce ongoing spend through technology expense management and vendor procurement advocacy. The result is a portfolio that is more resilient, more efficient, and worth more at exit.

Works Cited

1. "Cyber Risk Management for Private Equity." S-RM Intelligence and Risk Consulting, 2025. https://www.s-rminform.com/cyber-risk-management-for-private-equity 

2. "Cost of a Data Breach Report 2025." IBM, July 2025. https://www.ibm.com/reports/data-breach 

3. "Forescout Study Reveals Cybersecurity Concerns on the Rise Amid M&A Activity." GlobeNewswire, June 24, 2019. https://www.globenewswire.com/news-release/2019/06/24/1872829/0/en/Forescout-Study-Reveals-Cybersecurity-Concerns-on-the-Rise-Amid-M-A-Activity.html 

4. "Private Equity and the Rising Cost of Cyberattacks." Accenture, 2025. https://www.accenture.com/us-en/insights/strategy/private-equity-rising-cost-cyberattacks 

5. "Unprecedented: Private Equity Firm Potentially on Hook for Portfolio Company's Data Breach." National Law Review, March 2026. https://natlawreview.com/article/unprecedented-private-equity-firm-potentially-hook-portfolio-companys-data-breach 

6. "Cybersecurity: The Hidden Pillar of M&A Due Diligence." Centri Business Consulting, December 2025. https://centriconsulting.com/news/insights/cybersecurity-the-hidden-pillar-of-ma-due-diligence/ 

7. "Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents." U.S. Securities and Exchange Commission, May 21, 2024. https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-incidents-05212024 

8. "Cybersecurity Due Diligence for M&A Deals." Atlant Security, February 2026. https://atlantsecurity.com/cybersecurity-due-diligence/ 

9. "Understanding Cyber Due Diligence." PwC, 2024. https://www.pwc.com/us/en/services/consulting/deals/library/understanding-cyber-due-diligence.html 

10. "How Private Equity Cybersecurity Can Improve Deal Value Creation." EY-Parthenon, October 2025. https://www.ey.com/en_us/insights/strategy/how-private-equity-cybersecurity-can-improve-deal-value-creation 

11. "The Real Cost of Cybersecurity Due Diligence: What You're Actually Paying For." Atlant Security, February 2026. https://atlantsecurity.com/blog/cost-of-cybersecurity-due-diligence/