84% of IT integrations fail or experience significant issues (Gartner, 2024). But the number that should actually concern you? A significant number of executives report discovering cybersecurity breaches during M&A integration -- after the deal has closed.
You've just signed the papers on your latest acquisition. The deal team did brilliant work. Your CFO is modelling synergies. Your PE sponsor is pleased. And somewhere in the acquired company, there's a server in a cupboard that nobody told you about, running unpatched software from 2017, with three people sharing the admin password.
The pattern is well documented across post-acquisition audits. The security posture you think you're buying rarely matches the reality you inherit. No MFA on the email system. Spreadsheets with customer data living on personal Dropbox accounts. A "temporary" VPN set up during COVID that's become permanent, with credentials written on sticky notes. Legacy systems that can't be patched because "it'll break everything."
And the moment you close, it's all yours—legally, financially, operationally. UK GDPR doesn't distinguish between vulnerabilities you created and those you inherited. The ICO doesn't care that the breach happened before you owned the company. Your cyber insurance doesn't cover gaps you should have discovered.
This isn't a theoretical risk. It's the gap between close and integration—the risk window where you own the liability but don't yet control the environment. And for roll-ups doing 3-5 acquisitions a year, that window compounds with every deal.
What follows is a practical framework for the first 90 days: what to audit, what to shut down, what to harden, and how to build cybersecurity into your integration playbook without grinding operations to a halt.
Why Cybersecurity Is Your Problem the Moment You Close
The legal transfer of ownership doesn't wait for IT integration to catch up. The instant the deal closes, you inherit every unpatched server, every weak password, every undisclosed incident, and every regulatory obligation.
Under UK GDPR and the Data Protection Act 2018, buyers assume liability for data breaches, including those that occurred before acquisition. If the target suffered a breach six months ago and didn't disclose it (or didn't know about it), you're now the data controller responsible for notification, remediation, and any resulting fines. The ICO has made it clear: ignorance isn't a defence.
The numbers are stark. Industry surveys consistently show that a significant proportion of acquisition targets lack formal incident response plans. Many buyers discover security incidents during integration that were never disclosed during due diligence. And the majority of acquirers say they would reconsider or abandon a deal if a significant breach were uncovered.
But here's the problem: traditional M&A due diligence is a point-in-time snapshot, usually conducted weeks or months before close. It's a questionnaire, a policies review, maybe a third-party assessment. What it doesn't capture is the dynamic risk that emerges after the deal—when you begin connecting networks, migrating data, and granting access to your platform systems.
For roll-ups, this risk compounds. You're not integrating one company; you're managing the cumulative security posture of 5, 10, 15 acquisitions at various stages of integration. Each one is a potential entry point. Each one inherits access to shared resources. And if your internal IT team is already stretched thin managing day-to-day operations, cybersecurity in acquired companies often gets deferred.
Real Talk: It's not uncommon for acquirers to discover ransomware infections during the first week of file migration, or to find acquired companies with no endpoint protection, no backup strategy, and customer data on USB drives in desk drawers. The closet server test is real: physically walk the offices, because what's documented and what exists are rarely the same thing.
The window between close and integration is where deals go to die, or where liabilities you didn't price into the deal quietly erode value. Cybersecurity isn't an IT problem. It's an execution risk that directly impacts synergy realisation, regulatory compliance, and your ability to operate the combined business.
The Five Critical Security Risks After Acquisition
The security risks you inherit aren't hypothetical. They follow predictable patterns, and recognising them early gives you a chance to contain the damage.
Inherited Vulnerabilities and Shadow IT
The acquired company's IT hygiene is rarely what the due diligence report suggested. Legacy systems running unsupported software (Windows Server 2008, outdated CRM platforms, bespoke applications built by a contractor who left three years ago) are common. These systems can't be patched because nobody knows how they'll react, and they can't be replaced immediately because operations depend on them.
Then there's Shadow IT: the tools and services that staff adopted without IT's knowledge or approval. Personal Dropbox accounts syncing company files. WhatsApp groups sharing customer details. A facilities manager running operations through a free version of Trello. None of it is documented. None of it is secure. And all of it becomes your problem.
Case in Point: Consider a landscaping roll-up that discovers an acquired company's operations manager has built an entire job scheduling system in Google Sheets, shared via his personal Gmail account with a dozen subcontractors. No encryption. No access controls. Customer addresses, payment terms, and schedules, all sitting completely outside the corporate environment.
Data Migration and Integration Risks
IT integration creates a high-risk window. You're moving financial data, customer records, employee information, and operational files between environments. Data is in transit, often across incompatible systems. Credentials are being shared with migration teams. Access controls are loosened temporarily to facilitate transfers.
This is when attackers strike. Phishing campaigns targeting acquired company staff who are anxious about changes. Credential stuffing attacks exploiting weak passwords that nobody's rotated. Ransomware infections that spread from the acquired network into your platform before you've segmented properly.
The migration window is also when data quality issues surface (duplicates, incomplete records, unencrypted files), and the temptation is to rush through cleanup to meet integration timelines. That's when corners get cut and security is deferred.
Access Creep and Orphaned Admin Rights
Who has admin access to the acquired company's systems? In small businesses, it's often the previous owner, the IT person (who might be part-time or outsourced), maybe a trusted manager. These credentials rarely get revoked promptly after close.
Access creep happens when permissions accumulate without being reviewed. An employee who moved from finance to operations still has access to payroll. A former contractor who built the website still has CMS admin rights. Shared admin passwords that were "temporary" three years ago.
Post-acquisition, disgruntled employees are a real risk. Not everyone is happy about being acquired. If a key manager leaves in the first 90 days and still has remote access, you've got a problem. Orphaned admin accounts, credentials that belong to no one and are documented nowhere, are entry points waiting to be exploited.
Warning: It's common to find 5-10 admin-level accounts in acquired companies that nobody can identify. No owner. No purpose. Just permissions that have persisted for years.
Regulatory and Compliance Gaps
Compliance is never uniform across acquisitions. One company might have invested in GDPR readiness; another might have a privacy policy copied from a template and no data processing records. If you're operating across the UK and EU, you're navigating the UK GDPR, EU GDPR, and increasingly NIS2 and the Cyber Resilience Act.
Mismatched standards create risk. If your platform is ISO 27001 certified but the acquired company has no information security controls, you've just introduced a compliance gap that auditors will flag. If you're in healthcare or handle payment data, the stakes are even higher: CQC, PCI DSS, and sector-specific regulations that the target may not have understood or followed.
The ICO has been clear: controllers must demonstrate accountability. You can't simply inherit a non-compliant environment and plead ignorance. You must assess, remediate, and document. And if a breach occurs during that window, you're liable.
Vendor and Third-Party Attack Surface
Every acquired company brings a tail of vendor relationships: IT support providers, software subscriptions, cloud services, contractors with VPN access. Many of these arrangements are informal, month-to-month, or documented only in email threads.
Weak supplier contracts mean no security obligations, no breach notification clauses, no right to audit. And those third parties now have access to your combined environment. If the acquired company's outsourced IT provider has lax security, they're a potential entry point into your platform.
Supply chain risk is compounding. Attackers increasingly target smaller, less secure partners as a route into larger organisations. If you don't map and assess the third-party attack surface quickly, you're flying blind.
What M&A Cybersecurity Due Diligence Misses
Traditional due diligence focuses on policies, certifications, and questionnaires. It asks: Do you have a security policy? When was your last penetration test? Do you have cyber insurance? These are important, but they're static and backward-looking.
What due diligence often misses:
- Undisclosed incidents. Many acquisition targets lack a formal incident response plan. If they don't have a plan, they probably don't know if they've been breached. Small intrusions, ransomware infections that were quietly paid off, data exfiltration that went unnoticed: none of these appear in due diligence because nobody's looking for them.
- Dynamic integration risks. Due diligence happens before close. It doesn't assess the risks that emerge during integration: data in transit, temporary access granted to migration teams, the complexity of connecting disparate networks, or the human risk of anxious staff clicking on phishing emails.
- Shadow IT and undocumented systems. If the target's IT person filled out the questionnaire, they probably documented what they manage. They didn't document the systems they don't know about: the cloud apps staff subscribed to on company credit cards, the old CRM that's "still running for historical data," the personal devices with company email.
- Vendor and supply chain exposure. Due diligence might review major supplier contracts, but it doesn't map every third party with access, every SaaS subscription, every contractor with VPN credentials. The long tail of vendors is where risk hides.
- Cultural and process gaps. A policy on paper doesn't mean it's followed. MFA might be "required" according to the handbook, but if half the staff disabled it because it was inconvenient, the real posture is far weaker than the documented one.
Real Talk: Take a facilities management roll-up that acquires a company with "strong IT controls" according to due diligence. First week after close, the integration team discovers the admin password for the financial system is "Password123" and hasn't been changed in four years. Policy vs. reality.
For serial acquirers, cyber risk in acquired companies isn't a one-time assessment; it's an ongoing discipline. You need a repeatable playbook that assumes gaps, verifies controls, and prioritises hardening before you integrate deeply.
Immediate Actions for the First 90 Days
Speed matters. The longer you leave inherited vulnerabilities unaddressed, the wider the window for exploitation. Here's a practical 90-day security hardening plan designed for roll-ups with limited IT resources.
Week 1: Inventory and Isolate
Your first priority is to know what you own and contain the risk.
Audit all IT assets:
- Servers (physical and virtual), workstations, mobile devices, network equipment.
- Software: operating systems, applications, SaaS subscriptions.
- User accounts: employees, contractors, former staff, shared accounts.
- Admin and privileged access: who has it, how it's managed, whether MFA is enforced.
Conduct the closet server test:
Physically walk through offices. Find the hardware nobody mentioned. Check desk drawers, storage rooms, and under desks for USB drives, old laptops, and external hard drives with company data.
Isolate networks temporarily:
Don't connect the acquired company's network to your platform until you've assessed the risk. Treat it as untrusted. Segment access. Use VPNs and secure gateways if integration must begin immediately.
Verify no active breaches:
Review logs for unusual activity: failed login attempts, after-hours access, data exfiltration patterns. If the target has monitoring tools, pull the last 90 days. If they don't (likely), this is a blind spot you must address quickly.
Revoke unnecessary access:
Disable accounts for former employees, contractors, and third parties who no longer need access. Reset all shared and admin passwords immediately. If you can't identify who owns an account, disable it and wait for someone to complain.
Immediate wins:
- Enforce MFA on email and any externally accessible systems. This is non-negotiable.
- Disable legacy remote access methods (RDP exposed to the internet, old VPNs with weak credentials).
- Run vulnerability scans to identify unpatched systems and prioritise critical patches (remote code execution, privilege escalation flaws).
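As an added example (not code from the original article), the following Python script applies the Week 1 account rules above to a constructed user-directory export: disable former staff, contractor and unidentifiable accounts, reset shared and admin passwords, flag admin accounts without MFA, and queue long-idle accounts for review. The CSV columns, the action names and the 90-day idle threshold are assumptions.

```python
"""Day 1 account triage for an acquired company's user directory.

Added example; not code from the original article. It assumes a CSV export
(constructed below) with the columns username, owner, role, employment,
mfa, last_login, shared. Exports from Entra ID, Google Workspace or Okta
use other column names, so map them onto these before calling triage().
"""
import csv
import io
from datetime import date

# Constructed sample export: every row is fictitious.
SAMPLE_EXPORT = """\
username,owner,role,employment,mfa,last_login,shared
jsmith,Jane Smith,user,current,yes,2024-05-20,no
owner_admin,Bob Owner,admin,former,no,2023-11-02,no
itsupport,,admin,contractor,no,2024-01-15,yes
scanner,,user,unknown,no,2021-08-01,no
fin_admin,Alice Finch,admin,current,no,2024-05-21,no
mhall,Mark Hall,user,current,yes,2023-01-09,no
"""

STALE_DAYS = 90  # assumed threshold for "nobody has used this in ages"


def triage(export_text: str, today_iso: str) -> dict:
    """Return {username: [actions]} following the Week 1 rules.

    DISABLE      employment is not "current" (former staff, contractors,
                 unknown) or nobody can say who owns the account; re-enable
                 only once someone claims it and still needs it
    RESET        shared accounts and every admin account: rotate now
    ENFORCE_MFA  admin accounts staying live that have no MFA
    REVIEW       live accounts idle for more than STALE_DAYS
    Accounts needing no action are left out of the result.
    """
    today = date.fromisoformat(today_iso)
    actions = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        todo = []
        is_admin = row["role"] == "admin"
        if row["employment"] != "current" or not row["owner"].strip():
            todo.append("DISABLE")
        if row["shared"] == "yes" or is_admin:
            todo.append("RESET")
        if "DISABLE" not in todo:
            if is_admin and row["mfa"] != "yes":
                todo.append("ENFORCE_MFA")
            idle_days = (today - date.fromisoformat(row["last_login"])).days
            if idle_days > STALE_DAYS:
                todo.append("REVIEW")
        if todo:
            actions[row["username"]] = todo
    return actions


def summarise(actions: dict) -> dict:
    """Count accounts per action, for the Day 1 report to the deal team."""
    counts = {}
    for todo in actions.values():
        for action in todo:
            counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "2024-05-22")
    for user, todo in result.items():
        print(f"{user:12} {', '.join(todo)}")
    print(summarise(result))
```

Disabled accounts are not MFA- or idle-checked, since the page's rule is to disable first and wait for someone to claim the account.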
Days 30–90: Harden and Harmonise
Once you've contained immediate risk, you begin systematic hardening and align the acquired environment with your platform security standards.
Standardise identity and access management:
Migrate user accounts to your centralised identity provider (Microsoft Entra ID, Google Workspace, Okta). Enforce MFA across all users. Implement role-based access control so staff have only the permissions they need.
Patch and update aggressively:
Prioritise critical vulnerabilities in internet-facing systems, then work through internal systems. If something can't be patched (legacy application, unsupported OS), isolate it on a separate VLAN and restrict access tightly.
Review and rationalise SaaS subscriptions:
Map every cloud service the acquired company uses. Cancel redundant subscriptions. Migrate essential tools to your platform where possible. For services you must keep, enforce strong authentication and review access permissions.
Audit third-party access:
List every vendor, contractor, and partner with access to systems or data. Terminate unnecessary access. For essential vendors, enforce MFA, require security attestations, and document the relationship.
Establish endpoint security:
Deploy endpoint protection (antivirus, EDR) across all acquired devices. Ensure devices are encrypted and enforce screen lock policies. Block personal devices from accessing corporate resources unless they are enrolled in mobile device management (MDM).
Backup and disaster recovery:
Verify that the acquired company's data is being backed up securely and test restores. Many small businesses have backup systems that haven't been tested in years. If they don't have backups, set them up immediately.
Document everything:
Create an asset register, a user directory, a network diagram, and a vendor list. This isn't bureaucracy; it's operational necessity. You can't secure what you can't see.
Compliance check:
Assess GDPR compliance: Is there a data processing register? Are privacy notices accurate? Is consent documented where required? If the acquired company handles EU data, are they complying with cross-border transfer rules post-Brexit?
If you're in a regulated industry (healthcare, finance), map sector-specific obligations and remediate gaps.
User awareness and training:
Acquired staff are anxious and distracted, which makes them prime targets for phishing. Run a short security awareness session covering password hygiene, recognising phishing, and whom to contact if something seems wrong. Position it as support, not policing.
Communication is critical:
Explain why security changes are happening. Frame it as protecting the business and their jobs, not as distrust. Acquired teams often interpret new controls as loss of autonomy; clear, respectful communication mitigates resistance.
Building Cyber Hygiene Into Your Integration Playbook
One-off fixes aren't enough. For roll-ups doing multiple acquisitions a year, cybersecurity must be embedded into your integration playbook, not treated as an afterthought.
Establish a repeatable Day 1 security checklist:
- Inventory assets and user accounts.
- Revoke access for former staff and unknown accounts.
- Enforce MFA on email and critical systems.
- Isolate the acquired network until assessed.
- Run vulnerability scans and patch critical issues.
This checklist becomes part of your Minimum Viable Integration (MVI). Even if you're running a low-touch integration and leaving operations autonomous, baseline security is non-negotiable.
Assign clear ownership:
Who is responsible for cybersecurity in acquired companies? If your answer is "IT will handle it eventually," you've got a problem. For many roll-ups, IT is 2-3 people managing helpdesk, infrastructure, and security for 200+ users. Every acquisition adds work they don't have bandwidth for.
Consider whether post-acquisition security hardening is a role for an integration partner, a fractional CISO, or an MSP with M&A experience. The key is ensuring someone is accountable in the first 90 days rather than letting it drift.
Continuous monitoring, not point-in-time checks:
Security isn't a one-time audit. Implement centralised logging and monitoring so you have visibility into the acquired environment. Tools like Microsoft Sentinel, Splunk, or even simpler SIEM solutions give you early warning of anomalies.
Align cyber insurance and risk appetite:
Review your cyber insurance policy. Does it cover acquired companies during integration? Are there notification requirements for material changes in risk profile (new acquisitions, increased data volumes)? Many policies have exclusions or require disclosure.
Understand your PE sponsor's risk appetite. Some will tolerate a 90-day hardening window; others want zero connectivity until security is validated. Clarify expectations early.
Use established frameworks and standards:
If you're working toward ISO 27001 or Cyber Essentials Plus, acquisitions are an opportunity to extend certification across the portfolio. Use the same control framework for every integration; it simplifies audit and creates consistency.
NIS2 and the Cyber Resilience Act are raising the bar for supply chain security. If you're in a regulated sector or working with enterprise customers, demonstrating that you harden acquired companies quickly is a competitive advantage.
Build security into your deal model:
When evaluating targets, factor cybersecurity remediation into your synergy assumptions. If a target has weak security, budget 20-40 hours of IT/security work in the first 90 days and price that into the deal. Surprises erode value.
At PMI Stack, security assessment is a core part of our audit and planning phase. We map inherited risks before migration begins, isolate networks during integration, and enforce baseline controls before connecting acquired companies to platform systems. It's not optional -- it's how you protect the value you just paid for.
Stop Deferring Security -- It's Day 1 Work
Post-acquisition cybersecurity risks aren't edge cases; they're the norm. Weak passwords, unpatched systems, Shadow IT, orphaned admin accounts, and undisclosed breaches are predictable patterns that show up in acquisition after acquisition.
The moment you close a deal, you own the liability. UK GDPR doesn't care that the breach happened before you took control. Your cyber insurance doesn't cover gaps you should have found. And your PE sponsor won't accept "we didn't know" as an explanation when a security incident derails integration.
Gartner's finding (2024) that 84% of IT integrations experience significant issues isn't about bad luck or poor strategy; it's about execution gaps in the risk window between close and full integration. Cybersecurity is one of the biggest and most overlooked gaps.
The practical reality: this is fixable. A disciplined first 90 days (inventory and isolate, patch and harden, enforce MFA and access controls, audit vendors) contains the risk and sets a foundation for secure integration. Build that discipline into a repeatable playbook, assign clear ownership, and treat security as a Day 1 priority, not an IT backlog item.
For roll-ups doing 3-5 deals a year, post-acquisition cybersecurity can't be an afterthought. It must be part of how you execute M&A, because the value you're paying for evaporates quickly if you can't operate the business safely.
If your internal IT team is stretched thin and security hardening is getting deferred deal after deal, it's worth considering whether this is work that belongs with a partner who understands both the technical execution and the operational realities of roll-up M&A.
We're happy to talk through your integration roadmap: no pressure, no pitch. Just a practical conversation about how to protect the value you've worked hard to build.
Frequently Asked Questions
What's the biggest cybersecurity risk we inherit when we acquire a company?
The biggest risk is usually visibility, or the lack of it. You don't know what systems exist, who has access, what's been patched, or whether there's been a breach. Shadow IT, orphaned admin accounts, and undocumented vendor access are the most common gaps. Until you can see the environment clearly, you're flying blind.
Do we need to shut down the acquired company's network immediately after close?
Not necessarily, but you should isolate it. Don't connect their network to your platform until you've assessed the risk. Treat it as untrusted. Use secure gateways, VPNs, or temporary segmentation. If operations depend on connectivity, implement strict access controls and monitoring during the assessment window.
How long does it take to harden an acquired company's security posture?
For a small acquisition (10-50 users), basic hardening (MFA, patching critical vulnerabilities, revoking orphaned access, deploying endpoint protection) can be done in 2-4 weeks. Full alignment with your platform security standards typically takes 60-90 days. Larger or more complex acquisitions take longer, especially if you're dealing with legacy systems or compliance gaps.
What if the acquired company is running software we can't patch or update?
Legacy systems that can't be patched need to be isolated. Put them on a separate VLAN with restricted access. Limit who can connect and monitor activity closely. Document the risk and build a plan to replace or decommission the system. "We can't patch it" isn't an acceptable long-term answer; it's integration debt that compounds.
Are we liable for GDPR breaches that happened before we acquired the company?
Yes. Under UK GDPR, the acquirer becomes the data controller and assumes responsibility for compliance, including breaches that occurred before close. If a breach happened six months ago and wasn't disclosed (or discovered), you're now responsible for notification, remediation, and any regulatory consequences. This is why post-close security audits and breach verification are critical.
Should cybersecurity be part of due diligence or post-close integration?
Both. Due diligence gives you a snapshot of the target's security posture and helps you identify red flags before you commit. But due diligence is backward-looking and doesn't capture dynamic integration risks: data migration, network connectivity, access changes. Post-close, you need a structured 90-day hardening plan. For serial acquirers, post-close security should be a standard part of your integration playbook.
Who should be responsible for post-acquisition cybersecurity: IT, operations, or an external partner?
It depends on your IT team's bandwidth and expertise. If your IT team is already managing infrastructure, helpdesk, and security for your platform, adding acquisition security work can overwhelm them. Many roll-ups use a combination: internal IT sets policy and standards, and an integration partner or MSP executes the technical work (audits, patching, migration). The key is assigning clear ownership so nothing falls through the cracks.
What's the most common mistake acquirers make with cybersecurity after close?
Deferring it. Telling themselves "IT will get to it eventually" or "we'll address it after we migrate the CRM." The longer you wait, the wider the risk window. Cybersecurity can't be the last item on the integration backlog; it needs to be a Day 1 priority, even if deep integration happens later.