
This article is an Opinion, which presents the writer’s personal point of view. The views expressed are those of the author/authors and do not necessarily represent the views of Daily Maverick.

Buying a breach — the multimillion-rand blind spot in SA dealmaking

Mergers in South Africa often overlook cyber due diligence, risking undisclosed liabilities and hidden costs that can significantly impact the acquired organisation’s value and security posture.

The uncomfortable truth in any merger or acquisition is that you are not just buying an organisation’s future cash flows; you are buying its history. That includes the risks it has recorded, the risks it has ignored, and, most dangerously, the risks it doesn’t even know it is carrying.

In South Africa, mergers and acquisitions (M&A) activity is already governed by a rigorous compliance framework. From the Companies Act and Competition Act to BBBEE considerations and labour obligations, due diligence is a multidisciplinary exercise that local boards take seriously. Yet, a critical component is frequently treated as an afterthought: cyber due diligence.

Post-Steinhoff, governance, solvency and operational controls have rightly become non-negotiables for South African investors and boards. However, cyber risk does not present itself like a debt schedule or a disputed contract. It hides in the shadows of an organisation’s infrastructure — in loose identity controls, forgotten administrator accounts, unsupported software and unmanaged endpoints.

For acquirers, the danger is that traditional financial and legal due diligence often fails to uncover these toxic assets until the deal is signed and the networks are connected.

The visibility deficit

The primary challenge is a lack of visibility. Many organisations simply do not have a reliable, current picture of what they own, what is exposed, and what is vulnerable. This is particularly acute where IT and operational technology environments intersect, such as in manufacturing, mining or logistics sectors.

If an organisation cannot see an asset, it cannot secure it. And if it cannot secure it, a potential buyer cannot accurately value it.

When an acquirer inherits a target’s network, they inherit its compromises. If a threat actor has been lurking in a target’s system for six months — which is not uncommon given the average breach lifecycle — that dormant threat becomes the acquirer’s crisis on day one. The “synergies” promised in the deal presentation quickly evaporate when faced with the costs of remediation, regulatory fines of tens of millions of rands under the Protection of Personal Information Act, and reputational damage.

Technical debt represents future costs

It is time to stop viewing cybersecurity solely as an IT hygiene issue and start treating it as a valuation lever.

If a target organisation has significant technical debt — such as legacy systems that cannot be patched or a flat network architecture that allows ransomware to spread unchecked — that is a financial liability. It represents a future cost that must be factored into the purchase price.

Consider the cost of a data breach. According to the South African Reserve Bank’s 2025 Financial Stability Review report, the average cost of a data breach in South Africa has risen to more than R50-million. For a mid-market acquisition, absorbing a hidden breach could wipe out a significant proportion of the projected value of the deal.

One hidden liability example might be a company that processes large volumes of personal information, but can’t demonstrate a clear data inventory, lawful processing basis, retention controls or consistent access management. A breach may have taken place years ago and been investigated informally. Post-acquisition, there’s evidence of historic unauthorised access, which then becomes a board-level risk that wasn’t taken into account at the right time.

Far from being theoretical, there are numerous examples globally where cyber issues have directly affected M&A outcomes. Verizon’s acquisition of Yahoo is now a textbook example. After disclosures of major breaches, the purchase price was reduced by $350-million. Another cautionary tale is Marriott’s acquisition of Starwood. The UK Information Commissioner’s Office stated that Marriott “failed to undertake sufficient due diligence” when it bought Starwood, and that the underlying cyber incident dated back years before the breach was publicly disclosed.

Over and above risk mitigation, though, accurate cyber due diligence can be a powerful negotiation tool. Discovering that a target requires a R20-million security overhaul to meet the acquirer’s compliance standards provides legitimate grounds to renegotiate the purchase price or structure the deal with specific warranties and indemnities.

Red flags to watch out for

How can boards and dealmakers identify these risks before it is too late? It requires asking unfamiliar, probing questions about the target’s security maturity.

One major red flag is the absence of separation of duties. In many smaller, high-growth organisations, the “IT guy” holds the keys to the kingdom — managing firewalls, endpoints and backups, often with unrestricted administrative access. If that individual is compromised (or goes rogue), the damage can be total.

Another critical indicator is vulnerability management. Is there a measurable, consistent programme with executive visibility, or is the target relying on a cycle of reactive fixes?

The same scrutiny must apply to third parties. Supply chains are often the widest and least controlled route into sensitive systems. An acquirer needs to know not just who the target does business with, but how those vendors connect to the target’s network.

Finally, compliance maturity needs to be demonstrable. It is easy to write a policy; it is much harder to prove that the policy is tested and enforced in practice.

M&A activity creates the perfect conditions for attackers. The chaos of integration — connecting new networks, migrating data, merging email systems — creates noise that masks malicious activity.

Attackers know that during a merger, employees are expecting unusual emails from HR or IT about “new systems” or “payroll changes”. This makes them prime targets for social engineering and phishing attacks.

Making it a day-one priority

In the same way a board would not sign on the dotted line without clarity on an organisation’s tax affairs, a deal should not proceed without a realistic view of security posture. This must include a clear plan — and budget — for bringing the acquired environment up to the standard regulators, customers, and insurers expect.

By making cyber due diligence a day-one priority, South African organisations can ensure that their next acquisition brings growth and innovation, rather than a hidden legacy of risk. DM

Richard Ford is the group chief technology officer at Integrity360. With more than 15 years of experience in the IT security channel, he specialises in evolving technical capabilities and managed services to meet the changing security needs of organisations.
