Why Cybersecurity is a dealbreaker in M&A

In M&A, the costliest risks often hide in plain sight. A misconfigured cloud bucket, a spoofed executive, a data room accessed by the wrong hands don’t show up on the term sheet. But they can derail a deal or lead to nine-figure losses post-close.

In a recent episode of Clause and Effect, Emma Legal CEO Rick Van Esch sits down with Zsolt Fabian, founder of Threat Intelligence and Group Cybersecurity Lead at Byborg Enterprises, to unpack how cybersecurity fits into the M&A process not as an IT afterthought, but as a fundamental lever for protecting value and accelerating deals.

From ransomware attacks timed to deal announcements, to voice-cloned WhatsApp messages impersonating a CEO, Zsolt offers a behind-the-scenes look at what happens when cybersecurity is treated as optional. 

He also explains how platforms like Emma can help surface red flags early and create the structure dealmakers need to move with confidence.

The problem when cybersecurity joins the deal too late

In theory, buyers want transparency. In practice, security is still seen as a back-office task. Too many deals are structured, negotiated, and priced before anyone evaluates the technical realities.

A Gartner study found that 62% of organizations cited cybersecurity as their top concern after an acquisition. Most issues stemmed from undisclosed security breaches or inadequate integration planning.

“Security is often treated like an operational detail,” Zsolt says. “But it can move valuations by millions.”

This isn’t a hypothetical. In one deal Zsolt supported, a known security incident reduced the valuation of a $2 billion transaction by $150 million. 

In another case, a financial advisory firm received a malware-infected USB stick as a “thank you” gift from what appeared to be a reputable data room provider. The attack was timed to match the close of diligence.

These aren’t isolated stories. They’re patterns.

“Attackers know there’s money on the table,” Zsolt explains. “They monitor the headlines, they time their campaigns. And they target not just buyers and sellers, but the law firms and financial advisors involved too.”

Buyers inherit more than a business

Once the deal is signed, the buyer owns every technical misstep whether it was disclosed or not. That includes:

• Vulnerabilities in open-source software
• Outdated IT systems with no audit trail
• Poorly defined access rights across departments
• Passwords from legal advisors found on the dark web

Zsolt recounts a now-famous case: Marriott’s acquisition of Starwood Hotels. A breach in Starwood’s systems went undetected until well after the deal closed. The result? Hundreds of millions in penalties, class-action lawsuits, and a major reputational hit.

“What’s written on paper, what people say in interviews, and what’s actually true from a technical perspective, those are three very different things,” he says.

Due diligence isn’t about checking boxes. It’s about surfacing those truths before you own them.

Cybersecurity isn’t friction, it’s leverage.

Zsolt challenges the notion that involving security slows things down. If anything, it creates clarity faster.

When buyers catch issues early, they gain leverage. They can reprice. Walk away. Or demand fixes before signing.

“Handled properly, security doesn’t slow the deal,” Zsolt explains. “It speeds up the right one.”

He likens cybersecurity to trust infrastructure. Just like you’d assess a target’s legal exposure or tax position, you need to understand what could bring their operations down or put your firm in the headlines next.

That means going beyond the checklist. It means stress-testing systems, people, and processes. Sometimes even spotting the social engineering tactics already in play.

From spoofed CEOs to cloned voices

One of the most chilling moments in the podcast comes when Rick shares a personal story.

While working at a listed tech company, he received a WhatsApp message (seemingly from the CEO) urging him to connect with legal counsel about an urgent acquisition. It came with context, pressure, and timing that made it feel real.

It wasn’t.

“For a few hours, I actually believed it,” Rick says. “It felt important, exciting. But something felt off. I flagged it to IT and they confirmed it was spear phishing.”

Zsolt confirms these attacks are becoming more sophisticated. In some cases, attackers even attach cloned voice messages to make the deception more convincing.

“This isn’t fiction,” he says. “It’s the hard reality.”

How platforms like Emma are part of the solution

Cybersecurity isn’t solved by one tool. But platforms like Emma play a critical role in making it easier to surface the right risks, earlier in the process.

Emma helps legal teams:

• Map data rooms to the information request list automatically
• Run red flag checks across areas like IT, IP, and compliance
• Spot gaps in vendor agreements, indemnity clauses, or data handling terms
• Collaborate across teams without losing context or control

And when something is flagged, like a vague service-level agreement or a missing security clause, the team can assign a reviewer, add comments, and track it through to the Red Flag Report.

“Emma gives you structure,” Zsolt says. “And that structure makes it easier to involve security early and before it’s too late.”

Cybersecurity is about culture, not just controls

Still, Zsolt is quick to point out that process isn’t enough. Culture matters. “Security is everyone’s job. But everyone assumes it’s someone else’s.”

From IT to legal, from deal leads to junior analysts, the assumption is that someone else is handling security. That’s why it gets missed. That’s why attackers get in.

The companies that handle cyber risk best? They’re not the ones waving ISO certificates. They’re the ones who respond quickly, take ownership, and use real incidents as fuel for better awareness.

“When we run training sessions, storytelling works best,” Zsolt says. “Real stories make people realize it could happen to them.”

Final thoughts on cybersecurity in M&A

Cybersecurity isn’t a back-office concern anymore. It’s a deal-shaping factor that influences how transactions are priced, structured, and closed. When overlooked, it can mean the difference between a smooth exit and a costly lawsuit, or between a seamless integration and a post-close mess. But when handled early and properly, security doesn’t slow the deal down. It strengthens it.