Why security due diligence is a valuation issue, not just a risk issue
Security debt in a Nigerian fintech acquisition affects deal value in concrete ways. A platform with critical API vulnerabilities requires engineering resources and downtime to remediate — a direct cost that should reduce the purchase price or create an escrow holdback. A platform that has experienced an undisclosed data breach carries regulatory liability under the NDPA 2023 — including potential fines from the NDPC and mandatory notification obligations that the acquirer inherits. A platform without a valid CBN penetration test report needs remediation before the next examiner visit — a timeline that may not align with the acquirer's integration plans.
Sophisticated acquirers — and increasingly, the Nigerian PE and VC funds that advise on fintech M&A — now include security findings in deal pricing conversations. A clean security assessment supports the seller's valuation narrative. A security assessment that surfaces significant technical debt creates grounds for price adjustment or additional representations and warranties around security costs and liabilities.
What buyer-side security due diligence covers
When we conduct security due diligence on behalf of an acquirer, we examine six areas:
Architecture and threat model review: We map the target's technology stack, data flows, and trust boundaries. We identify the highest-risk data stores, the most exposed API endpoints, and the security controls (or absence thereof) at each layer. This produces a risk-ranked architecture assessment that tells the acquirer exactly where the security exposure is concentrated.
Penetration testing of critical systems: We conduct targeted penetration testing of the target's highest-risk systems — typically the payment API, the admin panel, the mobile application, and the cloud infrastructure. We are looking for critical and high-severity vulnerabilities that would affect deal terms if disclosed in negotiations.
Compliance gap analysis: We assess the target's compliance posture against CBN's Risk-Based Cybersecurity Framework, the NDPA 2023, and any other applicable regulatory requirements. We document which requirements are fully met, which are partially met, and which are not met — with a remediation cost estimate for each gap.
Incident history review: We review the target's security incident log, breach history, and any regulatory correspondence related to security. Undisclosed past breaches are a material representation risk. We use technical forensics where log evidence is available to confirm the completeness of the disclosed incident history.
Third-party and vendor risk: We assess the security posture of the target's critical technology vendors — payment processors, BaaS providers, cloud infrastructure, and software tools. The acquirer inherits the target's vendor relationships and the risk associated with them.
Security team and process assessment: We evaluate the target's internal security capability — whether a security function exists, what processes are in place, and whether the team can be retained or must be replaced or supplemented post-acquisition.
What seller-side security preparation covers
Sellers who engage us before entering an M&A process benefit from knowing what a buyer's diligence team will find. We conduct the same assessment from the seller's perspective and produce findings organized by: issues that must be remediated before a buyer sees them (critical and high findings that would create deal risk), issues that can be disclosed with remediation plans (medium findings that a buyer will expect to see addressed in the integration plan), and findings that confirm the platform's security maturity (controls that compare favorably to market standard).
Specific Nigerian considerations in fintech M&A security
Several Nigeria-specific factors affect fintech M&A security due diligence and are not covered by international due diligence frameworks:
- CBN licence transferability: A CBN licence does not automatically transfer in an acquisition. The regulatory approval process can reveal security gaps the acquirer was not expecting to address. We assess what security improvements are required to satisfy CBN's licence transfer review.
- NIMC and BVN data custody: The target's BVN and NIN data must be protected under the NDPA 2023. Data custody rights and obligations are a legal transfer issue but the technical security controls around that data are a security due diligence issue. We assess whether the target's data protection controls meet the standard required for the acquirer to hold the data lawfully.
- Customer fund liability: For targets that hold customer wallet balances, we assess the segregation controls between customer funds and operating capital, and the technical controls that prevent unauthorized access to customer funds. Inherited fund liability is both a financial and regulatory risk.
Undisclosed data breach discovered during pre-closing security review
We were engaged by a Lagos-based PE fund conducting due diligence on a Nigerian lending fintech. During our review of the target's application logs, we identified evidence of a successful API exploitation that had occurred eight months prior. Customer PII including BVN and bank account numbers had been accessed by an external party. The incident had not been disclosed to the seller's management, had not been reported to CBN or the NDPC as required, and was not mentioned in any of the seller's data room representations. The buyer's legal team used our findings to renegotiate the purchase price, require a specific indemnification for regulatory liability arising from the undisclosed incident, and establish an escrow holdback pending confirmation that the NDPC reporting obligation was fulfilled post-closing. The security review, which cost a fraction of the deal value, protected the acquirer from an unquantified and undisclosed regulatory liability that could have exceeded the security assessment cost many times over.
Acquiring or being acquired? Get security due diligence that protects the deal and surfaces liabilities before they close.
Book M&A Security Due DiligenceFrequently asked questions
At what stage of an M&A process should security due diligence happen?
Security due diligence should begin at the same time as financial and legal due diligence — after a term sheet is signed and access to the data room is granted. Conducting security due diligence in parallel with financial due diligence ensures that material security findings can be factored into final deal pricing and representations and warranties before the transaction closes.
What happens if a security issue is found after the deal closes?
Post-closing discovery of material security issues creates both operational and legal complications. The acquiring entity has inherited the liability. Depending on the representations and warranties agreed in the purchase agreement, the acquirer may have a claim against the seller — but exercising that claim requires litigation. Prevention through pre-closing due diligence is significantly cheaper than post-closing remediation combined with potential legal action.
What does the seller get from pre-sale security due diligence?
A seller who conducts their own pre-sale security assessment (also known as a vendor security assessment) gains four advantages: they know what a buyer's diligence team will find, they can remediate issues before they become deal risks, they can present a clean security posture as part of the deal narrative, and they avoid having a buyer use undiscovered security issues as leverage for price reduction during negotiations.
How long does fintech security due diligence take?
A comprehensive security due diligence engagement for a Nigerian fintech typically takes 2 to 4 weeks depending on the complexity of the technology stack, the number of systems, and the level of access provided. We can produce an executive summary within the first week for board and investor communication, with the full technical report following within the complete timeline.
Related reading
Blog: Security due diligence in fintech acquisitions · CBN licence security requirements · Why investors demand pentests
Services: Penetration testing · Secure architecture review