The Risk of Inherited Breaches

In the rush to close Mergers and Acquisitions (M&A), legal and financial due diligence takes priority. Lawyers scrutinize contracts, and accountants pore over the revenue numbers. However, the most explosive liability in modern M&A is hidden in the target company's AWS architecture.

Consider the famous Marriott/Starwood acquisition. Marriott acquired Starwood, unaware that Starwood's network had been compromised years prior. Marriott inherited the breach, resulting in the exposure of 500 million guest records and a £18.4 million GDPR fine. Under the Nigeria Data Protection Act (NDPA), acquiring a compromised fintech carries the exact same liability.

The 3 Pillars of M&A Security Due Diligence

When Simpa Labs is engaged by Private Equity (PE) firms or incumbent banks to evaluate a target fintech in Nigeria, we focus on three critical pillars.

1. The Codebase (Application Security)

Startups optimize for speed, which often leads to technical debt. We conduct rapid, targeted penetration testing on the target's core APIs to ensure they are not vulnerable to catastrophic business logic flaws or IDORs that would allow the immediate theft of customer funds.

2. The Infrastructure (Cloud Security)

We audit the target's cloud environments (AWS, Azure). Are their databases publicly exposed to the internet? Do they have Multi-Factor Authentication (MFA) enforced for all developers? We look for the "low-hanging fruit" that ransomware gangs exploit to gain initial access.

3. The Supply Chain (Third-Party Risk)

A fintech might have secure proprietary code, but they might rely on an outdated, vulnerable open-source library or a compromised third-party SDK. We conduct Software Composition Analysis (SCA) to identify hidden liabilities deep within the dependency tree.

Impact on Valuation and Deal Structuring

Cybersecurity due diligence is not just a checkbox; it is a negotiation lever.

Valuation Discounts

If our audit reveals that the target company's core architecture is fundamentally flawed (e.g., they store user passwords in plaintext or their API lacks basic authorization), the acquirer will have to spend significant capital to rebuild the system post-acquisition. This projected remediation cost is directly subtracted from the target's valuation.

Escrow and Indemnification

If the due diligence reveals high-risk indicators (e.g., evidence of a past, undisclosed breach), the acquirer's legal team can structure the deal to hold a percentage of the purchase price in escrow. If a breach notification occurs within 12 months post-acquisition stemming from the pre-acquisition era, the acquirer uses the escrow funds to pay the NDPC fines.

For the Founders

Preparing your Startup for Acquisition

If you are a startup founder aiming for an exit, you must proactively clean up your security debt. Commissioning regular penetration tests and maintaining a clean security posture prevents acquirers from using security flaws as an excuse to drive down your valuation during the final negotiations.

Are you acquiring a fintech or preparing your startup for an exit?

Discuss M&A Due Diligence

Frequently asked questions

What is Cybersecurity Due Diligence in M&A?

It is the process where an acquiring company (e.g., a Tier-1 Bank) assesses the security posture of a target company (e.g., a payment startup) before finalizing the acquisition, ensuring they aren't inheriting hidden data breaches or massive regulatory liabilities.

Why is a standard financial audit not enough?

Financial auditors look at the balance sheet, but they do not check if the target company's AWS root keys are hardcoded in a public GitHub repository. If you acquire a company that suffers a breach the next day, the acquiring brand absorbs the reputation damage and the NDPA fines.

What does the due diligence process entail?

It typically involves a rapid but deep-dive penetration test of the target's core APIs, an audit of their cloud infrastructure (AWS/Azure), a review of their open-source dependencies (SCA), and an evaluation of their internal security policies.

Can security due diligence affect the valuation of the target?

Absolutely. If the due diligence reveals that the target company requires $500,000 in immediate security engineering work just to meet CBN compliance standards, the acquirer will subtract that $500,000 (and the associated risk premium) from the final purchase price.

Related reading

Blog: Cost of a Data Breach · Security as a Competitive Advantage

Guides: CBN Compliance Guide · NDPA Compliance Guide

Services: Penetration Testing · Vulnerability Assessment