In this episode of The Rook, David Shaw, founder of Corvus Cybersecurity and principal vCISO, examines the most consistently overlooked risk in M&A transactions: inherited cyber exposure. From Yahoo's misrepresentation of its breach history during the Verizon acquisition to the Marriott-Starwood breach that went undetected for four years, the pattern is the same. Cybersecurity due diligence gets a questionnaire, while financial and legal diligence get exhaustive scrutiny. The result is that acquirers close deals and inherit compromised environments, undisclosed incidents, and compliance gaps that carry real remediation costs.

In this episode:

• How Yahoo's misrepresentations to Verizon held through signing, and what saved Verizon wasn't diligence
• How Marriott bought a four-year-old, undetected breach when it acquired Starwood
• Why the standard M&A cybersecurity questionnaire fails to catch material risk
• How R&W insurance carve-outs and cyber insurance pre-existing condition exclusions are changing the stakes for deal teams
• The four-stage cyber due diligence process used on the buy side, and the three-bucket model for translating findings into deal team decisions
• What sellers should be doing now to protect deal value
• Three artifacts every buyer should require, not just three questions to ask

The Rook · Corvus Cybersecurity · corvus-cyber.com · David Shaw, CISSP, GLEG