WOODLANDS ADVISORY
M&A Security · 12 min

The €4 million question — how cyber due diligence moves the purchase price

On a €120M target, a properly run cyber due diligence moves €2.4–9.6M of purchase price in expectation. Verizon–Yahoo cost 7.25% of EV. Marriott–Starwood showed what the missing DD costs. An analytical framing with the primary sources behind the claim.

"What if I could take 4 million off your next acquisition price — before you sign?"

This question sits at the centre of every cyber-DD mandate we run at Woodlands. It is not hyperbole. It is conservative. On a typical DACH mid-market target with €120M Enterprise Value, a properly run cyber due diligence moves between €2.4M and €9.6M of purchase price in expectation. The four million sit cleanly in the lower third of that range.

This article is the analytical foundation behind that line. It names the documented precedents, quantifies the breach economics through the established industry-standard reports, describes the underwriter mechanics from practice, and shows the calculation for a €120M target in detail. Every figure cited here is backed by an institutional or regulatory primary source.

1. The documented case — Verizon ↔ Yahoo (2017)

If anyone asks whether cyber findings actually move the purchase price, pointing to a single deal is enough.

  • July 2016: Verizon announces the acquisition of Yahoo's core business for $4.83 billion.
  • September 2016: Yahoo discloses a 2014 breach — 500 million accounts.
  • December 2016: Yahoo discloses an additional 2013 breach — initially 1 billion, later revised to 3 billion accounts.
  • 21 February 2017: The parties agree on a $350 million reduction of the purchase price. Final price: $4.48 billion. They also agree to share certain future third-party litigation and non-SEC regulatory costs equally, while liabilities from SEC investigations and shareholder lawsuits remain with Yahoo alone.

Effective movement: $350M on $4.83B, roughly 7.25% of Enterprise Value. Documented. Public. SEC-filed.

The case durably changed M&A practice. It is now a standard reference in due-diligence training at major PE houses and investment banks — and the reason R&W underwriters began building cyber carve-outs into their policies from 2018 onwards.

Primary sources: SEC 8-K Yahoo (21.02.2017), coverage at TechCrunch and CNN Money.

2. The counter-case — Marriott ↔ Starwood (2016/2020)

Verizon–Yahoo shows what cyber DD moves when it runs between signing and closing. Marriott–Starwood shows what the missing DD costs.

  • 2016: Marriott acquires Starwood Hotels for $13 billion.
  • September 2018: Marriott discovers a breach in the Starwood reservation system. The attack had been running since 2014 — long before the acquisition.
  • Exposure: roughly 339 million guest records worldwide according to the ICO, including around 30 million relating to residents of the EEA.
  • October 2020: The UK Information Commissioner's Office (ICO) imposes a fine of £18.4 million (originally announced: £99.2 million).

The ICO finding that matters for this discussion, as quoted in the Mishcon de Reya and Herbert Smith Freehills write-ups:

"Despite undertaking due diligence, these historic issues had not been discovered."

In other words: Marriott did run due diligence. But the diligence that was run was not capable of uncovering the cyber problems that had been sitting in the Starwood network since 2014. That is exactly the limit of classical M&A DD that treats cyber as a compliance checklist instead of a technically understood risk analysis.

The downstream costs run far beyond the ICO fine. Marriott has since disclosed multiple US class actions, a $52 million settlement with 49 US state attorneys general and the District of Columbia (October 2024, announced alongside a parallel FTC consent order), and continuing investigation, forensics and remediation expenses. Aggregate documented exposure sits in the high nine to low ten figures USD, depending on which litigation and remediation items are counted.

Primary sources: ICO penalty coverage at Mishcon de Reya, Herbert Smith Freehills, Debevoise & Plimpton, and the Marriott investor notice.

3. Breach economics — what an incident costs is quantifiable

A price adjustment in an M&A deal is nothing other than the up-front internalisation of expected breach costs. Those costs are publicly quantifiable through two annual industry-standard reports.

IBM / Ponemon: Cost of a Data Breach Report 2024

Based on the analysis of 604 organisations worldwide that suffered a breach in the study period:

  • Global average: $4.88 million per incident — the highest value ever measured, with the largest year-on-year increase since the pandemic.
  • Germany: $5.31 million per incident. This places Germany among the top five most expensive countries and regions globally for data incidents.
  • Sector peaks: Healthcare $9.77M, Financial Services $6.08M.

This figure is a conditional expectation: what an incident costs once it has happened. Multiply it by the probability the DD assigns to a finding actually materialising as a breach and you have the expected loss the SPA negotiation is pricing. For the negotiation it means: if the DD identifies a concrete vulnerability with a substantive probability of leading to a breach, $5M is the anchor figure for the underwriter conversation.

Primary source: IBM Newsroom — 2024 edition release (30.07.2024) and IBM Cost of a Data Breach Report (main).

Verizon Data Breach Investigations Report (DBIR) 2024

The most granular public breakdown of actual breach vectors — DBIR 2024, based on more than 30,000 analysed security incidents:

  • 68% of all breaches involve a human element (phishing, misuse, error). The value has been remarkably stable for years.
  • 15% of all breaches involve a third-party vector, a 68% increase year-on-year. Driver named in the report: the MOVEit file-transfer exploitation wave.
  • Exploitation of vulnerabilities as the initial access vector roughly tripled year-on-year, while organisations took around 55 days to remediate half of their critical vulnerabilities once a patch was available. Patch hygiene has become a measurable valuation question.

Primary source: Verizon 2024 Data Breach Investigations Report and Verizon news release on DBIR 2024.

ENISA and BSI — the EU context

The EU cybersecurity agency ENISA and the German federal information-security authority (BSI) confirm the picture in their annual landscape reports. The ENISA Threat Landscape continues to flag ransomware and supply-chain attacks as the dominant threats for the EU; the BSI Lagebericht for the first time classifies the German threat picture as worrying throughout, with particular emphasis on SMB exposure and supply-chain paths.

4. R&W insurance — where cyber findings get priced

Representations & Warranties (R&W) insurance is now standard in the majority of institutional mid-market deals. It is the point at which cyber findings get a concrete price.

The underwriter mechanics have been well-rehearsed since the Verizon–Yahoo precedent:

  1. Carve-out / exclusion in the policy wording — cyber risks are then simply not covered by the R&W. The buyer has to negotiate a separate, typically more expensive cyber-specific indemnity or escrow.
  2. Higher retention (self-insured threshold) — the buyer carries more loss before the policy responds.
  3. Specific indemnity demand — the underwriter forces the buyer to write a specific seller indemnity into the SPA. This lands directly in the purchase-price negotiation.

Marsh and Aon — the two dominant R&W brokers — document cyber as a growing driver of claims and policy adjustments in their annual transaction-risk reports. Anyone who has ever spoken with an underwriter about a tech target carrying an open RDP port and a known CVE in the auth service knows the mechanic.

5. The €120M calculation in detail

The industry numbers and documented precedents translate to a typical DACH mid-market target of €120M Enterprise Value as follows:

  • Identity-stack sprawl (e.g. the 2024 Snowflake pattern of stolen credentials on accounts without MFA, leaked OAuth tokens, missing MFA on admin accounts): 1–5% EV, i.e. €1.2–6.0M. Mechanic: remediation + underwriter carve-out.
  • Vendor concentration / supply chain (single-vendor risk such as the Change Healthcare cluster 2024): 2–4% EV, i.e. €2.4–4.8M. Mechanic: R&W exclusion + specific SPA indemnity.
  • Crown-jewel / code exposure (critical CVE, exposed secrets, source-code leaks): 3–8% EV, i.e. €3.6–9.6M. Mechanic: walkaway risk or structural SPA restructure.

Taken together and conservatively (the three categories overlap and rarely all materialise in one deal, so the bands are not simply summed): 2–8% EV → €2.4–9.6M of price movement in expectation. The claimed "4 million off" sits in the lower third of that interval, below the midpoint of €6.0M rather than above it.

The investment-to-leverage ratio

  • Cyber-DD investment pre-close: in the range of €25,000–€60,000 for a focused mid-market audit (varies with scope, tech stack and geography).
  • Expected value of the price movement: €2.4–9.6M on a €120M target.
  • ROI factor: 40× to 380× (€2.4M against €60,000 at the low end, €9.6M against €25,000 at the high end).

Few workstreams in a due-diligence process have a leverage so clearly quantifiable and so clearly documented.

6. The "found nothing" outcome — the buyer still wins

The uncomfortable truth of cyber DD: even the mandates where we find nothing material are value-determining.

Concretely, "nothing material" means:

  • A faster close. No last-minute renegotiation loop after the closing memo, no re-underwriting of the R&W policy, no nervous co-investor.
  • Cheaper acquisition financing. Lenders accept a clean cyber status as risk mitigation — which feeds into spread and covenants.
  • A year one without the cyber incident that breaks the synergy thesis. Most post-close cyber events are not bad luck — they are the consequence of what the DD did not see.

In each of those outcomes, the DD investment has already paid for itself — before we get to the deals where 4, 6 or 8 million ended up in the SPA.

7. Why Woodlands

We are not generalists. We are a boutique with a sharp specialism: cyber due diligence for institutional capital in DACH.

What separates us from the majority of DD providers:

  • Founder-owned mandates. Every engagement is owned by the founder — Fabian Hausner, currently SAP Global Security Advisory Lead. Operational threat-intelligence responsibility inside one of Europe's largest software companies feeds directly into the assessment logic of every mandate. Delivery is run by a curated team of senior practitioners across cloud, identity, AppSec and compliance — no outsourcing, no junior substitution.
  • Buy-side M&A integration experience. Hausner was part of the SAP integration team for the Signavio acquisition and operationally owned the cyber-integration workstream. What we look for in DD, we know from the post-close reality.
  • A technology and advisory network that scales when the scope demands it. Implementation partnerships with Vanta, Kertos and Aikido cover GRC automation and application security. Law-firm partners for engagement letters and regulatory questions; external forensics teams for incident response on call — structurally embedded, not improvised ad hoc.
  • Investor-grade governance. Markel Insurance SE — €5M cyber and professional liability coverage. HRB 756933 AG Mannheim. Procurement-ready for the largest PE houses in DACH.
  • Capacity-disciplined. We take a clearly bounded number of mandates per quarter. That is not a marketing pose — it is the precondition for every mandate to receive the depth an investment-relevant finding deserves.

We are the boutique you call when the LOI is supposed to be signed in the next briefing slot and the cyber workstream in the standard DD set-up isn't catching. We deliver technically defensible findings — not compliance-theatre PDFs.

Initial consultation

If you have a concrete transaction in mind and want to assess whether a cyber-DD mandate fits your set-up, book a 20-minute initial consultation. No obligation, confidential, peer-to-peer.


For those who prefer the live format: on 15 July 2026, 16:30 CET we are running a confidential briefing on exactly this subject for PE, VC, family-office and M&A-advisory decision-makers. Cyber Due Diligence in M&A — webinar details.
