When Business Moves Fast, Security Gets Left Behind in M&A
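Cybersecurity risks are often overlooked in corporate mergers and acquisitions, and inherited vulnerabilities are easily exploited by attackers. Business pressure pushes technical review into the background, and security teams often get involved only after the fact. Experts recommend building security assessment into due diligence to reduce the potential risks and losses that M&A brings. 2025-9-19 14:21:3 Author: securityboulevard.com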

Mergers and acquisitions (M&A) often unfold at breakneck speed, driven by business opportunity and shareholder expectations. But as Dave Lewis, global advisory CISO at 1Password, explains, cybersecurity risks are still too often left as an afterthought.

Lewis points to a recent example involving Salesforce apps and SalesLoft, where an acquired company carried unresolved security issues around OAuth tokens. Attackers quickly took advantage, highlighting how inherited vulnerabilities can turn into immediate liabilities. The story isn’t unique—it’s a pattern the industry has seen repeatedly.

So why does it keep happening? According to Lewis, business imperatives tend to outweigh technical diligence. Companies want to close deals quickly, integrate systems, and move forward without slowing down for in-depth risk assessments. Security teams are often brought in after contracts are signed, tasked with cleaning up issues that could have been avoided with proper vetting.

The challenge is that M&A introduces a perfect storm: blending different technology stacks, identity systems, and compliance requirements—all under the pressure of cultural and operational change. Without a structured approach to assessing inherited risk, organizations expose themselves to breaches, data leakage, and regulatory trouble.

Lewis stresses that security must be part of the due diligence process from the outset. That means evaluating identity management practices, reviewing access controls, and conducting threat modeling before integration begins. It also requires acknowledging that attackers monitor M&A activity closely, knowing transitions often leave cracks to exploit.

The lesson is clear: every acquisition is also an acquisition of risk. If organizations want to protect shareholder value and customer trust, cybersecurity can’t be an afterthought in the M&A process—it has to be a cornerstone.


Source: https://securityboulevard.com/2025/09/when-business-moves-fast-security-gets-left-behind-in-ma/