Chasing Entropy Podcast 021: Cybersecurity in M&A with Brian Levine

Show Notes

This week I got to sit down with Brian Levine who is a cybersecurity consultant and former U.S. DOJ cybercrime prosecutor, to unpack how security risks shape mergers, acquisitions, divestitures, and investments. We cover what really moves deal price and structure, why early cyber due diligence matters, and how to protect “Day 1” operations without blowing up the integration plan. 

Brian Levine, Cybersecurity consultant; former DOJ national coordinator for cybercrime prosecutors; founder of FormerGov, a directory connecting former government and military professionals with employers and recruiters.

Key takeaways

• Incidents move deals. Known or newly discovered breaches often pause negotiations, change terms, and drive down price—even if they don’t kill the deal.
• Do diligence in three passes:
  1. Inside-out (docs, policies, IR records, pen tests, insurance);
  2. Outside-in (OSINT, dark-web intel);
  3. Technical testing (when permitted pre-sign/close).
• Start early. The earlier you assess cyber risk, the more leverage you have to shape price, integration plans, and pre-close remediation.
• MFA, IAM, backups = table stakes. Missing basics can invalidate cyber-insurance claims and should be fixed before announcement to avoid “signal flare” attacks.
• Cloud reality check. Many targets lack visibility into their cloud posture; prioritize third-party assessments and guardrails that protect PII, IP, and operations.
• Vendor blast radius matters. Mature third-party risk management includes annual reassessments, contractual obligations, insurance checks, and vendor-involved tabletops, plus contingency (“backup vendor”) planning.
• Culture can be a blocker. If “everyone is an admin,” expect friction; design an identity plan that tightens controls without triggering mass attrition.
• Day-1 playbook, security-first. Run a compromise assessment pre-connect, harden the first systems to integrate (often O365), and sequence identity, segmentation, and logging before broad access.
• Boards should ask: What did we actually do for cyber diligence, what didn’t we do, and why? Reasonableness, and the paper trail, matters.

Notable moments

• Unearthing issues outside-in: spotting malware beacons and leaked data for sale before the target even knows.
• Regulatory context: Europe’s heavier regime (GDPR, DORA, AI rules) vs. U.S. patchwork, either way, negligence standards still bite.
• Real-world stakes: from payroll outages to healthcare delays, cyber incidents can rapidly become safety and livelihood issues.

Resources & mentions

• FormerGov, directory for former government and military professionals seeking roles in the private sector.
• Topics referenced: GDPR, DORA, MFA, IAM, immutable backups, zero-trust enclaves, dark-web monitoring, third-party risk management & vendor tabletop exercises.

About the show

Chasing Entropy goes beyond headlines, no hype, no FUD, exploring the human decisions and systemic cracks that put security to the test. Subscribe, share, and send me your questions for future episodes.