Mergers in South Africa often overlook cyber due diligence, risking undisclosed liabilities and hidden costs that can significantly impact the acquired organisation's value and security posture.
The uncomfortable truth in any merger or acquisition is that you are not just buying an organisation's future cash flows; you are buying its history. That includes the risks it has recorded, the risks it has ignored, and, most dangerously, the risks it doesn't even know it is carrying.
In South Africa, mergers and acquisitions (M&A) activity is already governed by a rigorous compliance framework. From the Companies Act and Competition Act to BBBEE considerations and labour obligations, due diligence is a multidisciplinary exercise that local boards take seriously. Yet, a critical component is frequently treated as an afterthought: cyber due diligence.
Post-Steinhoff, governance, solvency and operational controls have rightly become non-negotiables for South African investors and boards. However, cyber risk does not present itself like a debt schedule or a disputed contract. It hides in the shadows of an organisation's infrastructure: in loose identity controls, forgotten administrator accounts, unsupported software and unmanaged endpoints.
For acquirers, the danger is that traditional financial and legal due diligence often fails to uncover these toxic assets until the deal is signed and the networks are connected.
The visibility deficit
The primary challenge is a lack of visibility. Many organisations simply do not...