Microsoft Secure Score is no longer just a number used by the Security Operations Center (SOC).
It has now become part of the deal conversation.
In many M&A deals today, private equity (PE) buyers are setting a minimum Secure Score directly in the term sheet.
If the score is too low, it can affect the deal, through a price reduction, an escrow holdback, or a requirement for the seller to fix issues before closing.
For example, one PE firm includes a fixed minimum Secure Score in every deal.
If the target company falls short, the gap is calculated as a cost.
The buyer then decides whether to reduce the price, hold back money in escrow, or ask the seller to fix the issues before signing.
This approach is starting to spread. Other PE firms are watching closely, and even strategic buyers are beginning to adopt it.
If you’re involved in the deal, whether as a CISO, part of the corporate development team, or a lawyer, Secure Score is now a number you need to pay attention to.
But it’s not just the score itself. The details behind it matter just as much.
Things like MFA coverage, past breaches, unused privileged accounts, legacy authentication, unmanaged devices, PIM maturity, and cyber insurance all play a role.
These are not just technical details anymore.
Each of them can show up in the deal, as part of the term sheet, the agreement, escrow terms, or even insurance requirements.
- Pre-deal vs. post-signing – read the right article
- Why Secure Score works as a deal-term lever
- What you can actually get pre-signing
- The eight findings that drive the Secure Score – and what each one costs you
- A pre-deal Secure Score data-room request – copy this list
- Walk-away triggers – when the Secure Score story kills the deal
- CISO bottom line
- Further reading
Pre-deal vs. post-signing – read the right article
This is a pre-signing piece. If you’re already past signing and operationalizing identity and MFA during cutover, read the companion posts Identity and Access Risks in M&A Migration and Microsoft 365 Migration Risks: Identity, MFA, Devices & Apps.
Everything below assumes the ink isn’t dry yet.
Why Secure Score works as a deal-term lever
Secure Score is not the most advanced or detailed security metric, and that’s not why it’s being used.
It works because it’s simple, consistent, and easy to defend.
Deal teams need one number they can explain in a partner meeting or on an insurance call, without needing a deep technical discussion.
That’s why Secure Score is becoming the “go-to” cyber number in deal terms.
Here’s what makes it useful:
- It converts easily into cost – Each improvement action comes with an effort estimate. Once you attach a remediation cost to it, the gap becomes a number that can be used in the deal, whether as a price adjustment, an escrow, or a pre-close fix.
- It’s one clear, defensible number – A score (for example, 412 vs a target of 680) is easy to carry across the entire deal process, from internal approvals to legal agreements to insurance discussions.
- It’s not controlled by either side – Since the methodology comes from Microsoft, both buyer and seller can rely on it. This helps avoid long debates and speeds up decision-making.
The flip side
Secure Score is a point-in-time snapshot, not a full history.
Microsoft only shows recent trends (around 90 days).
So during a deal you may see the current score, but not how it got there.
To get a better view, buyers should ask for a 12-month trend.
If the seller has tracked it, this data may be available in tools like SharePoint, Excel, or a SIEM system.
Benchmark:
Secure Score is reported both as points achieved out of points available and as the resulting percentage. Operator guidance generally treats anything above 80% as an “excellent” Secure Score, 60–80% as mid-range, and below 60% as a material control gap. A term-sheet threshold set 20 percentage points above the current score typically aims to push a mid-range target into the top band before close.
What you can actually get pre-signing
In most deals, IT due diligence happens without direct access to the company’s Microsoft 365 environment.
Buyers are usually not given any role in the tenant, not even read-only ones like Global Reader or Security Reader.
So they can’t log in and check things themselves.
Instead, they depend on what the seller provides, such as:
- Data room documents
- License details
- Secure Score summaries
- Discussions with the seller’s IT team
Because of this, buyers typically cannot run tools themselves like Compliance Manager, Purview, or even Secure Score.
These tools require admin-level access, which is rarely shared before signing.
So, the entire Secure Score analysis depends on structured information provided by the seller.
In higher-risk deals, there’s another approach.
A neutral third party (under NDA) may be brought in to review the environment and share the findings with the buyer. This is often called a clean team model.
It’s also important not to rely only on what the seller shares.
Buyers should cross-check with external sources like:
- Public breach records
- Regulatory filings
- Employee reviews that may reflect IT practices
The eight findings that drive the Secure Score – and what each one costs you
Secure Score is the headline. Sitting underneath it are eight specific findings, each with its own deal-term implication. This is where the CISO earns a seat at the term-sheet table.
1. The Secure Score gap
What to request
Ask the seller for:
- Current Secure Score
- Microsoft’s target score
- Full list of improvement actions
- 12-month score history (if available)
How to estimate the cost
Start with the top 10 improvement actions.
For each action, calculate:
- Engineering effort (hours × hourly rate)
- Plus any required licensing costs
Licensing may include tools like Defender, Entra ID P2 (for PIM), or other Microsoft security upgrades.
The total gives you a remediation budget for improving the Secure Score.
Example:
Let’s say the company has a score of 412, while the target is 680.
Focusing on key actions (like PIM, MFA, and removing legacy authentication):
- Engineering effort: ~160 hours × $185/hour = $29.6K
- Licensing (Entra ID P2 for one year): $24K
👉 Total remediation cost: $53.6K
This number can directly influence the deal, as an escrow amount, a price reduction, or a requirement for the seller to fix issues before closing.
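The estimate above is one pass through the arithmetic. The version a buyer actually wants is the same calculation run over the whole improvement-action list, so that the budget is the cheapest set of actions that closes the gap and any non-negotiable item (admin MFA) is always included. The following Python is an added example for this piece, not Microsoft tooling: the action titles and point values are a constructed sample in the shape of a Secure Score improvement-actions export, and the hours, the $185 blended rate and the Entra ID P2 uplift are the buyer's own assumptions. It goes beyond the text by also reporting the shortfall when every action together still cannot reach the threshold, which is the case where the gap becomes a deal-structure question rather than an engineering one.

```python
"""Turn a Secure Score improvement-action list into a remediation budget.

Added example for this article, not Microsoft tooling. The action list is a
constructed sample: titles and point values mirror the rows a seller can
export from the Secure Score improvement-actions view, while the hours, the
hourly rate and the licence uplift are the buyer's own assumptions.
"""
from dataclasses import dataclass

HOURLY_RATE = 185.0  # assumed blended engineering rate, USD


@dataclass(frozen=True)
class Action:
    title: str
    points: int             # Secure Score points gained when the action is completed
    hours: float            # estimated engineering effort to complete it
    licensing: float        # annual licence uplift it needs, 0 if already licensed
    mandatory: bool = False  # must be done before signing regardless of cost

    @property
    def cost(self) -> float:
        return self.hours * HOURLY_RATE + self.licensing

    @property
    def points_per_dollar(self) -> float:
        return self.points / self.cost if self.cost else float("inf")


@dataclass
class Plan:
    actions: list
    projected: int   # score after the chosen actions
    cost: float      # total remediation budget for them
    shortfall: int   # points still missing after every action is taken, else 0


# Constructed sample export; point values and effort are illustrative only.
ACTIONS = [
    Action("Require MFA for administrative roles", 10, 16, 0, mandatory=True),
    Action("Block legacy authentication", 8, 24, 0),
    Action("Use Privileged Identity Management for admin roles", 9, 80, 24_000),
    Action("Enable Conditional Access sign-in risk policy", 7, 40, 0),
    Action("Remove dormant privileged accounts", 5, 6, 0),
    Action("Ensure all users can complete MFA", 9, 60, 0),
]


def plan_remediation(actions, current, target):
    """Greedy budget: mandatory actions first, then the rest by points per
    dollar, until the projected score reaches the target. Greedy by ratio is
    the usual diligence triage, not a guaranteed minimum-cost set."""
    ordered = sorted(actions, key=lambda a: (not a.mandatory, -a.points_per_dollar))
    chosen, score, cost = [], current, 0.0
    for a in ordered:
        if score >= target and not a.mandatory:
            break
        chosen.append(a)
        score += a.points
        cost += a.cost
    return Plan(chosen, score, cost, max(0, target - score))


if __name__ == "__main__":
    plan = plan_remediation(ACTIONS, current=412, target=440)
    for a in plan.actions:
        print(f"{a.title:<55} +{a.points:>2} pts  ${a.cost:>9,.0f}")
    print(f"projected {plan.projected}, budget ${plan.cost:,.0f}, shortfall {plan.shortfall}")
```

With the sample list and a constructed 412-to-440 gap the plan takes the mandatory admin-MFA action, then the three cheapest actions per point, and stops at 442 for $15,910; raising the target to 500 exhausts the list at 460 with a 40-point shortfall, which is the number to hand to the deal team as an escrow or repricing conversation rather than a work order.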
How this shows up in the deal
From least to most protection for the buyer:
- Seller fixes before closing – The seller completes the improvements before closing and the buyer verifies them. No financial adjustment needed.
- Escrow after closing – The buyer holds back an amount based on the estimated cost and uses it if needed.
- Price reduction – The deal value is reduced upfront based on the remediation cost.
2. MFA coverage gaps
Microsoft has been pushing MFA (multi-factor authentication) for years, but most environments still have gaps.
Common examples include:
- Executives excluded for convenience
- Service accounts not covered by MFA
- Contractor accounts left inactive after offboarding
- Legacy authentication still enabled for certain use cases
What to request
Ask the seller for:
- MFA registration report (who is registered, with which methods, and whether MFA is enabled or enforced for each user)
- Conditional Access policy details (where MFA is actually required)
- Legacy authentication sign-in reports
The non-negotiable rule
Any admin or privileged account without MFA must be fixed before signing.
This is not something to leave for later.
Why this matters for the deal
Cyber insurers now expect clear MFA coverage, especially for privileged accounts.
If there are gaps:
- Insurance premiums may increase
- Policy renewals may become difficult
- Claims could be challenged after an incident
In regulated industries, this can also lead to compliance risks.
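A Conditional Access export is where the "where MFA is actually required" question gets answered, and it is also where the executive carve-outs and report-only policies hide. The following Python is an added example for this piece, not Microsoft code: it reads policies in the shape returned by the Microsoft Graph conditionalAccess/policies endpoint and reports whether MFA is enforced (not merely report-only) for Global Administrators and for all users, which users and groups are excluded from those policies, and whether an enabled policy blocks the two legacy client types. The policy names and the excluded object ids are constructed; the Global Administrator role template id is Microsoft's published value.

```python
"""Audit a Conditional Access policy export for real MFA coverage.

Added example for this article, not Microsoft code. The policies are a
constructed sample in the Graph conditionalAccess/policies shape; names and
excluded object ids are made up. GLOBAL_ADMIN_ROLE is Microsoft's published
role template id.
"""
import json

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
BREAK_GLASS_ID = "c0ffee00-0000-4000-8000-000000000001"   # constructed user object id
EXEC_GROUP_ID = "c0ffee00-0000-4000-8000-0000000000e1"    # constructed group object id
ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}     # the two legacy-auth client buckets


def _policy(name, state, controls, include_users=(), include_roles=(),
            exclude_users=(), exclude_groups=(), client_types=("all",)):
    """Build one policy in the Graph conditionalAccess/policies shape."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users), "excludeUsers": list(exclude_users),
                      "includeGroups": [], "excludeGroups": list(exclude_groups),
                      "includeRoles": list(include_roles), "excludeRoles": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": list(client_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


SAMPLE_EXPORT = json.dumps([  # constructed data-room export
    _policy("CA001 Require MFA for admins", ENFORCED, ["mfa"],
            include_roles=[GLOBAL_ADMIN_ROLE], exclude_users=[BREAK_GLASS_ID]),
    _policy("CA002 Require MFA for all users", REPORT_ONLY, ["mfa"],
            include_users=["All"], exclude_groups=[EXEC_GROUP_ID]),
    _policy("CA003 Block legacy authentication", "disabled", ["block"],
            include_users=["All"], client_types=["exchangeActiveSync", "other"]),
])


def load_policies(text):
    return json.loads(text)


def _users(p):
    return p.get("conditions", {}).get("users", {})


def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def targets_role(p, role_id):
    """A role is in scope if the policy covers all users or lists the role,
    and does not exclude it."""
    u = _users(p)
    if role_id in u.get("excludeRoles", []):
        return False
    return "All" in u.get("includeUsers", []) or role_id in u.get("includeRoles", [])


def requires_mfa(p):
    g = p.get("grantControls") or {}
    return "mfa" in _controls(p) or g.get("authenticationStrength") is not None


def covers_all_apps(p):
    apps = p.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def exclusions(p):
    u = _users(p)
    return u.get("excludeUsers", []) + u.get("excludeGroups", [])


def mfa_coverage(policies, role_id=None):
    """Split MFA policies covering all apps into enforced vs report-only,
    for one role or (role_id None) for the whole user population."""
    enforced, report_only = [], []
    for p in policies:
        if not (requires_mfa(p) and covers_all_apps(p)):
            continue
        if role_id is None:
            if "All" not in _users(p).get("includeUsers", []):
                continue
        elif not targets_role(p, role_id):
            continue
        if p["state"] == ENFORCED:
            enforced.append(p)
        elif p["state"] == REPORT_ONLY:
            report_only.append(p)
    return enforced, report_only


def legacy_auth_blocked(policies):
    """True only if an enabled policy blocks both legacy client types for everyone."""
    for p in policies:
        client_types = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (p["state"] == ENFORCED and "block" in _controls(p)
                and "All" in _users(p).get("includeUsers", [])
                and LEGACY_CLIENT_TYPES <= client_types):
            return True
    return False


def audit(policies):
    admin_enf, admin_ro = mfa_coverage(policies, GLOBAL_ADMIN_ROLE)
    all_enf, all_ro = mfa_coverage(policies)
    return {
        "admin_mfa_enforced": bool(admin_enf),
        "admin_mfa_exclusions": sorted({x for p in admin_enf for x in exclusions(p)}),
        "all_users_mfa_enforced": bool(all_enf),
        "mfa_report_only": list(dict.fromkeys(p["displayName"] for p in admin_ro + all_ro)),
        "legacy_auth_blocked": legacy_auth_blocked(policies),
    }


if __name__ == "__main__":
    print(json.dumps(audit(load_policies(SAMPLE_EXPORT)), indent=2))
```

On the sample the admin policy is enforced but carries one excluded account (resolve it against the privileged-role export: a documented break-glass account is acceptable, an executive is not), the all-users policy exists only in report-only mode so it contributes nothing to insurance answers, and the legacy-auth block is present but disabled, which is exactly the pattern that makes a tenant look covered in a screenshot and uncovered in a claim.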
3. Breach and security-incident history
This is one of the hardest risks for buyers to uncover.
Past security incidents usually don’t appear in standard reports or configuration data.
If an incident didn’t require formal disclosure, it may never show up in the data room.
That means a company could have experienced:
- Successful phishing attacks
- Attempted ransomware incidents
- Business email compromise
- Insider threats
- Or serious near-misses
without clearly sharing them during diligence.
This doesn’t mean these incidents don’t matter.
It just means you won’t find them unless you ask directly.
What to request and check
- Include incident history as a clear requirement in the SPA
- Ask for 24 months of SOC incident summaries
- Request Microsoft Defender for Office 365 incident history
- Speak directly with the CISO, not just the CIO (they often have different visibility and perspectives)
- Cross-check using public breach databases
4. Dormant privileged credentials – the Marriott pattern
Dormant privileged credentials are a serious hidden risk a buyer can inherit during an acquisition. The Marriott/Starwood breach is the well-known case: attackers had access to Starwood’s reservation systems from 2014, that access survived Marriott’s 2016 acquisition untouched, and it was not discovered until 2018. The buyer inherited the attacker along with the environment.
The same risk often exists in Microsoft 365 environments. In Entra ID, privileged roles are not automatically cleaned up. If no one actively removes them, old access can remain in place for a long time.
This means people who no longer work for the company, such as former employees, ex-contractors, guest users, or outdated service accounts, may still have high-level permissions like:
- Global Administrator
- Exchange Administrator
- SharePoint Administrator
- Security Administrator
- Power Platform Administrator
- or other custom admin roles
Even if they left the business long ago.
What to request
Ask for an export of all privileged role assignments.
For each privileged identity, request:
- last sign-in date,
- MFA status,
- account type: user, service principal, or guest,
- assigned role,
- and business justification.
The hard rule: Any Global Administrator account that has not been used in the last 30 days should be:
- reviewed immediately, and
- either removed, downgraded, or justified before signing the deal.
5. Legacy authentication still enabled
Microsoft disabled Basic authentication for most Exchange Online protocols between late 2022 and early 2023, but the problem is not fully gone.
Some old access methods are still active, such as:
- SMTP AUTH, which was exempted from that shutdown and can still be enabled per tenant or per mailbox
- Hybrid Exchange (on-prem + cloud) setups, where the on-premises servers still accept Basic authentication
- Third-party apps using hardcoded usernames/passwords
Why this is risky:
These old methods do not support MFA (Multi-Factor Authentication).
So, attackers can log in using just a password, making it a major account takeover risk.
What to request. Sign-in logs filtered for legacy authentication, broken out by user, application, and IP range.
Deal-term mechanics. Ideally, the seller should turn off all remaining legacy (old) authentication methods before the deal is signed. If that is not possible, the cost to fix these issues later should be included in the security improvement budget after the deal closes.
6. Unmanaged device inventory and BYOD exposure
Intune-managed device counts rarely reflect the full population of devices touching tenant data. BYOD (Bring Your Own Device), contractor devices, and legacy endpoints that never enrolled form an unmanaged estate, and it has to be priced into both migration planning (every device takes an unjoin and rejoin cycle post-close) and security-posture pricing.
What to request:
- Intune-enrolled device inventory.
- Entra ID joined-device inventory.
- Conditional Access sign-in logs filtered for devices accessing tenant data that aren’t enrolled.
The gap between (Intune + Entra-joined) and (devices actually signing in) is your unmanaged-device estate. That number drives inherited security exposure and the cutover ticket spike when MFA re-registration, device re-enrollment, and SSO breakage all hit at once.
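Findings 5 and 6 are answered from the same artifact, a sign-in log export, so one script serves both. The following Python is an added example for this piece, not Microsoft code: the records are a constructed sample using the field names of Entra ID sign-in logs (userPrincipalName, appDisplayName, clientAppUsed, ipAddress, status.errorCode, deviceDetail), the users, addresses and device ids are made up, and the managed-device inventory is a constructed stand-in for the Intune plus Entra-joined export. It produces the legacy-authentication breakdown by user, application and source prefix, and the unmanaged-device estate as the difference between devices seen signing in and devices in the inventory.

```python
"""Mine a sign-in log export for legacy-protocol usage and unmanaged devices.

Added example for this article, not Microsoft code. SIGNINS is a constructed
sample in the shape of Entra ID sign-in log records; MANAGED_DEVICE_IDS is a
constructed stand-in for the Intune + Entra-joined inventory.
"""
import ipaddress
from collections import Counter

# Entra reports these two client types for modern authentication; every other
# clientAppUsed value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# Other clients, ...) is a legacy protocol that cannot complete MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def _rec(upn, app, client, ip, device_id="", os_name="", managed=False, error=0):
    """One sign-in record; errorCode 0 is a successful sign-in."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "ipAddress": ip, "status": {"errorCode": error},
            "deviceDetail": {"deviceId": device_id, "operatingSystem": os_name,
                             "isManaged": managed}}


SIGNINS = [  # constructed sample export
    _rec("alice@contoso.com", "Office 365 Exchange Online", "IMAP4", "203.0.113.10"),
    _rec("alice@contoso.com", "Office 365 Exchange Online", "IMAP4", "203.0.113.11"),
    _rec("svc-scanner@contoso.com", "Office 365 Exchange Online", "Authenticated SMTP", "198.51.100.7"),
    _rec("bob@contoso.com", "Office 365 SharePoint Online", "Browser", "203.0.113.50",
         "dev-0001", "Windows 11", True),
    _rec("carol@contoso.com", "Microsoft Teams", "Mobile Apps and Desktop clients", "192.0.2.9",
         "dev-0002", "iOS"),
    _rec("dave@contoso.com", "Office 365 SharePoint Online", "Browser", "192.0.2.20", "", "Windows 10"),
    _rec("eve@contoso.com", "Office 365 Exchange Online", "POP3", "203.0.113.12", error=50126),
]
MANAGED_DEVICE_IDS = {"dev-0001"}  # constructed Intune + Entra-joined inventory


def ip_prefix(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so one office or
    one cloud tenant shows up as a single row."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def succeeded(rec):
    return rec["status"]["errorCode"] == 0


def legacy_auth_summary(signins):
    """Successful legacy-protocol sign-ins counted per user, app, protocol and
    source prefix, most frequent first. Failed attempts are left out: they show
    who is attacking the legacy endpoints, not who depends on them."""
    counts = Counter()
    for r in signins:
        if succeeded(r) and r["clientAppUsed"] not in MODERN_CLIENTS:
            counts[(r["userPrincipalName"], r["appDisplayName"],
                    r["clientAppUsed"], ip_prefix(r["ipAddress"]))] += 1
    return counts.most_common()


def unmanaged_device_estate(signins, managed_ids):
    """Devices seen in successful sign-ins minus the managed inventory. Sessions
    with no device id at all are the unregistered BYOD population; they are
    keyed by user and OS because that is all the log gives you."""
    seen, unregistered = set(), set()
    for r in signins:
        if not succeeded(r):
            continue
        d = r["deviceDetail"]
        if d["deviceId"]:
            seen.add(d["deviceId"])
        else:
            unregistered.add((r["userPrincipalName"], d["operatingSystem"]))
    return {"seen_device_ids": seen,
            "unmanaged_device_ids": seen - managed_ids,
            "unregistered_sessions": unregistered}


if __name__ == "__main__":
    for key, n in legacy_auth_summary(SIGNINS):
        print(n, *key)
    print(unmanaged_device_estate(SIGNINS, MANAGED_DEVICE_IDS))
```

The legacy rows are the pre-signing shutdown list (a mailbox on IMAP and a scanner on SMTP AUTH in the sample), and the device result is the cutover forecast: one registered device missing from the inventory plus every user-and-OS pair that signs in with no device identity at all.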
7. Privileged Identity Management (PIM) maturity
PIM gives admins access only when they actually need it: just-in-time, time-bound, and approval-gated. It is one of the cleanest signals of how mature an organization’s identity security really is. When a company either doesn’t use PIM, or uses it but doesn’t enforce it across every admin role, admins hold permanent access, which is a serious risk regardless of what the Secure Score headline says.
PIM requires Entra ID P2 licensing plus active management. Many companies already have the license but never implemented PIM properly, and it is one of the most common gaps surfaced in pre-deal diligence.
What to request. A full PIM configuration export showing which roles are permanent (standing access) and which are eligible (just-in-time). Where PIM isn’t fully in place, implementation cost goes into the security-improvement budget. It is not a simple config toggle; it takes process change across the organization.
This links straight back to Finding 4: dormant admin accounts sitting on top of permanent standing access is how “a few old admin accounts” turns into a breach.
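The privileged-role export requested in Finding 4 answers the hard rule in Finding 2 (no privileged account without MFA), the 30-day dormancy rule in Finding 4, and the standing-versus-eligible question in Finding 7 in one pass. The following Python is an added example for this piece, not Microsoft code: the CSV is a constructed sample with the columns this piece asks the seller for (principal, account type, role, assignment type, last sign-in, MFA status, justification), the accounts and dates are made up, and the snapshot date is assumed. Service principals are reported separately because they authenticate with secrets or certificates and cannot satisfy a user MFA requirement.

```python
"""Audit a privileged-role assignment export for admins without MFA, dormant
Global Administrators, and standing versus eligible access.

Added example for this article, not Microsoft code. EXPORT is a constructed
data-room CSV; AS_OF is the assumed snapshot date of the export.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed export. Empty lastSignIn means the account has never signed in;
# mfaRegistered is blank for service principals.
EXPORT = """principal,principalType,role,assignmentType,lastSignIn,mfaRegistered,justification
admin-jdoe@contoso.com,User,Global Administrator,Permanent,2025-06-29,true,IT director
ex-contractor@partner.example,Guest,Global Administrator,Permanent,2024-11-02,false,
breakglass01@contoso.com,User,Global Administrator,Permanent,,true,Emergency access account
svc-backup,ServicePrincipal,Exchange Administrator,Permanent,2025-06-30,,Backup connector
ops-mlee@contoso.com,User,Security Administrator,Eligible,2025-06-28,true,SOC lead
ops-rkim@contoso.com,User,Exchange Administrator,Permanent,2025-06-15,false,
"""
AS_OF = date(2025, 6, 30)  # assumed snapshot date of the export


def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def days_idle(last_sign_in, as_of):
    """Days since last sign-in, or None when the account has never signed in."""
    if not last_sign_in:
        return None
    return (as_of - date.fromisoformat(last_sign_in)).days


def admins_without_mfa(rows):
    """Human identities holding any privileged role with no MFA registered:
    the non-negotiable pre-signing fix."""
    return [r["principal"] for r in rows
            if r["principalType"] in ("User", "Guest") and r["mfaRegistered"].lower() != "true"]


def service_principals_with_roles(rows):
    """Workload identities in admin roles need their own review: credential
    age, owner, and whether the role is wider than the integration needs."""
    return [(r["principal"], r["role"]) for r in rows if r["principalType"] == "ServicePrincipal"]


def dormant_global_admins(rows, as_of=AS_OF, max_idle_days=30):
    """Global Administrators unused for more than max_idle_days (or never used),
    with whether a business justification was supplied. Each one is removed,
    downgraded or justified before signing."""
    out = []
    for r in rows:
        if r["role"] != "Global Administrator":
            continue
        idle = days_idle(r["lastSignIn"], as_of)
        if idle is None or idle > max_idle_days:
            out.append((r["principal"], idle, bool(r["justification"].strip())))
    return out


def standing_access_by_role(rows):
    """Permanent vs eligible assignment counts per role: the PIM maturity signal."""
    counts = Counter((r["role"], r["assignmentType"]) for r in rows)
    roles = sorted({r["role"] for r in rows})
    return {role: {"Permanent": counts[(role, "Permanent")],
                   "Eligible": counts[(role, "Eligible")]} for role in roles}


if __name__ == "__main__":
    rows = load_export(EXPORT)
    print("no MFA:", admins_without_mfa(rows))
    print("service principals:", service_principals_with_roles(rows))
    print("dormant GA:", dormant_global_admins(rows))
    print("standing access:", standing_access_by_role(rows))
```

In the sample the ex-contractor guest trips every rule at once (Global Administrator, permanent, no MFA, 240 days idle, no justification), which is the row that goes into the SPA as a pre-signing obligation; the never-used break-glass account is also flagged, but with a justification present it is reviewed rather than removed. The standing-access table shows PIM in use for one role and nowhere else, which is the Finding 7 gap in a single line.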
8. Cyber-insurance coverage assessment
The target’s cyber-insurance policy either travels with the transaction or gets re-papered under the buyer’s name. Either way, coverage gaps only surface when a claim is made, usually on Day-1 or Year-1, when it’s far too late to fix anything.
There is also an org-design gap to watch for: cyber-insurance DD sits with the buyer’s risk/broker team, while M365 technical DD sits with IT. The two teams frequently don’t compare findings, and the buyer ends up holding a policy that assumes controls are in place (MFA for all users, EDR on every device, immutable backups) when they actually aren’t.
What to request:
- The cyber-insurance policy itself, with the specific list of technical prerequisites for coverage.
- A cross-reference of each prerequisite against the IT DD findings, MFA coverage, EDR deployment, backup strategy, ransomware-specific endpoints.
- A flag for any gap between insurance requirements and actual configuration, treated as a pre-signing remediation requirement.
Common findings that invalidate cyber claims post-close:
- Policy excludes ransomware delivered via OneDrive or SharePoint sharing.
- Policy requires MFA on all privileged accounts; legacy auth is still enabled, so MFA is bypassable.
- Policy excludes business email compromise (BEC) without specific endorsement.
- Policy requires EDR (Endpoint Detection and Response) on all endpoints; the unmanaged BYOD (Bring Your Own Device) population is not covered.
Deal-mechanics layer, in increasing cost and protection:
- Re-paper the cyber insurance policy in the buyer’s name before closing, and make sure all security requirements are properly verified.
- Add a clause where the seller must pay to fix any gap between what the insurance requires and what the system actually has, before the deal closes.
- Buy representations and warranties (R&W) insurance for the transaction. It covers losses from breaches of the seller’s representations, including cyber and data-security reps, that the normal cyber policy does not, and it is now commonly used in private equity tech deals.
A pre-deal Secure Score data-room request – copy this list
Send this list to seller IT through the data-room platform. Expect to receive 60–80% in usable form. The remainder becomes either a clean-team workstream or an SPA representation.
- Secure Score – current score, Microsoft target, and the improvement-action list.
- Secure Score 12-month trend if retained.
- MFA registration report – configured vs. enabled vs. enforced per user.
- Conditional Access policy export in JSON, with creation date, last-modified date, and 30-day enforcement-event count per policy.
- Legacy authentication sign-in report – last 90 days, by user, application, IP range.
- Privileged role assignment export – Global Admin, Exchange Admin, SharePoint Admin, Power Platform Admin, Security Admin, and custom roles. Per identity: last sign-in, MFA status, account type, business justification.
- PIM configuration export – eligible vs. permanent assignments per role.
- Intune-enrolled device inventory + Entra ID joined-device inventory + sign-in logs from non-enrolled devices.
- 24-month SOC incident-log summary + Microsoft Defender for Office 365 incident history.
- Cyber-insurance policy with the technical-prerequisites schedule attached.
- CISO interview (separate from the CIO interview) covering the items above.
That list maps directly to the eight findings above, and the responses are the inputs for the remediation rollup that goes into the term sheet.
Walk-away triggers – when the Secure Score story kills the deal
Walk-away triggers are situations where the Secure Score findings are serious enough to cancel the deal outright, not just reprice it. Most Secure Score problems are handled through remediation estimates, but some cross a no-go line, and those lines should be drawn before diligence starts, not during negotiation.
Typical triggers:
- An active, undisclosed major security breach investigation at the seller.
- Existing regulatory action tied to identity or compliance issues (HIPAA, FINRA, CMMC).
- A remediation bill that approaches the entire deal value.
- Privileged-access risk too severe to remediate by the closing date.
These situations are rare, but high-stakes. Communicate these thresholds to the diligence team early, so everyone can tell the difference between a finding that’s normal and one that should stop the deal cold.
CISO bottom line
Secure Score is no longer just an internal metric. It is becoming a key lever in deal negotiations.
Private equity buyers are already factoring it into deal pricing, and strategic buyers are starting to follow.
For CISOs, the opportunity is to bring the eight findings into the deal discussion before signing. This means converting security gaps into legal terms like representations and warranties, escrow requirements, seller obligations, and cyber insurance conditions.
That is how the CISO influences the structure of the deal instead of simply inheriting whatever setup the seller leaves behind.
The migration-execution version of these problems, rebuilding Conditional Access in the target tenant, handling MFA re-registration at cutover, cleaning up dormant Global Admin accounts after Day 1, is addressed in Identity and Access Risks in M&A Migration and Microsoft 365 Migration Risks: Identity, MFA, Devices & Apps. The pre-deal version is the one that decides what the deal actually costs.
Further reading
- Pre-deal (forthcoming): The M365 Pre-Deal Due Diligence Problem: Why You’re Pricing What You Can’t See – the full no-admin-access framework.
- Compliance-side companion (forthcoming): The Litigation Hold Trap How to Surface Held Mailboxes Before You Sign – the parallel pre-deal workstream for legal/compliance.
- Post-signing operational follow-on:
Identity and Access Risks in M&A Migration
Microsoft 365 Migration Risks: Identity, MFA, Devices & Apps