M&A Insights

Cyber Due Diligence for Carve-Outs: Untangling Shared IT Infrastructure

Simone Nogara

January 2025 · 10 min read

Carve-out transactions — the acquisition of a division, business unit, or product line from a larger parent — present cybersecurity challenges that are fundamentally different from whole-company acquisitions. The target does not exist as an independent technology entity: its infrastructure, applications, identity systems, and security controls are typically entangled with the parent's shared services environment. For acquirers, understanding the depth and complexity of this entanglement is essential to accurate valuation, realistic transition planning, and Day One operational readiness.

Why Carve-Outs Are Different

In a standard acquisition, the target company possesses its own IT infrastructure, security team, and technology contracts. Due diligence assesses what exists and identifies risks within a defined perimeter. In a carve-out, that perimeter does not exist yet. The acquired business unit shares Active Directory domains, network infrastructure, security monitoring, email systems, ERP instances, and often application code with the parent and its other divisions.

This entanglement means that the acquirer is not simply inheriting a technology estate — it is constructing one. The cost, complexity, and risk of that construction are determined by the degree of integration between the carved-out unit and the parent's shared services. Cyber due diligence in carve-outs must therefore assess not only what exists today, but what must be built, migrated, or replicated to create a viable standalone technology environment.

The security implications are particularly acute. During the transition period, the carved-out business operates in a hybrid state: partially dependent on parent infrastructure, partially migrating to new systems, with temporary access arrangements and data flows that create an expanded attack surface. This transitional architecture is inherently less secure than either the pre-transaction or post-separation state, and how long it persists is largely determined by the quality of pre-transaction planning: the better the plan, the shorter the exposure.

Shared Services Assessment

The first priority in carve-out cyber diligence is a comprehensive shared services dependency map. This analysis identifies every technology service consumed by the target business unit, determines whether each service is dedicated to the unit, shared with other divisions, or centrally provided, and assesses the feasibility and cost of separation.

Critical shared services typically include identity and access management (Active Directory, single sign-on, privileged access management), network infrastructure (WAN, firewalls, VPN concentrators, DNS), security operations (SIEM, endpoint detection, vulnerability management), enterprise applications (ERP, CRM, HR systems), and communications (email, collaboration platforms, telephony). For each service, the assessment must determine: Can this service be cleanly separated? What is the timeline and cost? What interim arrangement is required during transition?

The depth of integration often surprises acquirers. A business unit that appears operationally independent may share a single Active Directory forest with the parent, meaning user accounts, group policies, security configurations, and authentication infrastructure are inextricably linked. In Active Directory the forest, not the organisational unit, is the security boundary: an OU delegates administration but does not isolate the unit from forest-level administrators, or from groups and trusts defined elsewhere in the forest. Migrating a unit's users, computers, groups and applications out of a shared forest while maintaining access continuity is a complex undertaking that typically requires six to twelve months of careful execution.

Transitional Service Agreements: Security Provisions

Transitional Service Agreements (TSAs) govern the parent's continued provision of shared services during the separation period. From a cybersecurity perspective, TSAs are both a necessity and a risk. They are necessary because the carved-out business cannot operate without continued access to shared infrastructure during migration. They are a risk because they create ongoing dependencies on an entity that no longer has an ownership interest in the business's security.

TSA security provisions must address several critical areas. Access controls should ensure that the parent's ongoing infrastructure access is limited to what is necessary for TSA service delivery, with clear delineation of administrative privileges. Incident response responsibilities must be explicitly allocated: if a security incident affects the shared infrastructure during the TSA period, who leads the response, who bears the cost, and how is information shared between the parties?

Data segregation requirements must be specified in detail. During the TSA period, the carved-out business's data continues to reside on parent-controlled infrastructure. The TSA must define access restrictions, encryption requirements, backup responsibilities, and deletion obligations at TSA termination. Monitoring and logging requirements should ensure that the acquirer has visibility into security events affecting its data and users, even while those assets reside on parent infrastructure.

Data Separation and Classification

Data separation is frequently the most complex and time-consuming element of a carve-out. Structured data in shared ERP or CRM systems must be extracted, validated, and migrated without corruption or loss. Unstructured data on shared file servers and collaboration platforms must be identified, attributed to the correct business unit, and transferred. Email archives, which often contain both business-critical communications and sensitive personal data, require careful handling under GDPR[1].

The cybersecurity dimension of data separation extends beyond migration logistics. The acquirer must determine what data the carved-out unit actually needs versus what it has historically had access to within the parent's shared environment. Shared customer databases, for example, may contain records relevant to multiple divisions; the separation must ensure that the acquirer receives only the data to which it is entitled, and that the parent retains no residual access to the acquirer's data post-separation.

Legacy data presents additional challenges. Historical records, archived systems, and decommissioned applications may contain data relevant to the carved-out unit but reside in environments that were never designed for selective extraction. The cost and effort of recovering and migrating this data must be factored into the transaction model, alongside the regulatory risk of leaving data behind in an environment the acquirer no longer controls.

Identity Migration and Access Continuity

Identity migration — transferring user accounts, access permissions, and authentication infrastructure from the parent's identity systems to the acquirer's — is the single most critical workstream in a carve-out from both operational and security perspectives. Errors in identity migration can lock users out of essential systems, grant excessive access to sensitive resources, or create orphaned accounts that become attack vectors.

The migration plan must account for every identity-dependent service: application authentication, VPN access, email, file shares, cloud services, and privileged access to infrastructure components. For organisations using cloud identity providers, migration may involve transferring user accounts between tenants, reconfiguring application trust relationships, and re-enrolling users for multi-factor authentication (enrollments are typically bound to the original tenant and cannot simply be copied). Each of these carries operational risk if poorly executed.

Privileged access deserves particular attention. Administrative accounts for infrastructure components, databases, and applications must be identified, transferred to the acquirer's control, and rotated immediately upon separation. Any shared service accounts or embedded credentials that span the parent-child boundary represent a persistent security risk until they are eliminated. A comprehensive credential inventory, conducted during due diligence, is essential to planning a secure separation.
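The entanglement measured in the shared services section and the credential inventory described above can be driven from the same directory export. The following is an added example, not tooling from the article: it reads a constructed Active Directory-style export, scopes it to a target OU, and assigns each account a separation action (migrate, review as orphaned, rotate at separation, or cut parent access), plus an entanglement ratio for the unit. The OU name, the pipe-separated export format, the column set, and every account row are assumptions constructed for this example.

```python
"""Carve-out identity triage over a constructed AD export (added example).

Assumptions, all constructed for this example: the carved-out unit lives under one
OU (TARGET_OU), the export is pipe-separated with the columns below, and group
membership is a ';'-separated list of group DNs.
"""
from __future__ import annotations
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TARGET_OU = "OU=Coastal,DC=parent,DC=example"          # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}
STALE_AFTER = timedelta(days=90)   # idle longer than this => orphan candidate
AS_OF = date(2025, 1, 15)          # reference date for staleness

# Constructed sample export: sam|dn|kind|enabled|last_logon|groups
SAMPLE_EXPORT = """\
sam|dn|kind|enabled|last_logon|groups
jdoe|CN=jdoe,OU=Users,OU=Coastal,DC=parent,DC=example|user|true|2025-01-10|CN=Coastal-Sales,OU=Groups,OU=Coastal,DC=parent,DC=example
asmith|CN=asmith,OU=Users,OU=Coastal,DC=parent,DC=example|user|true|2025-01-12|CN=Coastal-Sales,OU=Groups,OU=Coastal,DC=parent,DC=example;CN=ERP-Users,OU=Groups,DC=parent,DC=example
bold|CN=bold,OU=Users,OU=Coastal,DC=parent,DC=example|user|true|2024-06-01|CN=Coastal-Sales,OU=Groups,OU=Coastal,DC=parent,DC=example
svc-backup|CN=svc-backup,OU=Service,DC=parent,DC=example|service|true|2025-01-14|CN=Coastal-FileServers,OU=Groups,OU=Coastal,DC=parent,DC=example;CN=Backup Operators,CN=Builtin,DC=parent,DC=example
adm-coastal|CN=adm-coastal,OU=Admins,OU=Coastal,DC=parent,DC=example|user|true|2025-01-13|CN=Domain Admins,CN=Users,DC=parent,DC=example
old-contractor|CN=old-contractor,OU=Users,OU=Coastal,DC=parent,DC=example|user|false|2023-02-01|
hq-analyst|CN=hq-analyst,OU=Users,OU=Corporate,DC=parent,DC=example|user|true|2025-01-11|CN=Finance,OU=Groups,DC=parent,DC=example
"""


@dataclass
class Account:
    sam: str
    dn: str
    kind: str            # "user" or "service"
    enabled: bool
    last_logon: date
    groups: list[str]    # DNs of groups the account belongs to


@dataclass
class Finding:
    sam: str
    actions: set[str] = field(default_factory=set)
    notes: list[str] = field(default_factory=list)


def parse_export(text: str) -> list[Account]:
    """Parse the pipe-separated export into Account records."""
    out = []
    for r in csv.DictReader(io.StringIO(text), delimiter="|"):
        out.append(Account(r["sam"], r["dn"], r["kind"], r["enabled"].lower() == "true",
                           date.fromisoformat(r["last_logon"]),
                           [g for g in r["groups"].split(";") if g]))
    return out


def in_target_ou(dn: str) -> bool:
    """True if the DN sits anywhere under the carved-out unit's OU."""
    return dn.endswith("," + TARGET_OU)


def rdn_value(dn: str) -> str:
    """First RDN value, e.g. 'Domain Admins' from 'CN=Domain Admins,CN=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def classify(a: Account, as_of: date = AS_OF) -> Optional[Finding]:
    """Separation actions for one account; None when it is out of scope."""
    inside = in_target_ou(a.dn)
    unit_groups = [g for g in a.groups if in_target_ou(g)]
    parent_groups = [g for g in a.groups if not in_target_ou(g)]
    if not inside and not unit_groups:
        return None                      # parent account with no access to unit resources
    f = Finding(a.sam)
    if inside and (not a.enabled or as_of - a.last_logon > STALE_AFTER):
        f.actions.add("orphan-review")   # do not migrate without an owner confirming it
    elif inside:
        f.actions.add("migrate")
    if inside and parent_groups:         # unit identity depending on parent resources
        f.actions.add("cross-boundary")
        f.notes.append("needs parent groups: " + ", ".join(map(rdn_value, parent_groups)))
    if not inside and unit_groups:       # parent identity holding access into the unit
        f.actions.add("parent-access")
        f.notes.append("holds unit groups: " + ", ".join(map(rdn_value, unit_groups)))
    if a.kind == "service" or any(rdn_value(g) in PRIVILEGED_GROUPS for g in a.groups):
        f.actions.add("rotate-at-separation")
    return f


def build_plan(accounts: list[Account]) -> dict[str, Finding]:
    """Map sAMAccountName to its Finding for every in-scope account."""
    return {a.sam: f for a in accounts if (f := classify(a)) is not None}


def entanglement_ratio(accounts: list[Account]) -> float:
    """Share of enabled in-OU accounts whose group memberships cross the OU boundary."""
    inside = [a for a in accounts if in_target_ou(a.dn) and a.enabled]
    crossing = [a for a in inside if any(not in_target_ou(g) for g in a.groups)]
    return len(crossing) / len(inside) if inside else 0.0


if __name__ == "__main__":
    accts = parse_export(SAMPLE_EXPORT)
    for sam, f in build_plan(accts).items():
        print(f"{sam:15} {', '.join(sorted(f.actions))}")
        for n in f.notes:
            print("    -", n)
    print(f"entanglement ratio: {entanglement_ratio(accts):.0%}")
```

Two design points worth noting. The scope rule is deliberately two-sided: an in-OU account that belongs to parent groups is a migration dependency to replicate before cut-over, while a parent account that belongs to unit groups (the backup service account here) is residual parent access that the TSA must terminate. And staleness alone never deletes anything; it only routes the account to an owner review, since a dormant but business-critical service identity and a genuine orphan look identical in the directory.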

Day One Readiness and Security Baseline

The objective of carve-out planning is to achieve Day One readiness: a state where the carved-out business can operate independently with an acceptable security posture from the moment the transaction closes. In practice, full independence is rarely achievable by Day One; the goal is to ensure that TSA dependencies are clearly defined, interim security controls are in place, and the migration roadmap is realistic and funded.

The minimum Day One security baseline should include: independent identity and access management (even if initially synchronised with parent systems via the TSA), endpoint protection deployed on all carved-out devices, network segmentation between the carved-out environment and the parent, an operational incident response capability (either internal or through an IR retainer), and monitoring sufficient to detect common attack patterns targeting transitional architectures.

For PE acquirers, carve-out cybersecurity planning directly impacts the investment thesis. Underestimating separation costs leads to budget overruns; underestimating timelines extends TSA dependency and its associated costs; and underestimating security risk during transition creates exposure to incidents that can impair the very value the acquisition was intended to capture. Rigorous cyber due diligence, conducted early in the transaction process, is the most effective mitigation for all three outcomes.

References

  1. Regulation (EU) 2016/679 (General Data Protection Regulation), EUR-Lex.
