"Every time you've got a mismatch in technology and methodologies in terms of mitigating risk, you have an opportunity for failure," he said. "The problem with cybersecurity is if you miss a little detail, it could turn into something huge. It's incumbent on you to make sure you don't miss those things."
And if the investigation process uncovers an ongoing breach, the merger needs to be paused, said JB Rambaud, managing director at Stroz Friedberg.
"You work with the incident response team and work with external counsel to understand the extent of the breach, and mitigate the extent of the risk first, patch the holes," he said. "And if everyone understands how much it will cost to mitigate that risk completely, then you can include it as part of the cost of the M&A."
BitSight's Boyer said he hasn't heard of a case in which a cybersecurity audit resulted in a merger being called off.
"But the cybersecurity posture can definitely impact a deal and how much a company is willing to pay for a deal," he said.
Prepare for increased phishing and other attacks
In the lead-up to a merger as well as during and immediately afterwards, employees will expect to get questions and communications from people they don't know, including auditors, consultants, and employees at the other company.
Privileged users in particular should expect to get targeted, sophisticated attacks, said Pescatore.
This is also an opportunity to check if both companies have phishing education programs in place, and to address any shortcomings of the weaker program.
Attackers could also go after third-party targets, said Chris Coleman, CEO at LookingGlass Cyber Solutions. Those include legal firms working on the acquisition, other vendors involved in the process, and even cloud-based service providers.
"I've witnessed a lot of situations where adversaries were actually targeting law firms to get M&A information," said Coleman, whose company did three acquisitions last year.
Review existing contracts for cybersecurity issues
A merger and acquisition could also be an opportunity for both companies to renegotiate existing vendor contracts to include better cybersecurity provisions, Coleman added.
"It does open the door," he said.
For example, it's not enough to have a single, initial security audit -- customers need to be able to review security of their vendors, and their vendors' vendors, on an ongoing basis, and contracts need to reflect that.
One specific type of vendor contract that will almost definitely be affected as a result of a merger or acquisition is a company's cybersecurity policy, which will now need to cover a larger operation, and possibly a larger and more diverse set of risks.