Cybersecurity is a vital but often overlooked aspect of M&A, with risks that can significantly impact a company’s value. This reality inspired Sunny S. to found Rexon Cyber, a specialist firm that helps buyers identify and manage cyber risks throughout the M&A due diligence and integration process.
In our conversation, Sunny shared his journey from practitioner to founder, why cybersecurity is essential in M&A across industries, and how his firm supports clients at different stages of the deal lifecycle.
Q: Can you share your background and what inspired you to start Rexon Cyber?
I spent about seven years working in intelligence in the UK, which gave me exposure to a wide range of technology and threats. I traveled a lot, worked in embassies, and handled numerous IT and security projects.
Through that, I met someone who became a mentor and taught me ethical hacking. That got me into penetration testing and offensive security. From there, I worked in consultancy, spending time as a private security consultant for businesses of all sizes — from small law firms to major companies like Barclays and Jaguar Land Rover.
Eventually, I went into contracting, and then decided it was the right time to start my own company. That had always been the goal — to work on my own terms.
Q: Why did you decide to specialize in cybersecurity for M&A as opposed to another area?
At university, I studied financial computing, a degree split between finance and markets and IT, which included cybersecurity and web development. I’d been torn between accountancy and IT, so it allowed me to pursue both.
I didn’t really grasp how M&A and cybersecurity connected until my first consultancy job. I was assigned to assess the cybersecurity of a healthcare company, but we couldn’t share the results directly with them; they had to go back to the firm managing the M&A.
The company went through a detailed security assessment where we uncovered significant issues, including evidence of a data breach that had occurred a year before the M&A process began.
Q: Was that the moment you realized how important cybersecurity could be in M&A?
Definitely. In that project, I found a scanned letter from a law firm confirming the data breach.
That got me thinking — surely this impacts the company’s value? It’s like buying a car and then discovering it’s been in an accident; it changes what you’re willing to pay. A cyber incident can materially impact value, especially for private companies without a public share price.
Q: Since founding Rexon, have you seen demand for M&A cybersecurity grow?
Yes, there’s definitely growing awareness. The first firm I worked with is probably the largest cybersecurity consultancy in the world, and the fact that they’re being asked to perform cyber due diligence shows how important it’s become.
I also know that major firms like KPMG have entire internal teams dedicated to cyber due diligence. You wouldn’t invest in that unless the demand is significant.
That said, a lot of people still assume cybersecurity only applies to tech-focused M&A, like acquiring a software company. In reality, it’s critical for all types of businesses. When you frame it as “what vulnerabilities are you buying?”, people start to get it.
Q: Do you get brought in at different stages of a deal depending on the client?
Yes, it varies a lot. At the pre-deal stage, we might do an initial cyber due diligence report based on open-source intelligence, which means purely public information.
For example, in one case I spotted on a company’s YouTube videos that all their office PCs were running Windows 7 — an operating system that was retired nearly a decade ago! That’s a red flag before you even set foot on site.
As you move into deal and post-deal phases, the work becomes more in-depth. You get consent to run threat modeling, vulnerability scans, pentests, and build reviews — like checking how secure a standard corporate laptop is. All this feeds into valuation discussions and post-integration checks, because merging networks often creates new vulnerabilities.
Q: What are the biggest cybersecurity education gaps you see?
The biggest gap is around the relevance of cybersecurity in M&A. As I mentioned, many people still think it only applies to tech companies like software firms, SaaS platforms, or anything obviously “IT-heavy.” That’s just not the case.
Take a dental practice, for example. If they get hit with ransomware, all their patient records could be stolen and leaked online. That’s a huge operational issue and also a legal one. In the UK, GDPR would come into play, and the regulatory fallout could be severe. In the US, it would fall under HIPAA and other state-level data protection laws.
So, it’s not about whether the business sells technology. It’s about the data it holds, the systems it relies on, and the risks if those are compromised.
Q: Do you also provide guidance on how to fix vulnerabilities?
Absolutely. We package this into our virtual CISO service, which helps companies build a practical, prioritized roadmap.
It usually starts with a cyber health check — internal and external vulnerability scans, penetration tests, build reviews of corporate devices, and so on. From there, we prioritize the issues. For example, out of 30 vulnerabilities found, we highlight the 10 high-risk ones that need immediate attention.
We explain exactly how to fix each item and how to verify that it’s been fixed. That could mean re-running tests, reviewing updated configurations, or checking logs.
If there’s a lot of work to do, we’ll create a multi-month “path to green” plan. That’s essentially a timeline for moving from the current state to a healthy, well-defended security posture.
Q: How are you adapting to AI — both to enhance your services and to address the risks it poses?
We’ve started using AI to take on some of the legwork. For example, the tools we use to collect open-source information create a lot of raw data, and we use AI to efficiently organize the results.
On the admin side, we’re looking at ways that AI can streamline client onboarding. Imagine adding a new customer to your CRM and having AI automatically send the NDA, welcome email, key contact information, and even schedule an introductory call ten days later — all without human intervention.
In terms of risks, it’s about helping clients understand how AI handles their data. Many don’t realize that public AI tools like ChatGPT or Copilot can store and use your inputs to train their models. Unless you’re using something like Copilot’s enterprise “work mode”, which sandboxes data inside your own environment, you should assume anything you enter could end up in a public dataset.
That’s where it becomes an M&A concern. If you’re acquiring a company with valuable intellectual property, you need to check whether they’ve used public AI tools and, if so, what they’ve entered. Sensitive IP that’s been shared with a public model may no longer be exclusive to that company, and from a valuation and risk perspective, that could be a major problem.