Blog · Carve-Outs

The perimeter is new. The threats are not.

Carve-out cybersecurity for Day One is the workstream that decides whether Newco operates safely or carries inherited exposure into its first hours of independent operation. The work covers identity, perimeter, endpoint, monitoring, incident response, and third-party risk. This article sits inside the broader carve-out advisory program and lays out the controls Newco needs before close and the program sequence that delivers them.

6
Control Domains
Close
Posture Live
8 min
Read Time
2026
Last Updated
Section 01

Why Day One cyber is uniquely hard.

Cybersecurity in a carve-out faces a problem most security programs do not. The defender is building the controls while the systems are already in use, while threat actors know the carve-out is happening, while identity boundaries are blurry, and while change is constant. The seller's controls protect the seller's perimeter. The buyer's controls protect the buyer's perimeter. Newco needs its own perimeter, set up under deadline pressure, against active adversaries who know carve-outs produce gaps.

Carve-out announcements draw attention. Threat actors monitor M and A news for opportunities. Phishing campaigns targeting employees during transitions are common. Social engineering against finance and HR employees succeeds at elevated rates during periods of organizational change. The cyber program needs to anticipate the threat profile and harden the most exposed processes before close.

The dependency on the seller is structural. Newco often relies on the seller's identity systems, network controls, and security operations during the TSA. The seller's security policies, monitoring, and incident response cover Newco initially. As the TSA exits, those protections wind down. Newco needs equivalent controls operational before the seller's protections end. Sequencing matters because gaps between the two states are exploitable.

The cyber workstream needs senior leadership attention from signing forward. A CISO or equivalent security leader needs accountability on the Newco side, with budget and authority, before close. Programs that defer security leadership hiring until post-close usually carry control gaps for months. The Day One readiness context is in carve-out Day One readiness.

Section 02

Identity is the cyber anchor.

Identity is the cyber control that everything else depends on. Newco needs its own identity provider, its own directory, its own conditional access policies, and its own privileged access management. The Newco tenant needs to exist before applications can be migrated, before endpoints can be enrolled, and before any of the other cyber controls can be configured. Identity readiness is on the critical path for the entire cyber program.

Privileged access deserves particular attention. Administrative accounts on the seller's systems often retain access to Newco environments long after close. The privileged access inventory needs to be built during diligence and reconciled at Day One. Every administrative credential, every service account, every shared password needs to be identified, transferred to Newco ownership, rotated, or revoked. Programs that skip this audit carry persistent backdoor exposure.

Federation and single sign on with the seller is a particularly thorny problem. Many applications rely on the seller's identity provider for authentication. After close, those federation arrangements need to migrate or terminate cleanly. Federation arrangements left in place produce hidden dependencies that surface when the seller changes its identity provider configuration. The migration plan needs to address every federated application.

Multi factor authentication for every user account is non optional. The seller may or may not enforce it across all systems. Newco must enforce it from Day One. Conditional access policies that limit access by device, location, and risk score need to be in place before any user logs in to a Newco system. The configuration takes weeks. The dependencies are deep. The work needs to start at signing.

Section 03

Endpoint, network, and the perimeter.

Endpoint security on Newco devices needs Newco controls. The seller's endpoint management agents on Newco laptops have access into the seller's environment, run policies designed for the seller, and report to the seller's security operations. After close, those agents either need to be replaced with Newco agents or operate under explicit TSA arrangements. The transition needs to maintain protection while changing the management chain.

Network perimeter controls protect Newco's environment from the internet. The Newco perimeter includes web filtering, DNS security, email gateway protection, and outbound traffic controls. Each of these is typically a product purchase, a configuration project, and an integration with the rest of the security stack. The full perimeter stack needs to be operational before Newco traffic flows independently of the seller.

Email security is the highest priority perimeter control. Email is the most common entry vector for phishing, business email compromise, and credential theft. Newco's email security gateway, anti phishing controls, brand protection records (SPF, DKIM, DMARC), and user awareness training all need to be configured before the new email domain goes live. Programs that activate email without these controls in place provide an open door for the first attack.

Network segmentation between Newco and the seller is essential. During the TSA, Newco systems often need network connectivity into the seller's environment for shared applications. Each connection point needs explicit firewall rules, monitoring, and access controls. Programs that leave broad network access open during the TSA create lateral movement risk in both directions. The IT context is in the carve-out IT separation playbook.

Section 04

Monitoring and incident response from day one.

Monitoring needs a security operations function on Day One. The function can be in house, outsourced to a managed detection and response provider, or a hybrid. The choice depends on Newco scale and security maturity. The function needs visibility across endpoints, network, identity, email, and cloud platforms. Visibility gaps are exploitation gaps. The monitoring footprint should match the operating footprint from the first hour.

The security operations function needs working integrations on Day One. Endpoint detection sends alerts to the SOC. Identity events stream to the SOC. Network traffic anomalies surface to the SOC. Email events feed the SOC. Each integration is an engineering project. Programs that defer integration to post-close operate blind for weeks. The discipline is to stand up the SOC tooling early, in parallel with system migrations, so visibility is live when systems go live.

Incident response procedures need to exist before any incident occurs. The runbook covers detection, escalation, containment, eradication, recovery, and communication. Newco needs executive authorities defined, external partners (forensics, legal, communications) on retainer, and notification obligations to regulators and customers documented. The TSA needs to address how incidents involving shared infrastructure between Newco and the seller are handled.

A tabletop exercise within the first 30 days is the test of readiness. The exercise simulates a realistic incident, walks the response team through the runbook, and surfaces gaps in tooling, communication, and authority. Programs that conduct tabletop exercises early find their gaps in a safe context. Programs that wait until a real incident find their gaps the hard way.

Section 05

Third-party risk and compliance.

Newco inherits a supplier base with varying security postures. The seller's third-party risk program covered those suppliers under the seller's framework. Newco needs its own third-party risk program with its own framework, its own risk tiers, its own assessment cadence, and its own contractual requirements. Building the program from scratch in the first months after close requires focused effort. Migrating the seller's framework is rarely a viable shortcut because the framework reflects seller risk tolerances rather than Newco's.

Cloud platform configurations need separate attention. Newco often has accounts in AWS, Azure, GCP, and various SaaS platforms that were configured under seller security baselines. The configurations need review, hardening, and ongoing posture management under Newco governance. Misconfigurations in cloud are a common breach pathway. Programs that defer cloud security review carry exposure that may not surface until exploited.

Compliance obligations follow Newco from Day One. Industries with specific cyber requirements (HIPAA, PCI, GLBA, NERC, ITAR, GDPR) have ongoing obligations that do not pause during transitions. Audit cycles, attestation schedules, and breach notification requirements continue. The compliance calendar needs Newco ownership, Newco evidence, and Newco governance from close. Programs that assume the seller's compliance covers Newco during the TSA create gaps in the audit trail.

Cyber insurance needs to be in place by Day One. The seller's insurance does not cover Newco after close. The new policy requires underwriting questions answered with Newco specific data, security control attestations, and incident history. The application process can take 60 to 90 days. Coverage gaps at Day One create both regulatory and financial exposure. The data privacy specifics are covered in the GDPR article for carve-outs in the queue.

Related Reading

More on carve-out execution.

Free Download

Get the buyer-side TSA Exit Playbook.

The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.

No spam. Unsubscribe in one click. · Read the overview first →

The perimeter is new. The threats are not.
Day One Readiness

Stand up the perimeter. Before the threat does.

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.

White paper

The TSA Exit Playbook

Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.

Read the playbook →
White paper

The Cybersecurity Day-One Playbook

Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.

Read the playbook →
The Day One Letter

Get buyer-side TSA intelligence every two weeks

One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.

Subscribe to The Day One Letter →