
Investment committee cyber questions are almost never about the vulnerability count. They are about liability surface, transferability of risk, and the cost to fix what the diligence team found.
In a mid-market PE transaction in the $350M–$450M range — platform sector, not named here — the IC circulated an eight-question memo after receiving the cyber diligence summary. Seven of the eight questions were answerable from the evidence the CISO had already assembled. One was not.
The question that nearly killed the deal was not about a critical CVE or a compliance gap. It was about insurance transferability. The target carried a $15M cyber policy with a carrier the acquirer's portfolio had already strained. The IC wanted to know whether the policy was assignable, what the retentions were under the new ownership structure, and whether the EBITDA model had accounted for the premium delta at renewal.
None of that information lived in the diligence scan. It lived in the policy documents and in a conversation with the broker. The CISO had the technical findings but not the transfer language. Closing that gap took nine days and a supplemental underwriter review. The deal still closed — but at a 0.4x EBITDA adjustment that was negotiated in the final 72 hours because the insurance answer arrived late.
The seven questions that were answerable all had a common shape: the IC wanted a dollar figure, a source, and a confidence level. Not a risk rating. Not a heat map color. A number with a reason and a caveat. The diligence team had been collecting evidence for six weeks, but the evidence was organized by control domain, not by the three things the IC actually needed.
The pattern that emerged from the memo is consistent with what operating partners see across transactions of this size. IC-level cyber questions cluster into three categories: liability (what could this cost us?), operability (what breaks if we try to integrate or exit?), and proof (what evidence exists that the seller's claims are true?). Diligence teams tend to over-index on operability and under-invest in the liability and proof categories — because those require financial translation and evidence packaging that goes beyond the scan output.
The two findings that created friction were both translatable with the right evidence, not intrinsically fatal. The insurance gap was solvable because the underlying controls were adequate — the problem was documentation and packaging, not posture. The second friction point, a cloud misconfiguration with an estimated $2.1M exposure under a FAIR-style model, was resolved when the seller provided a credible remediation timeline with control proof attached. The IC accepted the timeline because the evidence existed and was organized legibly.
The principle that held across both friction points: an IC will accept a known, bounded, credibly-evidenced risk faster than an unknown, unbounded, unsubstantiated claim. The number does not need to be small. It needs to be real and inspectable.
For operating partners preparing cyber evidence packages for IC, the organizing question is not "what did we find?" It is "what does the IC need to make a funded decision, and is that information in a form they can interrogate?"
That reframe changes what goes into the evidence package. The scan output is the raw material. The package is the translated, source-linked, confidence-bounded artifact that answers the memo questions before they are asked.