dblnews.

Clear, practical, independent coverage

A column by Sylvia Parrish

Sylvia Parrish, Chief Business Columnist

July 19, 2026 · 14 min read

Mergers and acquisitions due diligence: more than a formality

A $133.9 million transaction can now enter the U.S. Hart-Scott-Rodino zone. That figure, effective from February 17, 2026, is not a universal filing trigger—party-size tests, exemptions, and…

Mergers and acquisitions due diligence: more than a formality

A $133.9 million transaction can now enter the U.S. Hart-Scott-Rodino zone. That figure, effective from February 17, 2026, is not a universal filing trigger—party-size tests, exemptions, and structure still matter—but it is a useful reminder of what corporate dealmaking has become: expensive before the bankers have finished congratulating themselves.

For a reportable transaction, filing fees now run from $35,000 to $2.46 million, depending on deal value. That is the visible cost. The invisible cost is the one boards routinely underestimate: buying liabilities, data exposure, market-conduct problems, and managerial fantasies at a premium valuation because someone treated mergers and acquisitions due diligence as a document scavenger hunt.

I have watched this reflex for years. The deal team wants speed. The sponsor wants leverage. The CEO wants the announcement before the next earnings call. Counsel gets handed a virtual data room and told, in effect, to find every landmine by Thursday. Then everyone acts surprised when a "minor" issue becomes a post-close impairment, regulatory inquiry, or six-month integration paralysis.

Due diligence is not a formality. It is the unpleasantly practical exercise of discovering whether the asset exists in the form the seller claims—and whether it will still be worth owning after regulators, competitors, employees, and hackers have had their say.

A diligence report that merely confirms the seller's narrative is not reassurance. It is a very expensive mirror.

The strategic shift: from document collection to deal thesis destruction

The conventional m&a due diligence checklist has a seductive quality. Corporate records? Tick. Financial statements? Tick. Material contracts? Tick. Litigation schedule? Tick. Someone creates a tracker with 140 rows, the room fills with green status markers, and the transaction begins to feel inevitable.

That is precisely when the work becomes dangerous.

A useful diligence process does not ask only whether documents exist. It tests the assumptions that made the buyer want the company in the first place. If the investment case rests on pricing power, diligence should examine customer renewal behavior, discounting authority, churn in the accounts that matter, and the commercial reality behind "sticky" revenue. If the thesis promises cost savings, the team must identify which costs are actually removable and which are protected by contracts, labor arrangements, service-level obligations, or the stubborn fact that systems do not integrate themselves.

Financial due diligence importance is often reduced to quality-of-earnings analysis. That work matters enormously, of course. Revenue recognition, working-capital normalization, debt-like items, cash conversion, and customer concentration can alter the purchase-price economics with admirable brutality. But the financial model cannot operate in a vacuum. A target may show excellent margins because it delayed maintenance, underfunded compliance, leaned too hard on one distributor, or avoided the cybersecurity investment that every responsible board should have demanded years ago.

That is not margin. That is deferred pain.

I would separate the work into three questions, each with a different owner but one commercial purpose:

1. What are we actually buying?

This covers legal ownership, capital structure, material contracts, intellectual property, licenses, customer rights, data rights, and the less glamorous question of whether the target can transfer what the buyer thinks it is acquiring.

2. How does the business really make money?

Here sit quality of earnings, unit economics, pricing, customer concentration, cash flow, working capital, supplier dependence, sales practices, and the operating assumptions embedded in the forecast.

3. What follows us home after closing?

This is where competition law, sanctions, anti-corruption controls, cyber exposure, employment liabilities, tax, environmental issues, data privacy, and sector-specific regulation stop being specialist footnotes and start becoming deal terms.

The last question tends to receive the least patience because its answers rarely improve the pitch deck. Yet that is where a buyer earns the right to call itself disciplined rather than merely acquisitive.

A smart board should insist that each major diligence finding receives a clear commercial translation: is it a price issue, a closing condition, an indemnity matter, a remediation cost, a separation problem, or a reason to walk? "Flagged for management attention" is not a decision. It is a euphemism for postponing one.

The 2026 HSR landscape: thresholds are not permission slips

The 2026 HSR adjustments arrived with the usual regulatory arithmetic and the usual outbreak of confusion in deal rooms. The minimum size-of-transaction threshold is now $133.9 million. Other adjusted thresholds include $26.8 million, $267.8 million, $294.5 million, $535.5 million, $1.339 billion, and $2.678 billion.

Those numbers matter. They do not relieve anyone of judgment.

A transaction above $133.9 million is not automatically reportable. The applicable party-size tests, exemptions, entity relationships, and deal structure still decide the issue. Conversely, a buyer that treats the threshold as the entire antitrust analysis has missed the point by several miles. HSR is a filing regime, not a certificate that a merger lacks competitive consequences.

The fee schedule has its own small lesson in corporate realism: process costs rise quickly when the transaction becomes large enough to command public attention.

Transaction value at filing2026 HSR filing fee
Below $189.6 million$35,000
$189.6 million to less than $586.9 million$110,000
$586.9 million to less than $1.174 billion$275,000
$1.174 billion to less than $2.347 billion$440,000
$2.347 billion to less than $5.869 billion$875,000
$5.869 billion or more$2.46 million

The filing form itself has added a layer of procedural friction. In March 2026, the FTC said it was accepting filings under the pre-February 10, 2025 form and instructions following the court judgment that vacated the later form, while also voluntarily accepting filings under the 2025 form. If that sounds untidy, welcome to regulatory practice. The correct response is not hand-wringing; it is early antitrust counsel, a disciplined filing timetable, and an internal record of what the parties knew and when.

There is another operational detail executives love to discover too late: after the HSR waiting period ends or terminates, the acquirer generally needs to cross the filing threshold within one year. It can generally acquire up to the next notification threshold for five years without another filing. "Generally" does meaningful work here. Transaction mechanics deserve the same attention as the headline valuation, particularly where staged acquisitions, rollover holdings, or complicated ownership chains enter the picture.

For boards, the larger lesson is simpler. Regulatory workstreams cannot be bolted on after the commercial team has promised a closing date. Once a public timetable becomes a management commitment, rational analysis tends to become an inconvenience. And executives are remarkably inventive when asked to explain why an inconvenience should not change a decision already announced.

Antitrust diligence is also an information-control problem

The 2023 DOJ and FTC Merger Guidelines made an old truth impossible to ignore: the most revealing evidence often comes from ordinary-course documents, not from the carefully laundered materials produced after a deal enters formal review.

A board presentation written before the target knew it might be acquired can reveal how management actually sees pricing, capacity, labor costs, R&D, market entry, and competitive threats. A sales plan may say more about likely post-merger conduct than a hundred pages of counsel-crafted assurances. If internal materials discuss raising prices, reducing output, cutting wages or benefits, or curtailing research and development after a deal, regulators will not regard those as charming examples of commercial candor.

They will regard them as evidence.

This is why a narrow competition review built only around market shares is so often a mirage. Market concentration remains central, naturally. But the information pathways created by a transaction can matter just as much. A merged business may gain visibility into competitors' sales volumes, forecasts, promotion plans, product road maps, or entry strategies. That access can reshape competitive incentives even where the headline concentration numbers look manageable.

The practical consequence is not "share less information," which is the sort of vague instruction that produces neither safety nor efficiency. It is to establish clean-team protocols and access rules before commercially sensitive material moves between parties.

The information questions that should make executives pause

  • Who sees pricing, volume, and customer-level data before close? Sales leaders may have the strongest commercial appetite for granular information and the weakest instinct for antitrust boundaries. A charming combination.
  • Can the buyer's operating team receive future plans without creating avoidable exposure? Product launches, planned capacity changes, wage strategies, and commercial bids require controlled review, often through clean teams or outside advisers.
  • Are integration discussions drifting into pre-closing coordination? Buyers may plan integration. They may not operate the target before closing or use a signed deal as a license to coordinate conduct that should remain independent.
  • Do ordinary-course records contradict the merger narrative? If the public story says the deal will stimulate innovation while internal papers describe reduced R&D spending, someone needs to resolve that conflict before a regulator does it for them.
In antitrust review, the prettiest slide deck loses to the ugliest internal email every time.

The same discipline should extend to board materials. Directors do not need to become competition lawyers. They do need to ask whether the deal thesis depends on outcomes that look suspiciously like reduced competition when translated into plain English.

"Rationalized capacity" can mean less output. "Commercial optimization" can mean higher prices. "Workforce efficiency" can mean lower wages or thinner benefits. Language does not alter substance, however much investment bankers may wish it did.

Successor liability: the liability you acquire does not wait politely outside the closing room

Sanctions and anti-corruption diligence sit in the category of work that appears optional only until it is not.

OFAC has been clear that sanctions-related risk assessment and due diligence matter in mergers and acquisitions, especially where non-U.S. companies enter the picture. Compliance functions should be integrated into the acquisition and integration process so that concerns are identified, escalated, addressed before closing where possible, and incorporated into the risk assessment thereafter.

That is a fairly direct instruction. Yet I still see buyers treat sanctions diligence as a name-screening exercise performed near signing, often by a team that has little visibility into the target's distributors, beneficial ownership chains, payment flows, freight routes, resale markets, or technology exports.

The target may not have a dramatic sanctions problem. Fine. But the buyer should know whether its revenue depends on intermediaries nobody can explain, customers in higher-risk jurisdictions, contractual rights that permit problematic resale, or payment practices that make the finance team suddenly develop an interest in archaeology.

Anti-corruption diligence requires the same refusal to settle for superficial answers. The DOJ and SEC's FCPA guidance addresses successor liability in M&A. Timely remediation and an effective compliance and ethics program can matter in charging and investigative decisions. That does not mean a buyer can purchase a compromised business, install a policy document on Day One, and expect the past to evaporate. Corporate misconduct is not a software bug solved by clicking "update."

The serious questions are granular:

  • Which third parties produce disproportionate revenue or operate in high-risk markets?
  • What do commissions look like relative to services actually performed?
  • Who approved unusual discounts, rebates, gifts, travel, or consulting arrangements?
  • Did internal reports raise concerns that management dismissed, delayed, or quietly buried?
  • Can the target's compliance records be trusted, or do they merely show that somebody knew how to fill out forms?

Where serious issues arise, the buyer needs a remediation plan with owners, timing, budget, reporting lines, and board visibility. Not a sentence in an integration deck. A plan.

This is also where deal structure earns its keep. Pricing adjustments, specific indemnities, escrow arrangements, pre-closing remediation covenants, closing conditions, and a willingness to abandon the deal all have different roles. No single tool cures every risk. The seller may resist. It usually does. That is negotiation, not injustice.

Cybersecurity governance is now part of the valuation argument

Cybersecurity used to appear in diligence as an IT annex: systems inventory, penetration-test summary, insurance coverage, perhaps a cheerful note that no "material incidents" had been identified. That approach belongs in the museum alongside BlackBerry holsters and the belief that cloud migration automatically lowers risk.

For U.S. public-company targets, SEC cybersecurity rules require registrants to describe their processes for assessing, identifying, and managing material cyber risks, as well as the board's oversight and management's role. A material cyber incident must be disclosed on Form 8-K within four business days after the company determines that the incident is material, subject to limited delay provisions.

Note the phrasing: after the company determines materiality. Not four days after a suspicious alert appears on a screen. Not four days after an employee receives a phishing email. Materiality is a judgment, and judgments made in the heat of a breach can expose every weakness in governance.

A buyer should therefore diligence cyber risk at two levels: technical exposure and governance credibility.

Technical exposure includes identity management, privileged access, patching, network segmentation, cloud architecture, incident response, backup integrity, third-party connections, data classification, and the protection of crown-jewel systems. This is familiar terrain for security professionals, even if deal executives still regard it as something that can be summarized in three traffic-light icons.

Governance credibility is harder and often more revealing. Does the board receive meaningful cyber reporting? Can management explain who owns incident decisions? Has the company rehearsed a materiality assessment? Does the security leader have authority and resources, or merely a title designed to impress procurement questionnaires? Are disclosures consistent with internal incident records and risk assessments?

Operational due diligence risks frequently hide in these gaps. A target can possess modern tools and still be badly governed. It can have a strong security function and still be one phishing email away from a material incident that the new owner will be answering for the moment the ink dries on the share purchase agreement.

The translation into deal terms matters as much as the underlying finding. A handful of unpatched legacy servers may justify a remediation covenant and an indemnity. Evidence that the board has never received a serious cyber briefing is a governance issue and, candidly, a valuation issue. A history of near-misses quietly contained by an overworked incident-response team suggests latent exposure that the purchase price has not yet discounted. And the suspicion that the target has been hiding material incidents from disclosure regimes can move the conversation from negotiation to litigation.

A disciplined cyber workstream produces not a checkbox but a set of practical answers: what we have found, what it is worth in price or structure, what we require before closing, what we will fix in the first hundred days, and what would make us walk away. Anything less is theater.

The discipline behind the closing table

Most deals that go badly wrong after signing did not fail because diligence was absent. They failed because diligence was performed as decoration—gathered, filed, summarized, and then allowed to lose to a closing date, a leverage target, or a chief executive who had already told the board the transaction was happening.

Why due diligence fails is rarely a mystery. Sponsors compress the timeline. Sellers restrict access. Operating teams filter findings upward only when convenient. Boards accept summaries rather than demanding the underlying record. Counsel structures the right indemnities and then watches them erode in negotiation because the commercial team will not support drawing a line that might cost the deal.

The remedy is procedural rather than heroic. Diligence workstreams must start before the term sheet hardens. Findings need owners with authority. Issues need commercial translations with deadlines. The board needs to see what the deal team sees, not what the deal team decides the board should see. And someone in the room needs to be paid to say no, on a regular basis, with credible reasons.

A serious due diligence process leaves a deal team with three artifacts at signing: a clearly priced view of what the asset is worth in its current condition; a documented set of conditions, indemnities, and remediation covenants that must be in place at closing; and a credible plan for what cannot be fixed by contract, including a candid answer to whether the price still makes sense. Boards that insist on those artifacts tend to avoid the post-close surprises that turn announced transactions into ongoing embarrassments. Boards that treat due diligence as a closing-week formality tend to fund someone else's expensive education.

Mergers and acquisitions due diligence will never be the most popular topic in a deal process. It is, however, the difference between a transaction that creates value and one that merely transfers it.

FAQ

What is the current minimum transaction threshold for HSR filings?
As of February 17, 2026, the minimum size-of-transaction threshold for HSR filings is $133.9 million.
Does exceeding the HSR filing threshold automatically mean a transaction is reportable?
No, exceeding the $133.9 million threshold does not automatically trigger a filing, as party-size tests, exemptions, and deal structure remain critical factors.
Why is ordinary-course documentation important in antitrust review?
Regulators view internal documents created before a deal as more credible evidence of competitive intent than materials produced after the transaction is announced.
How should a buyer approach cybersecurity during due diligence?
A buyer should evaluate both technical exposure, such as network architecture and patching, and governance credibility, including how the board oversees cyber risks and materiality assessments.
What are the three primary questions a buyer should ask during due diligence?
The three questions are: what are we actually buying, how does the business really make money, and what liabilities follow us home after closing?

Sylvia Parrish