← Back to Insights

The Exit Ready Series · Post R.24

View the full series →

The Sticky Note on the Router

The buyer's IT consultant asks for a cybersecurity policy. The answer tells him everything. The wifi password, unchanged since 2014, tells him the rest.

The buyer's IT diligence consultant asks Kevin Downer for the company's cybersecurity policy.

Kevin does not have a cybersecurity policy. He is not sure Meridian has ever had one. He tells the consultant this and asks whether he would like him to draft something now.

The consultant says no. He has the answer he needed.

He moves to the next question. Multi-factor authentication on the email system?

No. Not on email. Not on the accounting system. Not on the network drive where the fourteen workbooks from The Spreadsheet Empire live. Not on dispatch. The only system with MFA is the bank portal, because Fifth Third requires it.

Endpoint security?

Windows Defender. The antivirus that came with the operating system. No managed endpoint detection. No centralized monitoring.

Employee security training?

None. New employees are shown how to use email and dispatch on day one. Nobody mentions security beyond "don't open attachments from people you don't recognize."

The wifi password?

The company name plus the year. Changed each January by incrementing the year. Written on a sticky note on the side of the router since 2017. The ink has faded.

The consultant writes none of this down with surprise. He has heard this answer set on the majority of mid-market services businesses he has reviewed.

What the buyer is actually pricing

The cybersecurity diligence is not, in the buyer's mind, a technology question. It is an insurance question and an indemnity question.

This is The Sticky Note on the Router — the pattern where a business has no cybersecurity posture, which means the buyer inherits risk they cannot quantify and the seller carries personal liability for incidents nobody can prove didn't happen.

The buyer is asking three things.

What is the residual cyber risk? The consultant assesses Meridian against the baseline any cyber insurance underwriter would apply: MFA on critical systems, endpoint detection on every machine, documented security policies, employee training, tested backups, incident response plan, patching cadence, network segmentation. Meridian meets none of the baseline.

Can the business be insured under the buyer's cyber policy? The buyer carries a portfolio-wide cyber insurance umbrella. Meridian, as it stands, cannot be added. The buyer must fund a controls buildout before Meridian qualifies — and during the gap, Meridian operates uninsured.

What is the indemnity exposure for pre-closing incidents? Cyber incidents have long tails. A breach can occur before closing and surface months later. The buyer wants the seller — Ed personally — to indemnify against losses from pre-closing incidents that appear within a defined post-closing window.

The protection takes the form of a clause. Ed indemnifies the buyer for three years. The cap is meaningful.

The password nobody changed

The wifi password is the smallest item in the findings. The consultant treats it as the most diagnostic.

A business that has not changed its wifi password since 2014 has not reviewed its security posture in over a decade. Every visitor since 2014 — vendors, customers, contractors, the cleaning crew, former employees — has the password. The sticky note has been visible to anyone who walks past the router for eight years.

None of this means Meridian has been breached. It also does not mean Meridian has not been breached. Meridian has no monitoring that would detect an intrusion. The consultant flags this: Cannot determine retrospectively whether intrusions have occurred.

That note produces a specific clause in the indemnity language. Ed indemnifies the buyer not only against incidents that surface within the standard window, but against incidents revealed by the buyer's post-close forensic audit. The forensic window runs three years.

What Ready Looks Like

The controls the buyer's insurance carrier requires are not expensive. For a business of Meridian's size, the cumulative cost of having them in place runs $40K to $70K per year.

MFA on every system that touches business data. Email, accounting, dispatch, file storage. The cost is essentially zero — most enterprise software includes MFA. The gap is a configuration decision, not a budget decision.

Managed endpoint security on every machine. Not Windows Defender alone — a managed endpoint detection and response (EDR) platform with centralized monitoring. Three to seven dollars per endpoint per month.

A documented security policy and incident response plan. Most cybersecurity firms can produce a tailored policy for under $10K. Updated annually.

Quarterly employee security training. Phishing simulations, basic hygiene, incident reporting. A few thousand dollars per year.

Tested backups with quarterly restoration verification. As covered in The Backup That Wasn't There — untested backups are hopes, not backups.

Network segmentation. Operations on one segment, customer data on another, guest wifi on a third.

For Meridian, none of these were true.


The cybersecurity consultant the buyer hires to run the post-close buildout meets with Ed for a handoff conversation.

The consultant walks through each control. He explains MFA — a second factor so a stolen password is not enough. He explains EDR — software that watches for unusual behavior and stops it. He explains the security policy — a written document so answers live on paper instead of in someone's memory.

Then he explains the wifi password.

"Ed, the current password is your company name and a year. If a guesser tried meridian2014, then 2015, then 2016, they'd land on yours within twelve guesses. But the deeper problem is that the password has been the same for twelve years. Anyone who has visited your office and read that sticky note knows it. Anyone who has worked here and left knows it. The password isn't a secret. It's a phrase that some hundreds of people have learned over the years."

Ed thinks about the sticky note. Kevin put it there in 2017. Nobody has touched it since. Ed has walked past it five thousand times.

What this cost Ed: $120K.

The buyer funded the cybersecurity buildout post-close — MFA deployment, managed endpoint security, documented policies, employee training, network segmentation, backup verification — and deducted the cost from the purchase price. The $120K is the direct remediation: the cost of standing up the controls Meridian should have had in place before the deal started. The indemnity clause Ed signed is separate — three years of personal exposure for any pre-closing incident that surfaces post-close. The indemnity is not a deduction. It is a risk Ed now carries because Meridian had no way to prove an incident did not occur.

Don't be Ed.