38 Due Diligence Red Flags Across 6 Streams (2026): Severity Matrix + Walk Rate

Last updated: May 2026

I run cyber-DD on a $300M strategic-buyer deal where the target had 47 OAuth integrations across critical data sources — half undocumented, none rotated post-SalesLoft. The deal team's red flag inventory called it "vendor risk, medium." After cross-referencing the SalesLoft 700-org victim list against the target's integration map, "medium" became "do not close without 30-day post-close token rotation as a condition precedent." Three weeks later, the working-capital QoE supplement surfaced a $1.2 million peg gap, the legal team flagged a non-assignment clause in the top-2 customer contract, and the founder confirmed two senior engineers had given notice. By signing day the red flag inventory was 14 items deep across 6 streams, the Concentrated Trio test had failed twice, and the deal closed at a 7% lower price with $3 million carved out of R&W into a cyber-specific escrow. Due diligence red flags in 2026 are not the binary "kill or close" signal they were in 2019 — the SRS Acquiom 2025 data shows walk-away constructs collapsed from 18% to 11% YoY while undisclosed-liability claims doubled. The discipline shifted from "do we walk?" to "how do we structure?". I run Peony, a data room platform used by 4,300+ customers across M&A, private equity, and DD workflows. Backed by VCs including Target Global, this guide maps the 38 red flags across 6 DD streams with severity tiers, the Red/Orange/Yellow severity matrix, the Concentrated Trio test, the Bain Test for PE cyber liability, and the Walk Rate data on how buyers actually respond.

Quick answer: Due diligence red flags in 2026 cluster across six streams (financial, legal, commercial, operational, tech/cyber, ESG/regulatory) with 38 named flags total. The Red/Orange/Yellow severity matrix scores each flag on materiality (under 2% / 2-10% / over 10% of enterprise value) and curability (easily curable / indemnifiable / uncurable). Red — walk — only triggers when high materiality combines with uncurable risk. The Concentrated Trio test (customer over 30%, vendor over 70%, founder-essential) produces the cleanest binary deal-killer signal. Post-March 18, 2026, the Bain Test elevates cyber red flags from price-chip leverage to sponsor-level fiduciary exposure for PE buyers. Walk rates collapsed in 2025: no-survival R&W constructs dropped from 18% to 11% YoY while undisclosed-liability claims doubled — buyers are negotiating around red flags rather than walking.

---

The Walk-Rate Collapse: Why Red Flags Trigger Structure, Not Walks

SRS Acquiom's 2025 Deal Terms Study, covering more than 2,200 private-target deals valued at $505 billion, found that "no survival" walk-away R&W constructs fell from 18% in 2024 to 11% in 2025.¹ Concurrently, undisclosed-liability claims doubled since 2022 and now account for 24% of all R&W indemnification claims.²

The proprietary inference: walking has gotten rarer because R&W insurance plus special indemnity plus escrow now absorb risks that would have killed deals in 2019. But this creates a delayed-explosion pattern — disputes shift from pre-close walk to post-close claim. R&W claim payouts hit record levels in 2025: Marsh placed $91.6 billion in transactional-risk limits, up 34% YoY, and AON's North America clients recovered over $1.4 billion through Q4 2024.³⁴

The practical guidance: most red flags now don't trigger walks — they trigger structure. Walk only when (a) Red-severity per the matrix, (b) all three Concentrated Trio tests fail, or (c) the Bain Test cannot be satisfied for cyber or regulated-industry targets.

---

What Counts as a Red Flag in Due Diligence?

A due diligence red flag is any finding during the DD process that materially alters the buyer's risk-return calculation. The 2026 framework groups red flags across six streams:

• Financial — revenue recognition, customer concentration, working capital, debt covenants, deferred revenue mismatch, related-party transactions, cash burn rate
• Legal — pending litigation, IP ownership ambiguity, regulatory inquiries (Wells Notice, FTC, DOJ, OFAC), contract change-of-control, employee misclassification, non-compete enforceability
• Commercial — customer churn trend, single-customer dependency, contract renewal failures, win-rate decline, sales-pipeline coverage ratio, GTM dependency on departing leader
• Operational — key-person risk, single-vendor dependency, systems brittleness, capacity constraints, regulatory licenses lapsed, supplier concentration
• Tech / Cyber — undisclosed breach, OAuth integration sprawl, shadow AI usage, no SOC 2, key engineer departure, vendor supply-chain exposure
• ESG / Regulatory — UFLPA forced labor exposure, CSDDD compliance gap, environmental remediation cost, climate transition risk, governance issues

Inside each stream, individual flags scale across three severity tiers — Yellow (renegotiate price or terms), Orange (pause and condition signing on cure), Red (walk).

---

Stream 1: Financial Red Flags (7 Flags)

F-1. Revenue recognition aggression / ASC 606 non-compliance. QoE report reveals revenue booked before performance obligations met. Severity: Orange. Auditor restatement risk is the single biggest R&W claim severity driver — financial-statements breaches account for 37% of all W&I dollars paid per Marsh 2025.³

F-2. Customer concentration over 30% from a single customer. Top-10 schedule shows one logo over 30% of TTM revenue or top-5 over 60%. Severity: Red above 30% for PE/SBA; Yellow at 10-25%.⁵ Fix: walk if no alternative; otherwise structure 30-50% earnout tied to retention of the concentrated account.

F-3. Working capital target gamed / pre-close stuffing. AR aging stretched, deferred revenue accelerated to revenue, payables held, inventory dumped. SRS Acquiom 2025 found buyers' calculations accepted in 7 of 10 PPA disputes.⁶ Severity: Yellow to Orange. Fix: separate escrow specifically for WC adjustment (now 58% of deals per ABA 2025 Study); independent accounting referee.⁷

F-4. Deferred revenue / billings-revenue mismatch. Cash receipts exceed revenue recognized by an unexplained margin. The highest-frequency QoE finding in SaaS deals.⁸ Severity: Orange. Fix: QoE re-bridge of ARR to GAAP revenue; restrict purchase-price multiple to verifiable revenue.

F-5. Related-party transactions / undisclosed self-dealing. Vendor or customer entities owned by founder, board member, or family. Severity: Orange. This was the central FTX failure mode — Alameda/FTX entity-web overlap was flagged in Tiger Global's DD memo but did not block the $38M check.⁹

F-6. Cash burn rate vs runway misrepresentation. SmileDirectClub filed Chapter 11 in September 2023 and shut down in December 2023 with about $900M debt, having posted a $278M net loss in 2022.¹⁰ Severity: Red if runway under 6 months and unprofitable.

F-7. Debt covenants near tripping / springing covenants. Leverage covenant at 4.0x with TTM EBITDA trending toward 3.9x; undisclosed change-of-control acceleration in the credit agreement. Severity: Orange. Fix: lender waiver as condition to signing.

---

Stream 2: Legal Red Flags (7 Flags)

L-1. Pending litigation with damages over 10% of EV. Severity: Yellow with insurance/escrow; Red if uninsurable. Fix: special indemnity outside R&W cap.

L-2. IP ownership ambiguity. Code commits from contractors without signed assignment agreements; founder pre-incorporation work; university IP. Severity: Orange to Red if core IP affected. Fix: retroactive assignment agreements with consideration; carve-out indemnity.

L-3. Open-source contamination (GPL/AGPL in proprietary product). Software composition analysis reveals copyleft components shipped in commercial product or running as SaaS backend. Per Black Duck 2025 OSSRA, 30% of license conflicts stem from hidden dependencies. AGPL closes the SaaS loophole: network use triggers source-disclosure obligations.¹¹ Severity: Orange.

L-4. Regulatory inquiries — Wells Notice, FTC second request, DOJ/OFAC subpoena. Block paid $175M+ to state regulators and CFPB in 2025 for BSA/AML failures.¹² SEC dismissed many crypto Wells in early 2025 (Coinbase February 27, Robinhood Crypto February 24).¹³ Severity: Orange to Red.

L-5. Contract change-of-control / anti-assignment in top-10 customer contracts. Material customer contracts include change-of-control or anti-assignment with consent rights.¹⁴ Severity: Yellow to Orange. Fix: pre-close consent letters; consent-tax budget; price escrow for non-consenting customers.

L-6. Employee misclassification (1099 vs W-2, exempt vs non-exempt). Material contractor population doing core function; DOL/IRS in renewed enforcement push for 2025.¹⁵ Severity: Yellow. Average exposure $7,000-$15,000 per misclassified worker federal; over $100,000 in CA/NY when state penalties stack.

L-7. Non-compete enforceability post-FTC-rule-vacatur. FTC's 2024 rule was vacated by Texas court August 2024; FTC abandoned the appeal September 2025; California, North Dakota, Minnesota, and Oklahoma effectively ban employee non-competes.¹⁶ Severity: Yellow. Fix: replace non-competes with retention bonuses + non-solicits + gardening leave.

---

Stream 3: Commercial Red Flags (6 Flags)

C-1. Customer churn trend reversal. Net dollar retention dropping over trailing 4 quarters; gross logo churn accelerating; cohort retention curves bending negative. Severity: Orange.

C-2. Sales pipeline coverage ratio under 2.5x. Coverage below industry-normal threshold (3x to 4x for typical 25-33% win rates; 4-7x for enterprise; 7-10x for strategic mega-deals).¹⁷ A target showing pipeline at 2x against a 25% win rate implies a near-certain miss. Severity: Yellow to Orange.

C-3. Win-rate decline against a specific competitor. Win-loss data shows decline of 5+ percentage points YoY; named competitor winning over 60% of head-to-head deals in last 2 quarters. Severity: Yellow.

C-4. Contract-renewal failure in top accounts. Renewal rate below 90% in top-20 customers in last 12 months. Severity: Orange.

C-5. GTM dependency on a single rep, founder, or "GTM whisperer." Sales-by-rep concentration shows one closer over 40% of new ARR. Severity: Orange. Fix: retention package with vesting; non-solicit on departing reps.

C-6. Discounting acceleration / price compression. ASP declining quarter-over-quarter; list-to-net discount widening. Severity: Yellow.

---

Stream 4: Operational Red Flags (5 Flags)

O-1. Key-person risk — founder or CEO or CTO is irreplaceable. Customer references say "we bought because of [founder]"; CRM shows founder on over 30% of deal threads. Severity: Orange. When key employees leave post-close, institutional knowledge walks and customer relationships suffer.¹⁸ Fix: retention packages 25-50% of consideration in unvested equity over 3-4 years; cliff retention bonus at 12 and 24 months.

O-2. Single-vendor dependency. AWS/Stripe/Plaid is over 95% of cost-of-goods with no failover; or one supplier provides a critical input with no qualified second source. Severity: Yellow to Orange. Fix: architecture review; portability plan.

O-3. Systems brittleness / technical debt. Production incidents trending up; sub-100-engineer team running 8+ year-old monolith; uptime metrics not measured. Severity: Yellow. Fix: capex reserve; integration plan that absorbs re-platform cost.

O-4. Capacity / fulfillment constraints. Backlog growing while delivery times slip; manufacturing throughput at over 95% utilization with no expansion plan. Severity: Yellow.

O-5. Regulatory licenses expired / about to lapse. Money-transmitter license, broker-dealer registration, professional licenses with near-expiration or change-of-control triggers. Severity: Orange to Red if revenue depends on the license. Fix: pre-close renewal; consent letters with state regulators.

---

Stream 5: Tech / Cyber Red Flags (6 Flags)

T-1. Undisclosed data breach in last 24 months. Severity: Red post-PowerSchool/Bain. The March 18, 2026 S.D. Cal. ruling allowed Bain's negligence claims to proceed because the breach straddled the October 1, 2024 close — initial intrusions August 16 to September 17, 2024 using stolen vendor credentials, second intrusion December 19 to 28, 2024 discovered December 28, 2024, public disclosure January 7, 2025 — and Bain directed post-close offshoring of cybersecurity functions that allegedly enabled subsequent harms.¹⁹ Cyber claims now reach 42% deal-value impairment per FTI Consulting's March 2026 CISO Redefined III study.²⁰ Fix: walk; or carve-out indemnity outside R&W cap with specific dollar reserve.

T-2. No SOC 2 / ISO 27001 / equivalent certification. Severity: Yellow unless enterprise customer base depends on it. Fix: remediation plan; reserve for compliance investment.

T-3. OAuth-token / third-party integration exposure (SalesLoft Drift pattern). Severity: Orange post-August 2025. The SalesLoft Drift breach affected 700+ orgs (Cloudflare, Google, PagerDuty, Palo Alto, Proofpoint, Zscaler) via stolen OAuth refresh tokens.²¹ Per Verizon DBIR 2025, third-party-involved breaches doubled YoY to 30%.²² Fix: OAuth-audit conditions to closing; reps on no-pending-third-party-breach-notifications.

T-4. Shadow AI / unsanctioned LLM usage. Employees using ChatGPT/Claude/Copilot without enterprise license; no DLP policy. Severity: Yellow. Per IBM 2025 Cost of a Data Breach, shadow AI adds $670K to average breach cost; 97% of AI-related incidents involved organizations lacking AI access controls.²³

T-5. Key engineer / security lead departure in last 90 days. LinkedIn cross-check shows 2+ senior engineers left; security lead transition mid-DD. Severity: Orange. Fix: retention packages for remaining team; interim security consultant during integration.

T-6. Vendor supply-chain exposure (Snowflake / MOVEit pattern). Critical data residency in third-party SaaS without enterprise security review; vendor-risk register not maintained. Severity: Orange. Per IBM 2025, supply-chain compromise is the costliest breach vector.²³

---

Stream 6: ESG / Regulatory Red Flags (5 Flags)

E-1. UFLPA / forced-labor supply-chain exposure. Tier-3 sourcing trace shows polysilicon, cotton, tomato, lithium, caustic soda, copper, red dates, or steel originating in Xinjiang or affiliated regions; supplier on UFLPA Entity List (144 entities, expanded August 2025 from 66 in 2024). Severity: Orange to Red. FY2025 CBP detained 7,325 shipments (+51% YoY); only roughly 6.5% ultimately released.²⁴

E-2. CSDDD / CSRD compliance gap (EU-nexus deals only). Target has EU revenue or operations exposure; no human-rights-and-environmental due-diligence policy. Severity: Yellow currently — Omnibus I narrowed scope; CSDDD compliance now required only for companies with over 5,000 EU employees and over €1.5B EU revenue (non-EU companies require over €450M EU turnover); application date pushed to July 26, 2029.²⁵

E-3. Environmental remediation cost / known-contamination site. Phase I/II environmental assessment reveals contamination; CERCLA exposure. Severity: Orange. Environmental claims tend to be long-tail, expensive, and uninsurable under R&W. Fix: carve-out the asset; specific indemnity outside R&W.

E-4. Climate transition risk / stranded asset exposure. Target operates in oil-gas, coal, cement, steel, or auto-ICE with 5+ year asset life and no decarbonization plan. Severity: Yellow.

E-5. Governance issues — board independence, related-party deals, dual-class structures. Board has no independents or independents are friends/family. Severity: Orange. This was the central FTX failure mode: no board, no CFO, no audit, SBF concentrated control.⁹

---

Frame 1: The Red / Orange / Yellow Severity Matrix

Score each red flag on two axes — materiality (low / medium / high) and curability (easily curable / indemnifiable / uncurable):

The Easily-Curable + Low + Uncurable region is where most "soft red flags" cluster. Red walks sit only in the bottom-right cell.

---

Frame 2: The Concentrated Trio Test

Three concentration tests — fail one, renegotiate. Fail two, pause. Fail all three, walk.

• Customer concentration: Top-1 customer over 30% of revenue OR Top-5 over 60%.⁵
• Vendor concentration: Single supplier/cloud/processor over 70% of COGS with no qualified alternate.
• Key-person concentration: Single founder/exec irreplaceable — defined as departure would (a) cost over 10% of customers in 12 months OR (b) cause over 20% of engineering team to leave.

The Concentrated Trio is the cleanest binary deal-killer test in mid-market SaaS DD. Hawaiian-Alaska 2025 integration losses — net income fell from $395M (2024) to $100M (2025), partly from Hawaiian-revenue mix exposure to single-market Hawaii tourism cycle — illustrate post-close concentration cost.²⁶

---

Frame 3: The Bain Test (Post-March 18, 2026 PE Cyber-DD Standard)

Post the March 18, 2026 S.D. Cal. PowerSchool ruling, PE sponsors face direct liability for portfolio cyber failures rooted in pre-closing conduct. The Bain Test is a 5-point gating standard before signing:¹⁹

1. Independent forensic scan, not seller-provided, before LOI binds.
2. 30-day post-close window: discovery of any breach in this window now triggers sponsor-level liability discussion under the PowerSchool theory.
3. Reps on "no notice of breach" plus a "no constructive knowledge" tail covering vendor/contractor-credential exfiltration.
4. Specific cyber indemnity outside R&W cap, with carve-out from time-bar.
5. Post-close control-failure firewall: any cyber/IT/eng decisions sponsor directs must go through documented governance — PowerSchool held Bain's offshoring directions actionable.

---

Frame 4: The Confirmation Gap

The single highest-yield qualitative red flag is when management's narrative in the meeting doesn't match the documents in the data room. Examples that have killed deals:

• Management said "no SOC 2 findings" — data room contains a Type II report with 17 exceptions.
• CEO claimed "two-year contracts, no churn" — contract sample shows month-to-month auto-renewal language.
• CFO presented EBITDA — QoE bridges out $4M of one-time adds the CFO described as "ongoing."
• Founder said "we never had a breach" — incident-response retainer invoice from prior CISO is in legal billings.

Detection rule: if the third Confirmation Gap surfaces, escalate to a partner-level decision on whether to continue DD. This is the precursor to the FTX archetype: SBF told Sequoia stories that documents would have contradicted. Sequoia did not demand the documents.⁹

---

Frame 5: The Walk Rate (What Buyers Actually Do)

Across SRS Acquiom's 2025 dataset (covering roughly $298B in 1,200+ private-target deals), no-survival "walk-away" R&W constructs fell from 18% (2024) to 11% (2025).¹ Concurrently, undisclosed-liability claims have doubled since 2022 and now account for 24% of all R&W indemnification claims.²

Practical guidance: Most red flags now don't trigger walks — they trigger structure. Walk only when:

• Red-severity per Frame 1 (high materiality + uncurable), OR
• All three Concentrated Trio tests fail, OR
• The Bain Test cannot be satisfied for cyber or regulated-industry targets.

For everything else, the 2026 playbook is special indemnity outside the R&W cap, cyber-specific escrow separately calibrated from the general indemnity escrow, and reps tail-period stacking to cover the long-tail discovery window.

---

Which Red Flag Category Pays Out the Most in R&W Claims?

Financial statement breaches account for only about 13% of W&I notifications by frequency but 37% of all losses paid per Marsh's 2025 Global Transactional Risk Claims data — by far the highest-severity R&W category. Tax claims run about 30% of frequency at 17% of dollars; compliance is roughly balanced at 20% / 20%.

Per Marsh's 2025 Global Transactional Risk Claims data, claims distribute by frequency and severity very differently:³

The structural takeaway: financial statements are 13% of frequency but 37% of dollars paid — making them the single highest-severity category. Buyers who under-weight financial DD pay the most in post-close claims.

---

Honest Comparison: Which Data Room Tool Fits Red Flag Management?

Different DD profiles fit different data room platforms. We use Peony, obviously, but the honest mapping is:

For mid-market and growth-equity DD where the team needs AI-accelerated red flag inventory across 6 streams, Peony is purpose-built. AI auto-indexing organizes 1,500-4,500 documents into a 6-stream folder tree in under 3 minutes. AI extraction lets the DD team ask cross-document questions like "list every red flag mentioned in any QoE, legal memo, or auditor report and quote the supporting language."

---

What Else Do Deal Teams Ask About Red Flags?

What single red flag is most often missed? Founder pre-incorporation IP not assigned to the company. It's a Yellow-to-Red flag depending on materiality, and investors view it as "the company doesn't own its core technology." Fix is retroactive assignments with consideration.

How many red flags typically surface in a mid-market deal? 1-3 material adverse findings per deal, per industry benchmarks. The challenge is not finding them — it's synthesizing them into a top-5 memo with named owners and dollar estimates.

Does R&W insurance cover red flags discovered during DD? No. R&W covers UNDISCLOSED issues. Anything discovered in DD must be carved out and handled via special indemnity or escrow. R&W policies typically pay out only when an issue was unknown at signing.

When does a red flag become "kill the deal" instead of "renegotiate"? When the Severity Matrix puts it in High-Materiality + Uncurable, OR when all three Concentrated Trio tests fail, OR when the Bain Test cannot be satisfied for cyber targets. Otherwise, the 2026 playbook is structure, not walk.

---

Why Does Peony Fit Red Flag Management Across 6 Streams?

Peony is one of several data room platforms for managing DD red flag inventory — not the only fit for every deal. For mid-market and growth-equity DD, the workflow advantages compound:

• AI auto-indexing organizes 1,500-4,500 documents into a 6-stream folder tree (financial, legal, commercial, operational, tech/cyber, ESG/regulatory) in under 3 minutes.
• AI extraction lets the DD team ask cross-document questions like "list every red flag mentioned in any QoE, legal memo, or auditor report and quote the supporting language."
• Per-investor watermarks track which version of a document each internal stakeholder read.
• Screenshot protection prevents sensitive red flag findings from leaking outside the data room — capture attempts are blocked and logged.
• NDA gates with integrated e-signatures stage sensitive findings (cyber DD, regulatory letters, pending litigation) behind a signed CA.
• Page-level analytics show exactly which DD team members read which sections.

Peony Business at $40 per admin per month gives unlimited data rooms with AI Q&A across all uploaded DD documents. Over 4,300 customers use Peony for M&A, fundraising, and DD workflows.

For $200M+ cross-border deals where the M&A bank is the process owner, Datasite or Intralinks remain the conservative defaults — their legacy reflects 25+ years of enterprise M&A workflow design.

---

Related Reading in the DD Cluster

• Due Diligence Mistakes That Kill Deals — 12 buyer-side mistakes with deal anchors
• M&A Due Diligence Process Guide — the canonical end-to-end process map
• Cybersecurity Due Diligence — the 5-axis breach-readiness matrix and full Bain Test
• Third-Party Due Diligence — 5-jurisdiction exposure map
• Vendor Due Diligence Checklist — procurement-led TPRM workflow
• Due Diligence Cost Breakdown — workstream-by-workstream cost ranges
• Investment Due Diligence Checklist — VC and growth-equity DD lens

---

Footnotes and Sources

Footnotes

1. SRS Acquiom, "M&A Deal Terms Study 2025" — https://www.srsacquiom.com/our-insights/deal-terms-study-2025/ . ↩ ↩²

2. Goodwin Procter, "Undisclosed Liability Claims Have Doubled Since 2022" (Sep 2025) — https://www.goodwinlaw.com/en/insights/publications/2025/09/insights-privateequity-undisclosed-liability-claims-have-doubled . ↩ ↩²

3. Marsh, "Global Transactional Risk Insurance Claims Report 2025" — https://www.marsh.com/en/services/private-equity-mergers-acquisitions/insights/global-transactional-risk-insurance-claims-report.html . ↩ ↩² ↩³

4. AON, "2025 Transaction Solutions Global Claims Study" — https://www.aon.com/en/insights/reports/transaction-solutions-global-claims-study . ↩

5. Livmo, "Customer Concentration Risk: How Buyers Price It" (2025) — https://livmo.com/blog/customer-concentration-risk-saas-exit/ . ↩ ↩²

6. SRS Acquiom, "2025 Working Capital Purchase Price Adjustment Study" — https://www.srsacquiom.com/our-insights/2025-working-capital-purchase-price-adjustment-study/ . ↩

7. American Bar Association, "2025 Private Target Mergers & Acquisitions Deal Points Study" — https://www.americanbar.org/groups/business_law/resources/business-law-today/2025-december/aba-2025-private-target-mergers-acquisitions-deal-points-study/ . ↩

8. Deloitte, "Revenue Recognition for SaaS and Software Companies" — https://www.deloitte.com/us/en/services/audit-assurance/articles/revenue-recognition-saas-software-guidance.html . ↩

9. Crain Currency, "FTX founder and CEO Sam Bankman-Fried 'misled and deceived' Sequoia Capital" — https://www.craincurrency.com/investing/ftx-founder-and-ceo-sam-bankman-fried-misled-and-deceived-sequoia-capital-firm-says ; Fortune, "FTX bankruptcy, collapse fueled by venture capital carelessness" — https://fortune.com/2022/11/17/ftx-bankruptcy-bankman-fried-venture-capital-ceo-ray/ . ↩ ↩² ↩³

10. CNN Business, "SmileDirectClub shuts down after filing for bankruptcy" — https://www.cnn.com/2023/12/09/business/smiledirectclub-shutdown-bankruptcy/ . ↩

11. Nixon Peabody, "Open Source Software Risks and Best Practices in M&A" (Oct 15, 2025) — https://www.nixonpeabody.com/insights/articles/2025/10/15/open-source-software-risks-and-best-practices-in-ma . ↩

12. NY DFS, "Superintendent Adrienne A. Harris Secures $40 Million Settlement with Block, Inc." (April 10, 2025) — https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202504101 ; CSBS, "State Regulators Issue $80 Million Penalty to Block, Inc., Cash App for BSA/AML Violations" — https://www.csbs.org/newsroom/state-regulators-issue-80-million-penalty-block-inc-cash-app-bsaaml-violations . ↩

13. Morrison Foerster, "Top 5 SEC Enforcement Developments for February 2025" — https://www.mofo.com/resources/insights/250325-top-5-sec-enforcement-developments-for-february-2025 . ↩

14. TechContracts, "Don't Confuse Change of Control and Assignment Terms" — https://www.techcontracts.com/2020/09/11/dont-confuse-change-of-control-and-assignment-terms/ . ↩

15. Plante Moran, "Navigating worker classification: Your guide to legal, tax, and deal impacts" (November 2025) — https://www.plantemoran.com/explore-our-thinking/insight/2025/11/navigating-worker-classification . ↩

16. Venable LLP, "FTC Non-Compete Enforcement and State Law Restrictions" (October 2025) — https://www.venable.com/insights/publications/2025/10/ftc-non-compete-enforcement-and-state-law ; FTC, "Federal Trade Commission Files to Accede to Vacatur of Non-Compete Clause Rule" (September 2025) — https://www.ftc.gov/news-events/news/press-releases/2025/09/federal-trade-commission-files-accede-vacatur-non-compete-clause-rule . ↩

17. Outreach, "Pipeline coverage: Complete guide to calculation and benchmarks" — https://www.outreach.ai/resources/blog/sales-pipeline-coverage-ratio . ↩

18. Goodwin Procter, "How to Secure and Retain Top Talent in Asset Purchases" (November 2025) — https://www.goodwinlaw.com/en/insights/publications/2025/11/insights-privateequity-ma-how-to-secure-and-retain-top-talent . ↩

19. Womble Bond Dickinson, "Unprecedented: Private Equity Firm Potentially on Hook for Portfolio Company's Data Breach" (March 2026) — https://www.womblebonddickinson.com/us/insights/alerts/unprecedented-private-equity-firm-potentially-hook-portfolio-companys-data-breach . ↩ ↩²

20. FTI Consulting, "CISO Redefined III: Navigating Cybersecurity Risks in Transactions" (March 17, 2026) — https://www.fticonsulting.com/insights/reports/ciso-redefined-navigating-transactions-cybersecurity-landscape . ↩

21. Cloud Security Alliance, "The Salesloft Drift OAuth Supply-Chain Attack" (September 25, 2025) — https://cloudsecurityalliance.org/blog/2025/09/25/the-salesloft-drift-oauth-supply-chain-attack-cross-industry-lessons-in-third-party-access-visibility . ↩

22. Verizon, "2025 Data Breach Investigations Report" — https://www.verizon.com/about/news/2025-data-breach-investigations-report . ↩

23. IBM, "Cost of a Data Breach Report 2025" — https://www.ibm.com/reports/data-breach . ↩ ↩²

24. Troutman Pepper Locke, "Preventing Forced Labor in Global Supply Chains: Key Updates to the 2025 UFLPA Strategy" — https://www.troutman.com/insights/preventing-forced-labor-in-global-supply-chains-key-updates-to-the-2025-uflpa-strategy-and-what-importers-need-to-know/ . ↩

25. Covington & Burling, "EU CSDDD/CSRD Omnibus Published in Official Journal" (February 26, 2026) — https://www.cov.com/en/news-and-insights/insights/2026/02/eu-csddd-csrd-omnibus-published-in-official-journal-transposition-delegated-acts-and-guidelines-are-next . ↩

26. Alaska Air Group, Q1 2025 Earnings Release (April 23, 2025) — https://news.alaskaair.com/wp-content/uploads/2025/04/ALK-Q1-2025-Earnings-Release.pdf . ↩