Decision Memo: Remediate Before Close or Contain After?

Some findings must be fixed before ownership changes. Others are safer to contain and remediate under buyer control. Decide by consequence and proof.

The answer

Diligence has identified a material technical weakness. The parties must decide whether the seller fixes it before close or the buyer contains it and remediates after control transfers.

Situation

Diligence has identified a material technical weakness. The parties must decide whether the seller fixes it before close or the buyer contains it and remediates after control transfers.

Remediate before close when

- The weakness could prevent lawful or practical transfer of control.

- The seller holds unique access, knowledge or contractual leverage that disappears at close.

- Connection to the buyer would create intolerable exposure.

- Completion can be verified without destabilising the business.

Risk: rushed seller remediation can destroy evidence, create outages or produce superficial compliance.

Contain after close when

- The buyer has stronger capability and direct control of the end state.

- The issue can be isolated without exposing the buyer or customers.

- Seller changes would interfere with evidence, operations or negotiation.

- The deal mechanism preserves budget, access, people and accountability.

Risk: “after close” becomes permanent when commercial priorities take over.

Decision rule

Compare maximum consequence before remediation, ability to contain, quality of acceptance evidence, dependency on seller personnel and cost of delay. If containment cannot bound the consequence, remediation is a closing condition. If remediation cannot be safely proven before close, use quarantine, holdback and a dated buyer-controlled plan.

Recommendation

Write the end state before choosing timing. Name the control that must exist, evidence that proves it, responsible party, funding, deadline and failure consequence. Avoid negotiating verbs—“enhance,” “improve,” “address”—that conceal an undefined destination.

Sources

  1. NIST Cybersecurity Framework 2.0NIST Cybersecurity Framework 2.0

    Primary authority

  2. NIST — Cybersecurity Supply Chain Risk ManagementNIST

    Primary authority

Ross BelhommePartner, Svperior / Legal

Adam J. De Collibus

Adam co-founded Svperior and leads systems engineering from requirements through implementation. His work connects architecture, implementation, deployment, and operating discipline across complex environments where failure must be anticipated and technical capability must remain dependable under pressure.

Systems engineering / Technical architecture / Production operations / Operating resilience

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
Decision Memo: Remediate Before Close or Contain After?