The Seller’s Admin Account Is a Closing Risk

If the seller still owns the domain, cloud tenant or recovery path at close, the buyer has acquired an asset it cannot fully control.

The answer

Legal ownership can transfer while the seller retains the account capable of changing everything. A founder owns the cloud tenant. The parent company controls the domain. A seller administrator remains the recovery contact.

Legal ownership can transfer while the seller retains the account capable of changing everything.

A founder owns the cloud tenant. The parent company controls the domain. A seller administrator remains the recovery contact. These are not post-close housekeeping items. They are conditions of control.

Identify sovereign accounts

Find identities that can create administrators, change recovery, export data, disable logging or suspend service. Include vendor master accounts and personal developer profiles.

Value object — The Closing Control Schedule

- System and sovereign account.

- Current holder.

- Transfer or replacement method.

- Evidence required at close.

- Interim seller right.

- Containment if transfer fails.

Do not accept password handover

Transfer ownership through the provider, rotate factors, validate recovery and remove seller sessions. Preserve necessary evidence.

The shares can close on Friday. Operational sovereignty should not be left for Monday.

Where this breaks

Closing teams may accept screenshots showing new ownership without testing provider recognition, sessions or recovery. The seller can remain capable of regaining control.

The operating move

Make transfer a demonstrated outcome: buyer-owned identity, rotated factors, verified recovery, removed seller sessions and independent provider confirmation.

Identify every sovereign account.

Transfer through the provider.

Rotate dependent machine credentials.

Preserve closing evidence.

The test

After close, attempt recovery using the seller’s former contacts. Success means the control condition was never satisfied.

Sources

  1. NIST: Cybersecurity Framework 2.0NIST: Cybersecurity Framework 2.0

    Primary authority

  2. NIST SP 1305: Cybersecurity Supply Chain Risk ManagementNIST SP 1305: Cybersecurity Supply Chain Risk Management

    Primary authority

  3. FINMA: Risk Monitor 2025FINMA: Risk Monitor 2025

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
The Seller’s Admin Account Is a Closing Risk \