Cybersecurity Due Diligence in Mergers & Acquisitions. Resources

By Ramyar Daneshgar

Disclaimer: This article is for educational purposes only and does not constitute legal advice. If you require legal guidance specific to your organization, consult with a licensed attorney experienced in cybersecurity and data protection law.

Introduction

Cybersecurity due diligence is a critical component of the mergers and acquisitions (M&A) process, particularly as data breaches, regulatory risks, and system vulnerabilities can materially affect the value of a target company. Acquirers must evaluate the cybersecurity posture of a target to avoid inheriting hidden liabilities or compliance failures that may result in future fines, litigation, or reputational damage. In this guide, I outline how cybersecurity assessments are performed across five phases—each targeting specific areas of operational, technical, legal, and human risk.

Phase 1: Pre-Deal Cybersecurity Risk Scoping

Acquirers begin by identifying critical assets such as:

• Structured and unstructured data repositories (databases, CRM systems, file shares)
• Business-critical applications and APIs
• Cloud infrastructure (AWS, Azure, GCP) and associated IAM roles
• IoT or industrial control systems (ICS) for manufacturing firms

The threat model is customized by sector. For example:

• A fintech firm must consider PCI-DSS, banking trojans, and SIM-swapping attacks.
• A healthtech company must plan for HIPAA, ransomware targeting PHI, and insider misuse.

Open-source intelligence gathering involves:

• Reviewing HaveIBeenPwned and leaked credential dumps
• Checking Shodan/Censys for exposed services
• Reviewing VirusTotal for historical malware associations to domains/IPs
• Monitoring dark web mentions for data trade

Phase 2: Technical and Infrastructure Evaluation

Vulnerability Management

• Review automated scans for known CVEs using tools like Tenable, Qualys
• Inspect vulnerability aging reports (e.g., 60+ day unpatched high-severity CVEs)
• Identify weak protocols in use (e.g., SMBv1, Telnet)

IAM Security

• Verify presence of Privileged Access Management (PAM) solutions (e.g., CyberArk)
• Audit Azure AD and on-prem AD group memberships
• Ensure MFA is enforced on VPN, admin panels, and cloud consoles

Network Controls

• Assess presence and configuration of NGFWs and segmentation policies
• Examine internal VLAN isolation between user workstations and production servers
• Identify exposed RDP, SSH, or remote access tools like TeamViewer

Incident Response Maturity

• Review the documented IR playbook and runbooks
• Confirm last date of tabletop simulation or red team engagement
• Examine integration with EDR/XDR tools (e.g., SentinelOne, CrowdStrike)

Logging & SIEM

• Confirm central log ingestion using tools like Splunk, ELK, or Chronicle
• Check log retention duration and coverage (auth logs, DNS logs, firewall events)
• Ensure logs are immutable and follow chain-of-custody principles

Phase 3: Legal and Regulatory Compliance

Regulatory Alignment

• Map data processing activities to applicable frameworks:
  • GDPR Articles 5–32 for processing, storage, breach notification
  • CCPA/CPRA for consumer opt-outs and data sharing disclosure
  • SOX compliance for public companies' internal control assertions

Historical Legal Issues

• Review past breach disclosures under SEC or state law
• Investigate any settlements with regulatory bodies (e.g., FTC, HHS OCR)
• Examine pending litigation related to cybersecurity negligence or privacy class actions

Contractual Commitments

• Review Data Processing Agreements (DPAs) for breach notification timelines (e.g., 24 vs. 72 hours)
• Scrutinize SaaS vendor agreements for sub-processor clauses
• Check indemnification for data loss, ransomware, or APT compromise

Phase 4: Human Risk and Security Culture

Training & Awareness

• Request completion rates for mandatory security awareness training
• Review logs from phishing simulation platforms (e.g., KnowBe4)
• Verify use of developer secure coding modules (e.g., SecureFlag, AppSecEngineer)

Insider Threat Controls

• Monitor for:
  • High-volume downloads from OneDrive/Dropbox
  • Unusual logins from new geographies or devices
• Ensure device control prevents unauthorized USB device usage
• Review DLP policies on sensitive IP (source code, contracts, PII)

Employee Lifecycle Hygiene

• Confirm deprovisioning times for access revocation (<24 hours from termination)
• Require offboarding checklist tied to HRIS platforms (e.g., Workday)
• Audit ghost accounts or stale admin access

Phase 5: Post-Acquisition Security Integration Plan

Remediation Prioritization

• Use risk heatmaps to rank issues by exploitability and impact
• Develop 30/60/90-day remediation plans with budget alignment
• Use CIS Controls or NIST CSF as benchmarks for target state security

Tool Consolidation

• Plan for:
  • Unifying SIEM platforms (e.g., migrating Splunk to Microsoft Sentinel)
  • Rationalizing endpoint protection (e.g., EDR overlap)
  • Standardizing email security and DNS filtering (e.g., Proofpoint, Cisco Umbrella)

Strategic Risk Management

• Transfer high-risk items to cyber insurance with breach, BI, and regulatory liability riders
• Engage legal counsel to establish cyber risk escrows or indemnity caps in deal terms
• Apply risk acceptance frameworks like FAIR for unremediated legacy risks

Red Flags That Should Delay or Kill a Deal

• No endpoint protection or unsupported antivirus (e.g., AVG Free)
• Unencrypted sensitive databases or S3 buckets
• Credentials stored in plaintext configuration files or Git repos
• Ransomware event within the past 12 months with no disclosure
• Absence of vendor risk management for third-party SaaS integrations

Resources

• NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
• ISO/IEC 27001:2022 – Information security management systems
• CISA M&A Cybersecurity Considerations: https://www.cisa.gov/news-events/news/ma-cybersecurity-considerations
• SANS M&A Security Checklist: https://www.sans.org/blog/ma-security-checklist/
• EY Guide: Cybersecurity in M&A – A Business Risk Too Big to Ignore
• ABA Cybersecurity Legal Handbook (2022 Edition)
• FTC: Start with Security – https://www.ftc.gov/business-guidance/resources/start-security-guide-business
• FAIR Institute: https://www.fairinstitute.org/
• Cobalt.io M&A Cybersecurity Diligence Guide

Sponsored Partner: LawDepot

Secure the Deal with the Right Legal Language
In M&A, overlooked contract terms can become cybersecurity liabilities. LawDepot gives you fast access to attorney-drafted templates — including NDAs, breach notification provisions, indemnity clauses, and data processing agreements — so you can assess and patch legal gaps before closing the deal.

A strong paper trail is just as critical as a secure network.

👉 Start your first document free with LawDepot

Disclosure: TCybersecurityAttorney.com may earn a small commission — at no additional cost to you. We only recommend tools we genuinely trust and believe are valuable to our readers.