Cybersecurity Due Diligence in Mergers & Acquisitions

Ramyar Daneshgar

Ramyar Daneshgar

3 min read

By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering

Introduction

Cybersecurity due diligence is a critical component of the mergers and acquisitions (M&A) process, particularly as data breaches, regulatory risks, and system vulnerabilities can materially affect the value of a target company. Acquirers must evaluate the cybersecurity posture of a target to avoid inheriting hidden liabilities or compliance failures that may result in future fines, litigation, or reputational damage. In this guide, I outline how cybersecurity assessments are performed across five phases - each targeting specific areas of operational, technical, legal, and human risk.

Phase 1: Pre-Deal Cybersecurity Risk Scoping

Acquirers begin by identifying critical assets such as:

  • Structured and unstructured data repositories (databases, CRM systems, file shares)
  • Business-critical applications and APIs
  • Cloud infrastructure (AWS, Azure, GCP) and associated IAM roles
  • IoT or industrial control systems (ICS) for manufacturing firms

The threat model is customized by sector. For example:

  • fintech firm must consider PCI-DSS, banking trojans, and SIM-swapping attacks.
  • healthtech company must plan for HIPAA, ransomware targeting PHI, and insider misuse.

Open-source intelligence gathering involves:

  • Reviewing HaveIBeenPwned and leaked credential dumps
  • Checking Shodan/Censys for exposed services
  • Reviewing VirusTotal for historical malware associations to domains/IPs
  • Monitoring dark web mentions for data trade

Phase 2: Technical and Infrastructure Evaluation

Vulnerability Management

  • Review automated scans for known CVEs using tools like Tenable, Qualys
  • Inspect vulnerability aging reports (60+ day unpatched high-severity CVEs)
  • Identify weak protocols in use (SMBv1, Telnet)

IAM Security

  • Verify presence of Privileged Access Management (PAM) solutions (CyberArk)
  • Audit Azure AD and on-prem AD group memberships
  • Ensure MFA is enforced on VPN, admin panels, and cloud consoles

Network Controls

  • Assess presence and configuration of NGFWs and segmentation policies
  • Examine internal VLAN isolation between user workstations and production servers
  • Identify exposed RDP, SSH, or remote access tools like TeamViewer

Incident Response Maturity

  • Review the documented IR playbook and runbooks
  • Confirm last date of tabletop simulation or red team engagement
  • Examine integration with EDR/XDR tools (SentinelOne, CrowdStrike)

Logging & SIEM

  • Confirm central log ingestion using tools like Splunk, ELK, or Chronicle
  • Check log retention duration and coverage (auth logs, DNS logs, firewall events)
  • Ensure logs are immutable and follow chain-of-custody principles

Regulatory Alignment

  • Map data processing activities to applicable frameworks:
    • GDPR Articles 5–32 for processing, storage, breach notification
    • CCPA/CPRA for consumer opt-outs and data sharing disclosure
    • SOX compliance for public companies' internal control assertions

  • Review past breach disclosures under SEC or state law
  • Investigate any settlements with regulatory bodies (FTC, HHS OCR)
  • Examine pending litigation related to cybersecurity negligence or privacy class actions

Contractual Commitments

  • Review Data Processing Agreements (DPAs) for breach notification timelines (24 vs. 72 hours)
  • Scrutinize SaaS vendor agreements for sub-processor clauses
  • Check indemnification for data loss, ransomware, or APT compromise

Phase 4: Human Risk and Security Culture

Training & Awareness

  • Request completion rates for mandatory security awareness training
  • Review logs from phishing simulation platforms (KnowBe4)
  • Verify use of developer secure coding modules (SecureFlag, AppSecEngineer)

Insider Threat Controls

  • Monitor for:
    • High-volume downloads from OneDrive/Dropbox
    • Unusual logins from new geographies or devices
  • Ensure device control prevents unauthorized USB device usage
  • Review DLP policies on sensitive IP (source code, contracts, PII)

Employee Lifecycle Hygiene

  • Confirm deprovisioning times for access revocation (<24 hours from termination)
  • Require offboarding checklist tied to HRIS platforms (Workday)
  • Audit ghost accounts or stale admin access

Phase 5: Post-Acquisition Security Integration Plan

Remediation Prioritization

  • Use risk heatmaps to rank issues by exploitability and impact
  • Develop 30/60/90-day remediation plans with budget alignment
  • Use CIS Controls or NIST CSF as benchmarks for target state security

Tool Consolidation

  • Plan for:
    • Unifying SIEM platforms (migrating Splunk to Microsoft Sentinel)
    • Rationalizing endpoint protection (EDR overlap)
    • Standardizing email security and DNS filtering (Proofpoint, Cisco Umbrella)

Strategic Risk Management

  • Transfer high-risk items to cyber insurance with breach, BI, and regulatory liability riders
  • Engage legal counsel to establish cyber risk escrows or indemnity caps in deal terms
  • Apply risk acceptance frameworks like FAIR for unremediated legacy risks

Red Flags That Should Delay or Kill a Deal

  • No endpoint protection or unsupported antivirus (AVG Free)
  • Unencrypted sensitive databases or S3 buckets
  • Credentials stored in plaintext configuration files or Git repos
  • Ransomware event within the past 12 months with no disclosure
  • Absence of vendor risk management for third-party SaaS integrations

Resources

Read more

The Cybersecurity Information Sharing (WIMWAG) Act at a Crossroads: Renewal, Revision, and Privacy Concerns

By Ramyar Daneshgar Security Engineer | USC Viterbi School of Engineering Disclaimer: This article is for educational purposes only and does not constitute legal advice. Executive Summary The Cybersecurity Information Sharing Act (CISA), originally enacted in 2015, has served as the legal foundation for cybersecurity cooperation between the private sector and

By Ramyar Daneshgar