Cybersecurity Due Diligence in Mergers & Acquisitions

By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering

Looking for a security engineer? Visit SecurityEngineer.com

Disclaimer: This article is for educational purposes only and does not constitute legal advice.

Introduction

Cybersecurity due diligence is a critical component of the mergers and acquisitions (M&A) process, particularly as data breaches, regulatory risks, and system vulnerabilities can materially affect the value of a target company. Acquirers must evaluate the cybersecurity posture of a target to avoid inheriting hidden liabilities or compliance failures that may result in future fines, litigation, or reputational damage. In this guide, I outline how cybersecurity assessments are performed across five phases—each targeting specific areas of operational, technical, legal, and human risk.

Phase 1: Pre-Deal Cybersecurity Risk Scoping

Acquirers begin by identifying critical assets such as:

• Structured and unstructured data repositories (databases, CRM systems, file shares)
• Business-critical applications and APIs
• Cloud infrastructure (AWS, Azure, GCP) and associated IAM roles
• IoT or industrial control systems (ICS) for manufacturing firms

The threat model is customized by sector. For example:

• A fintech firm must consider PCI-DSS, banking trojans, and SIM-swapping attacks.
• A healthtech company must plan for HIPAA, ransomware targeting PHI, and insider misuse.

Open-source intelligence gathering involves:

• Reviewing HaveIBeenPwned and leaked credential dumps
• Checking Shodan/Censys for exposed services
• Reviewing VirusTotal for historical malware associations to domains/IPs
• Monitoring dark web mentions for data trade

Phase 2: Technical and Infrastructure Evaluation

Vulnerability Management

• Review automated scans for known CVEs using tools like Tenable, Qualys
• Inspect vulnerability aging reports (60+ day unpatched high-severity CVEs)
• Identify weak protocols in use (SMBv1, Telnet)

IAM Security

• Verify presence of Privileged Access Management (PAM) solutions (CyberArk)
• Audit Azure AD and on-prem AD group memberships
• Ensure MFA is enforced on VPN, admin panels, and cloud consoles

Network Controls

• Assess presence and configuration of NGFWs and segmentation policies
• Examine internal VLAN isolation between user workstations and production servers
• Identify exposed RDP, SSH, or remote access tools like TeamViewer

Incident Response Maturity

• Review the documented IR playbook and runbooks
• Confirm last date of tabletop simulation or red team engagement
• Examine integration with EDR/XDR tools (SentinelOne, CrowdStrike)

Logging & SIEM

• Confirm central log ingestion using tools like Splunk, ELK, or Chronicle
• Check log retention duration and coverage (auth logs, DNS logs, firewall events)
• Ensure logs are immutable and follow chain-of-custody principles

Phase 3: Legal and Regulatory Compliance

Regulatory Alignment

• Map data processing activities to applicable frameworks:
  • GDPR Articles 5–32 for processing, storage, breach notification
  • CCPA/CPRA for consumer opt-outs and data sharing disclosure
  • SOX compliance for public companies' internal control assertions

Historical Legal Issues

• Review past breach disclosures under SEC or state law
• Investigate any settlements with regulatory bodies (FTC, HHS OCR)
• Examine pending litigation related to cybersecurity negligence or privacy class actions

Contractual Commitments

• Review Data Processing Agreements (DPAs) for breach notification timelines (24 vs. 72 hours)
• Scrutinize SaaS vendor agreements for sub-processor clauses
• Check indemnification for data loss, ransomware, or APT compromise

Phase 4: Human Risk and Security Culture

Training & Awareness

• Request completion rates for mandatory security awareness training
• Review logs from phishing simulation platforms (KnowBe4)
• Verify use of developer secure coding modules (SecureFlag, AppSecEngineer)

Insider Threat Controls

• Monitor for:
  • High-volume downloads from OneDrive/Dropbox
  • Unusual logins from new geographies or devices
• Ensure device control prevents unauthorized USB device usage
• Review DLP policies on sensitive IP (source code, contracts, PII)

Employee Lifecycle Hygiene

• Confirm deprovisioning times for access revocation (<24 hours from termination)
• Require offboarding checklist tied to HRIS platforms (Workday)
• Audit ghost accounts or stale admin access

Phase 5: Post-Acquisition Security Integration Plan

Remediation Prioritization

• Use risk heatmaps to rank issues by exploitability and impact
• Develop 30/60/90-day remediation plans with budget alignment
• Use CIS Controls or NIST CSF as benchmarks for target state security

Tool Consolidation

• Plan for:
  • Unifying SIEM platforms (migrating Splunk to Microsoft Sentinel)
  • Rationalizing endpoint protection (EDR overlap)
  • Standardizing email security and DNS filtering (Proofpoint, Cisco Umbrella)

Strategic Risk Management

• Transfer high-risk items to cyber insurance with breach, BI, and regulatory liability riders
• Engage legal counsel to establish cyber risk escrows or indemnity caps in deal terms
• Apply risk acceptance frameworks like FAIR for unremediated legacy risks

Red Flags That Should Delay or Kill a Deal

• No endpoint protection or unsupported antivirus (AVG Free)
• Unencrypted sensitive databases or S3 buckets
• Credentials stored in plaintext configuration files or Git repos
• Ransomware event within the past 12 months with no disclosure
• Absence of vendor risk management for third-party SaaS integrations

Resources

• NIST SP 800-115: Technical Guide to Information Security Testing and Assessment: https://csrc.nist.gov/pubs/sp/800/115/final
• ISO/IEC 27001:2022 – Information security management systems: https://www.iso.org/standard/27001
• CISA M&A Cybersecurity Considerations: https://www.cisa.gov/news-events/news/ma-cybersecurity-considerations
• SANS M&A Security Checklist: https://www.sans.org/blog/ma-security-checklist/
• EY Guide: Cybersecurity in M&A – A Business Risk Too Big to Ignore
• ABA Cybersecurity Legal Handbook (2022 Edition) - https://www.ey.com/en_us/services/strategy-transactions/cybersecurity-mergers-acquisitions-divestments
• FTC: Start with Security – https://www.ftc.gov/business-guidance/resources/start-security-guide-business
• FAIR Institute: https://www.fairinstitute.org/

Next Steps: Turn Due Diligence Into Defense
Cyber risk in M&A doesn’t end at the closing table. From legacy breach exposure to unpatched systems and vague indemnity clauses, the liabilities you inherit can surface months—or years—later.

Looking for a security engineer? Visit SecurityEngineer.com

Need a Cybersecurity Attorney?
Get top legal guidance in breach response, data privacy, and cybersecurity compliance. Connect with attorneys who know how to defend against audits, investigations, and liability.
👉 Hire a Cybersecurity Attorney