What is M&A cybersecurity due diligence?

M&A cybersecurity due diligence is the discipline of assessing the cyber risk an acquirer takes on when it buys a target company, sized to the access window the seller authorises, tagged for deal impact so the deal team can price the risk into the negotiation, and carried through into the day-one cutover and the post-close integration on a single defensible record. It runs across three phases: pre-close (LOI through signing, when access is constrained to what the seller authorises in the data room and the agreed external assessment scope), day-one (signing through legal close, when the acquirer plans privileged-account containment, credential rotation, network isolation, and third-party access revalidation for the moment of legal close), and post-close (integration through the warranty period, when the acquirer assesses the target with full credentialed access, runs authenticated scanning, completes the integration-specific reviews, and rolls residual findings into the acquirer remediation cadence). The work is owned by the acquirer security team in partnership with corporate development, legal, and the integration leads, and it sits alongside financial, operational, legal, regulatory, and HR due diligence rather than substituting for any of them.

How is M&A cyber due diligence different from third-party vendor risk assessment?

Third-party vendor risk assessment governs an ongoing supplier relationship: the acquirer buys a service from the vendor on an ongoing basis, the vendor remains a separate legal entity, and the assessment cadence repeats annually or on a material-change trigger. M&A cybersecurity due diligence governs a one-off transactional event: the acquirer is buying the target itself, the target ceases to be a separate counterparty at legal close, the security debt and posture history of the target become the security debt and posture history of the acquirer, and the assessment is constrained to the access window the seller authorises rather than to a full audit. The two disciplines share evidence sources (third-party pentest reports, audit packs, scanner exports, prior questionnaire responses) but the decision shape is different: vendor risk asks "do we keep buying from this supplier", deal cyber DD asks "do we close, renegotiate, or walk, and what does the integration roadmap look like on day one and through the warranty window".

When does the acquirer security team get involved in an M&A transaction?

The acquirer security team should be involved no later than the letter of intent (LOI) stage, when the deal becomes specific enough to scope diligence work and when the seller is signing exclusivity. Earlier involvement, during target screening, is valuable on portfolio-style deals where the corporate development team is evaluating multiple targets and wants a security signal alongside the financial and operational signals. Late involvement (after exclusivity, after diligence has started, after a price has been negotiated) compresses the assessment window, leaves the deal team without a security signal for the price negotiation, and routinely produces post-close discoveries that should have been surfaced during the data-room window. The pattern that fails is "security gets notified after legal needs the SPA security schedule": by the time the schedule is being drafted, the seller has already framed the disclosure perimeter and the acquirer security team is reacting to seller-controlled artefacts rather than driving the assessment plan. The pattern that works is "security is at the LOI signing meeting": the engagement is opened, the deal team has a named security lead, and the assessment plan is sequenced against the agreed access window.

What are the common cybersecurity red flags in M&A due diligence?

Seven recurring red flags trigger deeper assessment or renegotiation. (1) Material incident in the trailing 36 months that the target cannot evidence as fully contained, including the after-action review, the regulator notifications made, and the residual remediation status. (2) No current external pentest or vulnerability assessment, or the most recent assessment is older than 12 months for an in-scope production estate. (3) No demonstrated MFA enforcement on administrative interfaces, including the identity provider, cloud admin consoles, and source-code platform. (4) No current data-flow map and no documented data inventory; the target cannot answer "where is customer data" with a defensible record. (5) Significant contractor or contractor-style account population without a documented offboarding cadence, producing a leaver-account backlog at the moment of close. (6) Third-party SaaS sprawl without an inventory, particularly when the target operates customer-data-bearing SaaS without a vendor-risk discipline. (7) Source-code custody questions: code in personal repositories, secret-leak history, source-code access not bound to the identity provider, or the absence of basic code-scanning hygiene. Any one of these does not necessarily fail the deal, but each maps to a specific SPA representation and warranty, an escrow trigger, or a day-one runbook step the acquirer security team has to plan for.

How does the diligence report translate into the SPA representations and warranties?

The diligence findings flow into the SPA security schedule and into the representations and warranties (R&Ws) the seller makes. A defensible chain runs as follows: every material finding on the diligence record carries a deal-impact tag (price-affecting, escrow trigger, day-one must-fix, post-close integration item, disclosure-only). The legal team uses the diligence record as the source for the negotiated R&Ws, the disclosure schedule the seller signs, and the indemnity and escrow structures the deal team agrees. Common cybersecurity R&Ws include (a) representations on the absence of material breach in a defined trailing window, (b) compliance with applicable cybersecurity laws and regulations, (c) compliance with the target operative cybersecurity policies, (d) the existence and currency of named compliance certifications (SOC 2, ISO 27001, PCI DSS), (e) the disclosure of all material third-party assessments and material findings, and (f) the disclosure of any pending or threatened regulatory inquiry related to cybersecurity. The diligence record is the evidence that supports the R&W chain. After close, when a post-close finding contradicts a seller representation, the diligence record is what the legal team reads to determine whether the seller breached an R&W. The diligence work that lives only in a slide deck cannot evidence the R&W chain when it matters.

What goes into a day-one cybersecurity runbook?

The day-one cybersecurity runbook is the sequenced set of controls that fire at the moment of legal close. Core elements include: (1) privileged-account containment on the target identity provider, source-code platform, cloud admin consoles, and high-blast-radius SaaS tenants, with the target legal-close access list pre-approved and the seller-side privileged accounts revalidated; (2) credential rotation for shared service accounts, infrastructure keys, code-signing keys, third-party API tokens, and any credentials the data-room access window exposed; (3) network isolation decisions on the target VPN, VPCs, and corporate network, with the agreed isolation posture documented so the integration team executes a known plan rather than improvising; (4) third-party access revalidation against the target supplier inventory, with the agreed cutover plan for shared-with-seller third parties (legal services, accounting, advisory) that should no longer hold target access; (5) MFA enforcement breadth verified across the operative identity provider footprint; (6) detection-content readiness: the acquirer SOC takes routing for target alerts, alert sources are inventoried, and the acquirer SOC has a working hypothesis on the target detection coverage gaps; (7) communications: customer notification posture, employee notification posture, regulator notification posture for any required disclosures; (8) evidence custody: the seller-side artefacts the diligence team relied on are preserved with provenance so the legal team can defend the R&W chain through the warranty period. The runbook lives on the same engagement record as the pre-close diligence so the closing team reads what the diligence team learned.

How does sell-side cyber readiness affect the deal?

A target that has prepared a cyber-evidence pack before going to market measurably affects deal velocity and price. Sell-side readiness typically includes: a current SOC 2 Type 2 report or ISO 27001 certificate with the operative scope clearly documented, a current external pentest report from a reputable provider, a current vulnerability management summary including the operative SLA discipline and the backlog age distribution, a documented data inventory and data-flow map for the in-scope estate, the operative cybersecurity policy set, the incident register for the trailing 36 months with disclosure history where applicable, the third-party vendor inventory with risk classifications, the operative identity and access posture (MFA enforcement, SSO breadth, privileged-account discipline, leaver hygiene), and the operative compliance evidence pack mapped to the frameworks the target carries. A target with this pack moves faster through diligence, takes fewer R&W discounts, and is more likely to close on the originally agreed price. A target without this pack burns the access window on basic discovery, takes price impact on every gap the diligence assessment cannot resolve in time, and routinely retrades during the diligence period as findings surface. Sell-side cyber readiness is the same operating discipline a mature security programme runs anyway; M&A is the moment the work becomes legible to the deal team.

← Back to Blog

Enterprise16 May 202618 min read

M&A Cybersecurity Due Diligence: A Practical Guide

M&A cybersecurity due diligence is the discipline of assessing the cyber risk an acquirer takes on when it buys a target company, sized to the access window the seller authorises, tagged for deal impact so the deal team can price the risk into the negotiation, and carried through into the day-one cutover and the post-close integration on a single defensible record. For CISOs, GRC and compliance leaders, corporate development teams, integration leads, internal security teams, AppSec teams, and the deal-team lawyers who draft the SPA security schedule, the diligence shape is now the operating norm on transactions where the target holds regulated data, runs customer-data-bearing software, or carries a non-trivial external attack surface. This guide covers the three-phase lifecycle (pre-close, day-one, post-close), the diligence scope contract, evidence sources, deal-impact tagging, walk-away thresholds, SPA representations and warranties, the day-one runbook, integration roadmap sequencing, sell-side readiness, and the audit-grade evidence trail that makes the diligence work defensible against the next external audit and the next post-close discovery item. It pairs with the operational workflow on M&A security due diligence on platform.

What M&A Cybersecurity Due Diligence Actually Is

M&A cybersecurity due diligence is one of the assessment workstreams the acquirer runs in parallel with financial, operational, legal, regulatory, tax, and HR diligence on a target. It exists to answer three questions for the deal team. What cyber risk is the acquirer buying. What evidence does the seller provide that the risk is bounded. What does the integration roadmap look like from the moment the deal closes through the end of the warranty period.

Three constraints shape the work and separate it from the rest of the acquirer security programme. First, the access window is finite. The seller authorises a specific scope, a specific window, and a specific set of activities through the data room and the agreed external assessment plan. Diligence work outside that window is out of scope until the seller extends the authorisation. Second, the evidence the acquirer can verify pre-close is constrained to what the seller surfaces and to what external assessment can independently observe. The credentialed assessments the acquirer security team would run on its own estate are not authorised pre-close. Third, the work feeds a transactional decision and a legal instrument (the SPA) rather than a steady-state operating record. The output has to be legible to the deal team, the legal team, and the integration leads, not just to the security team.

The discipline sits inside a wider corporate-development process the security team participates in rather than owns. Corporate development drives the deal calendar. Legal owns the SPA and the disclosure schedule. The integration leads own the post-close roadmap. The acquirer security team owns the cyber assessment, the deal-impact tagging on cyber findings, the day-one cybersecurity runbook, and the post-close cyber integration backlog. The work runs cleanly when these boundaries are explicit at the LOI stage and runs poorly when they are not.

The Three-Phase Lifecycle

Every M&A cyber DD engagement runs in three phases. Each phase has its own access posture, its own deliverable, and its own audience.

Phase 1: Pre-close (LOI through signing)

The pre-close phase is constrained by the data-room access window the seller authorises and by the external assessment scope the parties agree. The deliverable is a diligence summary the deal team and the legal team can read against the SPA negotiation, with material findings tagged for price impact, escrow trigger, R&W carve-out, day-one must-fix, post-close integration item, or disclosure-only. The audience is the corporate-development lead, the deal-team lawyers, the CFO, and the acquirer CISO. Pre-close is the phase where the acquirer decides whether to proceed, renegotiate, or walk; the cybersecurity input has to be available before the price is locked.

Phase 2: Day-one (signing through legal close)

The day-one phase is the operational handover from a target the acquirer cannot touch to a target the acquirer is responsible for. The deliverable is a day-one cybersecurity runbook the acquirer security team executes within hours of legal close, with named owners, sequencing, dependency map, and verification checkpoints the integration leads sign off on. The audience is the integration project management office, the acquirer SOC, the target IT operations team if they are staying, and the closing team. Day-one is the phase where credential rotation, privileged-account containment, network isolation, third-party access revalidation, and detection routing happen.

Phase 3: Post-close (integration through warranty period)

The post-close phase is where the acquirer learns what the data-room access window did not show. The deliverable is an integration evidence pack for the next external audit cycle, a residual-risk register for the security committee, and a remediation roadmap sequenced by integration risk rather than raw severity. The audience is the acquirer security committee, the acquirer audit committee, the external auditor, and the long-term integration steering group. Common gate milestones are 30 days, 90 days, 180 days, and 12 months, with explicit acceptance criteria at each.

The Diligence Scope Contract

Cyber DD that does not start with an explicit scope contract burns the access window on negotiation rather than assessment. The scope contract is six fields agreed between the acquirer and the seller before the assessment begins. Each field, if missing, becomes a friction point during the assessment window.

Scope field	What it pins down
Deal stage and access window	The current stage (LOI, due diligence, exclusivity, signing, closing) and the date range during which the seller authorises data-room access and external assessment activity. Two to six weeks is typical; longer on regulated transactions, shorter on competitive auctions.
Authorised assessment activity	The activities the seller permits during the diligence window. External scanning against named target domains is common; authenticated scanning is rare pre-close; code-level review is rare and usually requires a clean-room arrangement.
In-scope target assets	The verified target domains, the cloud properties the seller exposes for review, the repositories the seller is willing to share, the third-party SaaS the target operates that the seller introduces, and the carve-out boundary on partial-acquisition deals.
Seller-provided artefacts	The third-party pentest reports, audit packs, scanner exports, prior security questionnaire responses, compliance certifications, and incident-response history captured on the engagement with date received, source contact, and artefact reference.
Deal-team and target-side counterparts	Named deal-team members on the acquirer side (corporate development, legal, integration leads, security leadership) and named target-side counterparts (CISO, head of IT, head of engineering, deal sponsor) so questions route to a person and not to a deal lawyer for every clarification.
Deliverable cadence and audience	The interim deliverable cadence (typically weekly during the access window), the final deliverable date relative to the signing milestone, and the named audience for each deliverable. Misalignment here is the largest source of timing friction.

The scope contract sits on the engagement record alongside the assessment findings so the deal team, the legal team, and the integration leads all read the same boundary. Activities outside the contract are out of scope until the seller extends the agreement; the engagement record carries the extension trail.

The Six Question Clusters That Drive Most Outcomes

Mature cyber DD organises around six question clusters. The prioritisation policy across these clusters against the agreed access window is the diligence plan; everything else is execution.

1. Incident history (trailing 36 months)

Has the target experienced a material cybersecurity incident in the last 36 months. What was the scope, what was disclosed, and what regulatory or contractual notifications were made. The answers map directly to SPA disclosure obligations and to escrow and indemnity structures. The cluster also drives the practitioner read of the target maturity: a target that can produce after-action reviews, a documented decision register, and the regulator notification trail signals a different posture than a target whose incident history lives in tribal knowledge. SEC Item 1.05 materiality applies to US public-company targets and to subsidiaries where in scope.

2. Regulated-data exposure and compliance posture

What regulated data classes does the target hold (PCI cardholder data, PHI under HIPAA, EU personal data under GDPR, US state-regulated data, sector-specific data). What compliance evidence does the target carry (SOC 2 Type 2, ISO 27001, PCI DSS attestation, HITRUST). Where does the data reside. The cluster drives whether the deal triggers regulatory notification or change-of-control obligations, and whether the integration changes the acquirer compliance scope. SOC 2, ISO 27001, and PCI DSS are the most common compliance frames the target carries.

3. Third-party and supply-chain exposure

Which third-party providers does the target rely on for critical paths. What is the contractual notification posture, and is there a current third-party incident history. The cluster reads against the wider operating discipline of third-party vendor risk assessment, and the answers feed both the SPA disclosure and the day-one third-party access revalidation runbook.

4. Intellectual-property and source-code custody

Where is the source code. Who has access. Are there prior secret-leak incidents. What code-scanning hygiene has the target operated. The cluster drives the IP-leakage assessment that often sits at the centre of the deal rationale on technology acquisitions, and it drives the day-one source-code access revalidation and the post-close code-scanning baseline.

5. Identity and access posture

MFA enforcement breadth, privileged-account discipline, leaver-account hygiene, OAuth grant lifecycle, federation and SSO posture. The cluster is the largest single driver of the day-one runbook scope and the cluster the acquirer security team can most directly verify during the access window through MFA enforcement attestation, named privileged-account list, and federation configuration review.

6. Infrastructure exposure and vulnerability programme

The external attack surface, cloud configuration posture, vulnerability management cadence and backlog age, patch SLA discipline, and the operational evidence the security team can produce on each. The cluster reads against the wider vulnerability management programme guide and produces the bulk of the residual-risk register that flows into post-close integration planning.

Seven Cybersecurity Red Flags That Trigger Renegotiation

Across most enterprise transactions, seven red flags recur. Any one does not necessarily fail the deal, but each maps to a specific SPA representation, an escrow trigger, a day-one runbook step, or a post-close integration commitment the acquirer security team has to plan for and the deal team has to price.

Material incident in the trailing 36 months that the target cannot evidence as fully contained, including the after-action review, the regulator notifications made, and the residual remediation status.
No current external pentest or vulnerability assessment or the most recent assessment is older than 12 months for an in-scope production estate. The gap maps to an external assessment commitment in the post-close integration plan and often to a price impact.
No demonstrated MFA enforcement on administrative interfaces including the identity provider, cloud admin consoles, and source-code platform. The gap maps to a day-one MFA enforcement runbook step and to a representation question on the SPA security schedule.
No current data-flow map and no documented data inventory the target cannot answer the basic question of where customer data lives with a defensible record. The gap maps to a post-close data discovery commitment and often to a regulatory notification risk.
Contractor population without offboarding cadence producing a leaver-account backlog at the moment of close that the acquirer security team inherits. The gap maps to a day-one access-revocation runbook step.
Third-party SaaS sprawl without an inventory particularly when the target operates customer-data-bearing SaaS without a vendor-risk discipline. The gap maps to a post-close SaaS inventory and vendor-risk catch-up commitment.
Source-code custody concerns code in personal repositories, secret-leak history, source-code access not bound to the identity provider, or the absence of basic code-scanning hygiene. The gap maps to a day-one source-code access revalidation step and to a representation question on IP custody.

Deal-Impact Tagging on Cyber Findings

Pre-close cyber findings are not just severity-tagged; they are deal-impact tagged so the deal team can extract the negotiation-relevant findings without re-reading the full backlog and the integration team can sequence the day-one runbook directly from the diligence output. The standard tag set has five categories.

Tag	What it means
Price-affecting	The finding is material enough that the deal team should adjust the purchase price, the indemnity structure, or the escrow basket to compensate for the risk.
Escrow trigger	The finding maps to a specific escrow basket: an amount the seller leaves in escrow until a defined post-close milestone (remediation complete, audit clear, no regulator action) is reached.
Day-one must-fix	The finding requires action at the moment of legal close: credential rotation, privileged-account containment, third-party access revocation, MFA enforcement, network isolation.
Post-close integration item	The finding becomes part of the acquirer remediation backlog after close, with a defined target milestone (30/90/180/365 days).
Disclosure-only	The finding is documented in the SPA disclosure schedule but does not require pricing, escrow, day-one action, or active integration; it is captured so the seller cannot later claim non-disclosure.

The tagging is what makes the diligence record useful to four different audiences from the same source. The CISO reads severity and remediation sequencing. The corporate-development lead reads price-affecting and escrow triggers. The legal team reads the disclosure schedule and the R&W evidence chain. The integration lead reads day-one must-fix items and the post-close integration roadmap. A diligence record that carries severity but not deal-impact tagging produces three reconciliations later: one for the deal team, one for legal, and one for the integration team.

Translation From Diligence Record to SPA

The diligence findings flow into the SPA security schedule and into the representations and warranties the seller makes. The chain is direct: every material finding on the diligence record carries a deal-impact tag, the legal team uses the diligence record as the source for the negotiated R&Ws, the disclosure schedule the seller signs, and the indemnity and escrow structures the deal team agrees. Common cybersecurity R&Ws on enterprise transactions include:

Representations on the absence of material breach in a defined trailing window, typically 24 to 36 months, with carve-outs scheduled for events the target has disclosed.
Compliance with applicable cybersecurity laws and regulations, with named regimes (HIPAA, GLBA, GDPR, state breach laws, sector-specific) where the target operates.
Compliance with the target operative cybersecurity policies and with published commitments (privacy policy, security page, contractual customer commitments).
Existence and currency of named compliance certifications (SOC 2 Type 2, ISO 27001, PCI DSS attestation, HITRUST) with copies attached to the disclosure schedule.
Disclosure of all material third-party assessments and material findings, including third-party pentests, internal audits, and consultant assessments in the trailing assessment window.
Disclosure of any pending or threatened regulatory inquiry, customer breach claim, or contractual cybersecurity dispute related to the target.

The diligence record is the evidence that supports the R&W chain. After close, when a post-close finding contradicts a seller representation, the diligence record is what the legal team reads to determine whether the seller breached an R&W and to support an indemnity claim against the escrow basket. The diligence work that lives only in a slide deck cannot evidence the R&W chain when it matters; the diligence work that lives on a structured record with date stamps, evidence files, and decision capture can.

The Day-One Cybersecurity Runbook

The day-one cybersecurity runbook is the sequenced set of controls that fire at the moment of legal close. It is planned during the signing-to-close window and executed within hours of legal close. The standard runbook covers eight workstreams, with explicit owners and verification checkpoints on each.

Privileged-account containment on the target identity provider, source-code platform, cloud admin consoles, and high-blast-radius SaaS tenants, with the target legal-close access list pre-approved and the seller-side privileged accounts revalidated.
Credential rotation for shared service accounts, infrastructure keys, code-signing keys, third-party API tokens, and any credentials the data-room access window exposed. The rotation plan is sequenced so dependent systems do not break at the moment of rotation.
Network isolation decisions on the target VPN, VPCs, and corporate network, with the agreed isolation posture documented so the integration team executes a known plan rather than improvising under time pressure.
Third-party access revalidation against the target supplier inventory, with the agreed cutover plan for shared-with-seller third parties (legal services, accounting, advisory) that should no longer hold target access.
MFA enforcement verification across the operative identity provider footprint, with a named owner for any tenant where MFA enforcement was pending at signing.
Detection-content readiness: the acquirer SOC takes routing for target alerts, alert sources are inventoried, and the acquirer SOC has a working hypothesis on the target detection coverage gaps that the post-close assessment will quantify.
Communications: customer notification posture, employee notification posture, regulator notification posture for any disclosures the deal triggers (change of control, sector-specific notifications, customer-contract notifications).
Evidence custody: the seller-side artefacts the diligence team relied on are preserved with provenance so the legal team can defend the R&W chain through the warranty period.

The runbook lives on the same engagement record as the pre-close diligence so the closing team reads what the diligence team learned and the activity log captures every state change. A day-one runbook that lives in email and chat is the single largest source of operational failure at close: the credential list, the access-removal list, the isolation decisions, and the third-party revalidation list scatter across threads and the closing team cannot execute without a multi-hour reconstruction.

Post-Close Integration Sequencing

Post-close is where the acquirer learns what the data-room access window did not show. The acquirer security team now has full credentialed access and can run the assessments the seller would not authorise during diligence: authenticated scanning against target applications, code scanning against target repositories connected to the acquirer source-code platform, repository-level secret scanning, full credentialed vulnerability scanning on target infrastructure, configuration review on target cloud accounts, identity-and-access review against the acquirer policy, and the integration-specific compliance review (does the target SOC 2 boundary need to be amended, does the ISO 27001 statement of applicability need to be redrafted, does the PCI DSS scope change).

Standard post-close milestones are 30 days, 90 days, 180 days, and 12 months. At each gate, the acquirer security committee reviews the residual-risk register, the integration backlog progress, the audit-evidence pack for the next external audit cycle, and the items that have surfaced post-close but were not visible during diligence. The deal-impact tagging from pre-close travels through to post-close so the integration roadmap is sequenced by integration risk rather than raw severity; some critical-severity findings on the target estate are not integration-critical and some medium-severity findings on shared systems become integration-critical because the acquirer already runs the same system on a higher trust boundary.

The engagement record stays open through the warranty period so post-close discovery items land on the same record as the original diligence findings. When a post-close finding contradicts a seller representation, the legal team reads the diligence record, the seller-provided artefacts, and the dated activity log to assess whether the seller breached an R&W and to support an indemnity claim against the escrow basket. The audit lookback reads one trail rather than three.

Walk-Away Thresholds

Most cyber DD findings inform price, escrow, R&W carve-outs, and integration scope rather than killing deals. A small number of patterns recurringly produce a walk-away recommendation from the acquirer security team. The threshold is context-specific and ultimately a deal-team decision, but the patterns below are the ones where security leads typically escalate to the deal sponsor and the CFO rather than absorb the finding into price.

Active, undisclosed incident evidence of an ongoing compromise the seller has not disclosed, including pre-close external assessment that finds active indicators on target infrastructure.
Material misrepresentation in the data room the seller-provided pentest report, audit pack, or questionnaire response materially diverges from what external assessment or interviews surface.
Regulatory exposure that exceeds deal value pending or imminent regulatory action where the realistic settlement or fine would exceed the deal value or materially compromise the deal rationale.
IP custody chain broken on a technology acquisition, the source code custody, contributor chain, or third-party licence posture cannot be evidenced to a level that supports the IP-driven deal rationale.
Customer-contract notification cascade the deal triggers a notification cascade across material customer contracts that the deal team is not equipped or willing to manage in the integration window.

Sell-Side Cyber Readiness

A target that has prepared a cyber-evidence pack before going to market measurably affects deal velocity and price. Sell-side readiness is the same operating discipline a mature security programme runs anyway; M&A is the moment the work becomes legible to the deal team. A defensible sell-side pack typically includes:

A current SOC 2 Type 2 report or ISO 27001 certificate with the operative scope clearly documented.
A current external pentest report from a reputable provider, dated within the trailing 12 months and covering the in-scope estate.
A current vulnerability management summary including the operative SLA discipline and the backlog age distribution.
A documented data inventory and data-flow map for the in-scope estate, with regulated-data classes called out.
The operative cybersecurity policy set and the operative compliance evidence pack mapped to the frameworks the target carries.
The incident register for the trailing 36 months with disclosure history where applicable.
The third-party vendor inventory with risk classifications and the operative vendor-risk discipline.
The operative identity and access posture: MFA enforcement, SSO breadth, privileged-account discipline, leaver hygiene.

A target with this pack moves faster through diligence, takes fewer R&W discounts, and is more likely to close on the originally agreed price. A target without it burns the access window on basic discovery, takes price impact on every gap the assessment cannot resolve in time, and routinely retrades during the diligence period as findings surface. The companion workflow on platform is the customer security evidence room use-case, which is the same packaging discipline applied to inbound vendor and customer evidence requests rather than to an M&A transaction.

Six Failure Modes That Recurringly Show Up

Most deal-side security failures do not look like failures at the moment they happen. They look like sensible defaults: ship the diligence as a deck, run day-one off email, let the integration team rebuild the inventory after close. The cost arrives at the next surveillance audit, the next board read-out, or the next post-close discovery item that contradicts a seller representation.

Diligence lives in a deck rather than on a record. The pre-close findings land in a slide deck circulated to the deal team, then nothing flows into the integration phase. The acquirer security team rediscovers the same findings post-close.
Day-one runbook lives in email and chat. The credential-rotation list, the access-removal list, the network-isolation decisions, and the third-party revalidation list scatter across deal-team threads and the closing team cannot execute under time pressure.
Seller artefacts not preserved with custody chain. Third-party pentest reports, audit packs, prior questionnaire responses, and scanner exports sit in a shared drive without provenance. When a post-close finding contradicts a seller representation, the legal team cannot evidence what the seller disclosed.
Pre-close scope creep burns the access window. The data-room access window is finite. When pre-close scope expands without an explicit decision, the assessment runs out of access budget before the priority items are covered.
Post-close inherits wrong remediation cadence. Pre-close severity is calibrated by the assessment team rather than the acquirer programme. When the post-close integration adopts the diligence severity verbatim, half the queue ages incorrectly and the integration backlog cannot be meaningfully compared to the rest of the acquirer programme.
Deal-impact tagging is missing or inconsistent. A pre-close finding can be price-affecting, an escrow trigger, a day-one must-fix, a post-close integration item, or disclosure-only. Without the tag, the deal team cannot extract the negotiation-relevant findings and the integration team cannot sequence the day-one runbook from the diligence output.

Adjacent Programmes That Connect

M&A cyber DD is one workstream inside a wider corporate-development process and one engagement inside a wider security programme. The connections worth wiring early are:

M&A security due diligence is the operational workflow page that pairs with this guide; this is where the deal opens as an engagement and the findings live.
Third-party pentest report intake handles seller-provided pentest reports as structured findings rather than as PDFs in a shared drive.
Breach notification and regulator readiness covers the parallel notification queue model when the deal close itself triggers regulator or customer notifications.
Cyber insurance readiness addresses how the acquirer cyber insurance policy needs to be amended for the new entity and how the seller pre-close insurance posture affects deal negotiation.
Asset criticality scoring is how the post-close integration backlog gets sequenced by integration risk rather than raw severity.
Control mapping is what the integration team uses when the target SOC 2, ISO 27001, or PCI DSS scope has to be reconciled with the acquirer existing framework posture.

How SecPortal Reads Against M&A Cyber DD

Cyber DD lives or dies on the recordkeeping. The diligence findings, the seller-provided artefacts, the deal-impact tags, the day-one runbook, and the post-close integration backlog all need to live on the same record so the deal team, the legal team, the integration leads, and the acquirer security committee read one trail rather than four.

SecPortal is the consolidated operating record for an M&A cyber DD engagement. The deal opens as an engagement on the acquirer workspace through engagement management with the target as the client. Scope, deal stage, access window, deal-team counterparts, target-side counterparts, and seller-provided artefacts all live on the engagement so every team member operates against the same record. Findings management captures every diligence finding under a unified schema with CVSS 3.1 calibration, evidence, and the deal-impact tag the deal team reads against the negotiation. Document management holds the seller-provided artefacts (third-party pentest reports, audit packs, scanner exports, prior questionnaire responses, compliance certifications, incident-response history) with provenance for the SPA representation chain. Bulk finding import lands Nessus, Burp, and CSV exports from the diligence assessment onto the engagement record so seller-provided assessments flow into structured findings rather than sitting as PDFs.

On the assessment side, external scanning runs authorised pre-close scans against the target domains once domain verification confirms ownership and the seller authorises the assessment. Authenticated scanning and code scanning run post-close once the acquirer has the credential and repository access the seller would not authorise during diligence. Repository connections via GitHub, GitLab, and Bitbucket OAuth bring target repositories into the acquirer scanning posture after legal close. Encrypted credential storage holds the credentials for the authenticated assessments. Continuous monitoring schedules the recurring assessments through the integration window.

On the governance side, the activity log captures every state change across pre-close, day-one, and post-close so the audit lookback and any future R&W challenge reads one trail rather than three. AI report generation produces the diligence summary the deal team reads against the SPA negotiation. Team management with RBAC scopes who can read, edit, and approve diligence findings (deal teams routinely run M&A engagements with a tighter access perimeter than the wider security programme). MFA enforcement on the workspace itself protects the operating record the deal team depends on. Compliance tracking maps target and post-close findings to ISO 27001, SOC 2, PCI DSS, and NIST framework controls so the integration-side compliance scope is legible from the same record.

Scope and Limitations

This guide describes the operating shape of M&A cybersecurity due diligence as it is consumed on mainstream enterprise transactions. Specific deal structures (auction processes, carve-outs, take-privates, hostile transactions, distressed deals, cross-border deals with foreign-investment review) introduce additional constraints on access, timing, regulator notice, and disclosure that are not covered in detail here. The diligence shape on heavily regulated targets (financial services, defence, critical infrastructure, healthcare) is shaped by sector-specific regulator review of change of control. Programmes operating in those contexts should consult deal counsel and the sector regulator early on the cyber assessment plan.

SecPortal is not a substitute for the financial, operational, legal, regulatory, tax, or HR diligence disciplines, and it is not a substitute for the seller-side data room. It is the consolidated security operating record for the acquirer side of the transaction. Programmes evaluating dedicated M&A platforms or virtual data rooms should benchmark cyber-evidence handling and use SecPortal as the consolidated security operating record that integrates the deal-side cyber assessment into the wider security programme for the warranty period and beyond.

Related Resources

Third-party vendor risk assessment is the ongoing-supplier sibling discipline; M&A cyber DD is the transactional one-off.
Cyber insurance readiness guide covers the policy lifecycle and the underwriting evidence model the deal-side insurance review reads against.
SEC cybersecurity incident materiality applies on US public-company transactions and on subsidiary deals in scope.
Board-level security reporting covers the read-out shape post-close to the audit committee and the security committee.
SecPortal for CISOs covers the CISO-facing platform shape across the wider operating programme.
SecPortal for GRC and compliance teams covers the GRC-facing platform shape, which is the audience that owns the compliance posture reconciliation post-close.
Vendor security risk assessment template is the buyer-side assessment workbook that runs against the inherited vendor portfolio post-close to surface concentration risk and to score third-party suppliers brought in by the acquired entity.

Run M&A cyber due diligence on SecPortal

Stand up the operating record in under two minutes. Free plan available, no credit card required.

Get Started Free M&A security DD workflow