Cybersecurity Due Diligence Checklist for M&A: A Working Guide
A cybersecurity due diligence checklist is what separates a deal that closes cleanly from one that surfaces six-figure post-close remediation surprises. This guide walks through the nine categories that matter in M&A cyber diligence, the specific questions to ask in each, and the red flags that should reshape your bid, your SPA, or your decision to walk.
Why a cybersecurity due diligence checklist matters
A cybersecurity due diligence checklist is the working document used by PE sponsors, corporate acquirers, and investment banks to assess a target company's security posture during an M&A transaction. The output isn't a technical audit. It's deal intelligence — valuation impact, SPA negotiation positions, reps-and-warranties insurance scope, post-close remediation budget, and the red flags that reshape the deal or kill it.
Cyber risk in M&A has moved from "nice to have" to material. Three forces drove the shift. First, breach economics: a data exposure event mid-deal can drop valuation 15–30% overnight and break the deal entirely. Second, regulatory exposure: GDPR, HIPAA, state privacy laws, and SEC disclosure rules flow to acquirers and don't care that you didn't know. Third, RWI underwriting: reps-and-warranties insurance carriers now require credible cyber diligence as a condition of clean coverage, and they price exclusions ruthlessly when the work is thin.
The checklist below is the version a working deal team uses. It's not exhaustive — no checklist is — but it covers the categories that determine 90% of deal-relevant cyber findings. Each category has questions to ask, evidence to request, and a "what good looks like" benchmark. For the engagement structure that wraps around this checklist, see our M&A cybersecurity due diligence service page.
Want this checklist as a working PDF for your deal team? Request the operator-grade version — built from Nick Shevelyov's M&A integration playbook at Silicon Valley Bank, where the cyber diligence ran on hundreds of bank-acquisition transactions.
The cybersecurity due diligence checklist (9 categories)
1. External attack surface
What an attacker can see about the target without insider access — the same view a ransomware operator has when picking a victim. This is the cleanest pre-LOI category because it requires no management cooperation.
- Public-facing IP ranges, domains, subdomains — including forgotten dev/test environments
- Internet-exposed services (RDP, SSH, VPN, admin panels) and known vulnerabilities on each
- TLS posture: expired or soon-to-expire certificates, mismatched names, and weak protocol versions or cipher suites (the cipher findings are server-configuration issues rather than certificate issues, but they surface in the same scan)
- Email security configuration (SPF, DKIM, DMARC, BIMI)
- DNS hygiene and zone history
- Source code, credentials, or API keys leaked in public repositories (GitHub, npm, PyPI, GitLab)
- Dark-web exposure: credentials, customer data, employee records
- Brand impersonation (typosquatting domains, fake social accounts)
What good looks like: a small attack surface with active certificate hygiene, fully configured email authentication, no credential leaks in the last 24 months, and no known exploited vulnerabilities (CISA KEV) on internet-facing services.
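The email-authentication item above is one of the few checklist lines that reduces to a mechanical check. The script below is an added example written for this guide, not vCSO.ai tooling: it grades a domain's SPF and DMARC records the way an external-surface reviewer would, flagging an absent or duplicated record, a permissive `+all`/`?all`, an SPF lookup count over the RFC 7208 limit of 10, a monitor-only `p=none`, a partial `pct`, missing aggregate reporting and an unprotected subdomain policy. The TXT records and domain names are constructed samples passed in as strings so it runs offline; in a live review you would resolve them yourself (for example `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`).

```python
"""Grade SPF and DMARC records for an external-surface review.

Added example for this checklist, not vCSO.ai tooling. Records are passed in
as already-resolved TXT strings so the check runs offline; the domains and
records in SAMPLES are constructed.
"""
from __future__ import annotations

import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(
    r"[+\-~?]?(include:.+|redirect=.+|exists:.+|ptr(:.+)?|a([:/].+)?|mx([:/].+)?)",
    re.IGNORECASE,
)


def assess_spf(txt_records: list[str]) -> list[str]:
    """Findings for the SPF policy found among a domain's apex TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, receivers cannot tell forged mail from real"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records, evaluates to permerror (as if absent)"]
    findings = []
    terms = spf[0].split()[1:]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms and not has_redirect:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, forged mail is not penalized")
    lookups = sum(1 for t in terms if LOOKUP_TERM.fullmatch(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10, permerror")
    return findings


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(dmarc_txt_records: list[str]) -> list[str]:
    """Findings for the record published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record, SPF/DKIM results are never enforced"]
    if len(recs) > 1:
        return ["DMARC: multiple records, receivers discard the policy"]
    tags = parse_dmarc_tags(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= tag ({policy or 'absent'})")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, nobody receives aggregate reports")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def assess_email_auth(apex_txt: list[str], dmarc_txt: list[str]) -> dict:
    """Combine both checks into the one-line verdict a diligence memo needs."""
    findings = assess_spf(apex_txt) + assess_dmarc(dmarc_txt)
    return {"findings": findings, "verdict": "good" if not findings else "remediate"}


# Constructed records for three hypothetical acquisition targets.
SAMPLES = {
    "target-a.example": (
        ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@target-a.example; sp=reject"],
    ),
    "target-b.example": (
        ["v=spf1 include:_spf.example.net ~all", "google-site-verification=constructed"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@target-b.example"],
    ),
    "target-c.example": (["v=spf1 +all"], []),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        result = assess_email_auth(apex, dmarc)
        print(f"{domain}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

DKIM is deliberately left out: selectors are not enumerable from the outside, so the realistic check is to confirm that a DKIM-signed message from the target actually passes, which needs a sent message rather than a DNS query.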
2. Control maturity
The structural strength of the security program. Most targets benchmark against NIST CSF — the framework that maps cleanly to compliance requirements and to insurance underwriting questions.
- NIST CSF maturity assessment across the core functions (Identify, Protect, Detect, Respond, Recover, plus Govern in CSF 2.0)
- Documented security policies that match actual operations (not aspirational)
- Security organization structure: who owns what, where the gaps are, named CISO or equivalent
- Security spend as % of IT budget; comparison to industry benchmarks
- Tooling inventory: EDR, SIEM, identity, vulnerability management, DLP, email security
- Tabletop exercise history and after-action reports
- Penetration test history (annual minimum) and remediation closure rates
What good looks like: NIST CSF Implementation Tier 3 (Repeatable) or better across all functions, a current pen test within 12 months with closed findings, a named security leader with operator experience, and security spend in line with industry norms (typically 5–10% of IT for mid-market software companies).
3. Regulatory and compliance posture
The regulatory frameworks the target is bound by, and whether their attestations are real or theatrical. This is the category where deal liability flowing to the acquirer gets quantified.
- SOC 2 Type II report — current, with material exceptions noted, scoped to actual operations
- ISO 27001 certification, scope, and surveillance audit results
- PCI-DSS attestation if the target processes payment card data; AOC version and scope
- HIPAA Security Risk Analysis if PHI is in scope; documented privacy program
- GDPR / CCPA / state privacy law compliance: DPIAs, processor agreements, breach notification readiness
- Industry-specific regulations: NYDFS Part 500, FFIEC, FedRAMP, ITAR, GLBA
- Data Processing Agreements with key vendors and customers
- Customer-facing privacy policy and terms — current with actual operations
What good looks like: current attestations across all relevant frameworks, no material exceptions in the most recent SOC 2, and a clean privacy program with documented breach notification procedures aligned to applicable regulatory windows.
4. Incident disclosure history
What the target has experienced and how they handled it — both for the breaches they disclosed and the near-misses they probably didn't volunteer. Pattern matters more than individual events.
- All disclosed security incidents (last 5 years minimum) — with timeline, scope, regulator notifications, customer notifications, and remediation status
- Near-miss incidents and tabletop scenarios — how the team performed, what changed afterward
- Regulatory inquiries or investigations related to security (SEC Form 8-K Item 1.05 filings, state AG inquiries)
- Active or resolved security-related litigation (class actions, contract disputes)
- Cyber insurance claims history — what was filed, what was paid, what was denied
- Public reporting and media coverage of the target's security events
- Independent verification: dark web for indicators of unreported compromise, leaked credentials tied to the target's domains
What good looks like: no material undisclosed events, a documented response to each historical incident with quantified scope, and active monitoring for ongoing exposure. The disclosure pattern matters: companies that disclosed incidents transparently and responded well are less risky than those with no public disclosures (which often means worse hygiene, not better, on closer review).
5. Third-party and supply-chain dependencies
The risk that flows in from vendors, partners, contractors, and the open-source dependencies sitting in the target's products. Supply-chain compromise is now one of the most common breach vectors, so the checklist needs to address it directly.
- Vendor inventory tiered by criticality (which vendors, if compromised, would materially affect the target's operations or data?)
- Vendor security review process — questionnaires, SOC 2 collection, contract security clauses
- Critical-vendor incidents that affected the target (any in last 24 months?)
- Software supply-chain posture: SBOM coverage, dependency vulnerability management, third-party-code reviews
- Open-source license and security risk in shipped products
- Cloud provider configuration and the shared-responsibility-model boundaries
- Sub-processor disclosure to customers (especially for SaaS targets in regulated industries)
What good looks like: documented vendor tiering with annual security reviews on Tier 1 vendors, automated dependency scanning in the SDLC, and an SBOM available for any product shipped to enterprise customers.
6. Identity, access, and privileged accounts
The control plane of modern security. Identity sprawl is the most reliable indicator of a security program that hasn't kept up with company growth.
- Identity provider (Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace) coverage across all in-scope applications
- SSO + MFA enforcement — including for engineering, admin, and contractor accounts
- Privileged access management (PAM) — break-glass accounts, vault rotation, just-in-time access
- Service account inventory and credential rotation discipline
- Joiner-mover-leaver process: how fast does access actually get revoked when someone leaves?
- Cloud IAM posture: over-permissive roles, public S3 buckets, exposed service accounts
- Customer access controls: tenant isolation, data segregation in multi-tenant systems
What good looks like: 100% SSO + MFA coverage on production access, sub-24-hour leaver-revocation, no over-permissive cloud IAM roles, and a documented break-glass procedure with quarterly testing.
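The cloud IAM line above ("over-permissive roles, public S3 buckets") is worth checking mechanically rather than by interview, because policy documents are exportable and the dangerous patterns are few. The script below is an added example for this guide, not vCSO.ai tooling: it walks AWS-style JSON policy documents and flags wildcard actions, `Allow` with `NotAction`, privilege-escalation actions granted on `Resource "*"`, and bucket policies whose principal is the whole internet. The policies, account ID and role names are constructed samples so it runs offline; in a real review you would export them with `aws iam get-policy-version` and `aws s3api get-bucket-policy`, or read them out of the target's IaC repository. The escalation-action list is illustrative, not exhaustive.

```python
"""Flag over-permissive IAM identity policies and public S3 bucket policies.

Added example for checklist category 6, not vCSO.ai tooling. All policy
documents below are constructed samples in the AWS JSON policy grammar.
"""
from __future__ import annotations

# IAM actions that let a principal expand its own privileges when granted on
# Resource "*". Illustrative subset, not a complete list.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}


def _as_list(value) -> list:
    """IAM allows a string or a list for Statement/Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def review_identity_policy(name: str, policy: dict) -> list[str]:
    """Findings for a user, group or role policy document."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid") or f"Statement[{i}]"
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            findings.append(f"{name} {sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{name} {sid}: wildcard action {action} on {resources}")
            elif action in ESCALATION_ACTIONS and "*" in resources:
                findings.append(f"{name} {sid}: {action} on Resource * enables privilege escalation")
    return findings


def review_bucket_policy(bucket: str, policy: dict) -> list[str]:
    """Findings for an S3 bucket policy: public read or write, with or without a Condition."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _public_principal(st.get("Principal")):
            continue
        sid = st.get("Sid") or f"Statement[{i}]"
        actions = _as_list(st.get("Action"))
        if st.get("Condition"):
            # Public-but-conditioned (e.g. aws:SourceVpce) needs a human read of the condition keys.
            findings.append(f"{bucket} {sid}: public principal gated by Condition, review the condition keys")
            continue
        writes = [a for a in actions if a == "s3:*" or a.startswith(("s3:Put", "s3:Delete"))]
        if writes:
            findings.append(f"{bucket} {sid}: world-writable via {writes}")
        else:
            findings.append(f"{bucket} {sid}: world-readable via {actions}")
    return findings


def review_cloud_iam(identity_policies: dict[str, dict], bucket_policies: dict[str, dict]) -> list[str]:
    """Run both reviews over everything exported from the target account."""
    findings = []
    for name, policy in identity_policies.items():
        findings += review_identity_policy(name, policy)
    for bucket, policy in bucket_policies.items():
        findings += review_bucket_policy(bucket, policy)
    return findings


# Constructed samples; 123456789012 is the placeholder account ID used in AWS documentation.
SAMPLE_IDENTITY_POLICIES = {
    "ci-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Deploy", "Effect": "Allow",
             "Action": ["s3:PutObject", "lambda:UpdateFunctionCode"],
             "Resource": ["arn:aws:s3:::app-artifacts/*",
                          "arn:aws:lambda:us-east-1:123456789012:function:app"]},
            {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        ],
    },
    "legacy-admin-user": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    },
}
SAMPLE_BUCKET_POLICIES = {
    "customer-exports": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}],
    },
    "app-artifacts": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "CIOnly", "Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy-role"},
                       "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-artifacts/*"}],
    },
}

if __name__ == "__main__":
    for finding in review_cloud_iam(SAMPLE_IDENTITY_POLICIES, SAMPLE_BUCKET_POLICIES):
        print(finding)
```

Bucket policies are only half of the S3 public-exposure picture: bucket ACLs and the account-level Block Public Access setting also matter, and a bucket policy that looks private is still moot if Block Public Access is off and an ACL grants `AllUsers`. Ask for both when you request the export.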
7. Data classification, exposure, and protection
Where the regulated data lives and how exposed it is. Discovery of undisclosed sensitive data is routine in M&A diligence and routinely changes deal terms. (See our sensitive data discovery guide for the technical depth on this category.)
- Data classification policy and the actual implementation against it
- PII / PHI / payment card / IP inventory across cloud and SaaS environments
- Shadow data: copies of regulated data in test, dev, backup, or analytics environments
- Data retention policy and actual retention practice (often divergent)
- Data residency and cross-border transfer compliance
- Encryption at rest and in transit; key management posture
- Data Loss Prevention (DLP) coverage — which channels (email, USB, upload), which categories
- Customer-data deletion capability for DSAR and opt-out compliance
What good looks like: documented data inventory matching reality, encryption at rest for all regulated data, customer DSAR fulfillment within regulatory windows, and shadow data actively managed (or actively removed when discovered).
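The shadow-data line above ("copies of regulated data in test, dev, backup, or analytics environments") is usually confirmed by pointing a scanner at an export of the suspect environment. The script below is an added example for this guide, not vCSO.ai tooling and not a DLP product: it scans a delimited export field by field for email addresses, plausible US SSNs and payment-card numbers, using the Luhn checksum and the SSA's never-issued ranges to filter out the junk IDs and synthetic values that make naive regex scans over-count. The export is a constructed sample that looks like a test-environment dump with a mix of real-looking and junk values, which is exactly the case the checklist describes.

```python
"""Field-level scan of a delimited export for regulated data.

Added example for checklist category 7, not vCSO.ai tooling. SAMPLE_EXPORT
is constructed; the card numbers are the standard test PANs that pass Luhn
and the SSNs are placeholders (none belongs to a real person).
"""
from __future__ import annotations

import re
from collections import Counter

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN = re.compile(r"(\d{3})-(\d{2})-(\d{4})")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); rejects most 13-19 digit IDs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    return not (area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000")


def classify_field(field: str) -> str | None:
    """Return 'pan', 'ssn', 'email' or None for one delimited value."""
    value = field.strip()
    compact = re.sub(r"[ -]", "", value)
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact):
        return "pan"
    m = SSN.fullmatch(value)
    if m and plausible_ssn(*m.groups()):
        return "ssn"
    if EMAIL.fullmatch(value):
        return "email"
    return None


def scan_export(rows: list[str], delimiter: str = ",") -> dict:
    """Count regulated values per category and the rows carrying any of them.

    The first row is treated as a header and skipped.
    """
    counts: Counter = Counter()
    flagged_rows = 0
    for row in rows[1:]:
        hits = [c for c in (classify_field(f) for f in row.split(delimiter)) if c]
        counts.update(hits)
        flagged_rows += bool(hits)
    return {
        "counts": dict(counts),
        "rows_scanned": len(rows) - 1,
        "rows_with_regulated_data": flagged_rows,
    }


# Constructed "test environment" export: row 2 is synthetic junk that a naive
# regex would still count, row 4 carries a 13-digit legacy ID that is not a PAN.
SAMPLE_EXPORT = [
    "id,name,email,ssn,card,notes",
    "1,Ada Lovelace,ada@example.com,219-09-9999,4111 1111 1111 1111,vip",
    "2,Test User,qa@example.org,000-12-3456,4111 1111 1111 1112,synthetic",
    "3,No Email,,987-65-4321,5555 5555 5555 4444,ok",
    "4,Bob,bob@example.net,123-45-6789,1234567890123,legacy id",
]

if __name__ == "__main__":
    report = scan_export(SAMPLE_EXPORT)
    print(f"rows scanned: {report['rows_scanned']}")
    print(f"rows with regulated data: {report['rows_with_regulated_data']}")
    for category, n in sorted(report["counts"].items()):
        print(f"  {category}: {n}")
```

Two caveats for using this on a real export. First, it classifies whole fields, so it misses values embedded in free-text columns such as support notes; those need a substring scanner with tighter context rules. Second, a hit count tells you exposure exists, not whether the data is live: the next question for the target is whether the test copy was masked, when it was refreshed from production, and who can read it.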
8. Key-person risk and security-team continuity
Many security programs at mid-market companies depend on one or two operators who hold the institutional memory. If they leave during deal close, the program can collapse before the acquirer has time to backfill.
- Security org chart and tenure of each role
- Documented runbooks for incident response, vendor management, audit cycles
- Key-person dependencies: which roles, if vacated, would the program struggle without?
- Retention plans through close (RSU vesting, retention bonuses, post-close commitment)
- Knowledge-transfer state: written documentation vs tribal knowledge
- Outsourced security functions (MSSP, MDR, SOC) and contract continuity through close
What good looks like: a documented program independent of any single operator, written runbooks and playbooks across the major operational categories, retention agreements in place for key security staff through 90-day post-close.
9. Cyber insurance and liability posture
Insurance coverage as deal protection. Material gaps in coverage, recent claims, or pending underwriter inquiries become valuation issues — and reps-and-warranties insurance underwriting will ask about all of them.
- Current cyber insurance policy: limits, deductibles, sub-limits, exclusions
- Renewal status — and any underwriter-imposed remediation conditions on renewal
- Claims history (last 5 years) — filed, paid, denied, with reason
- Coverage match against the target's actual risk profile (PII volume, regulatory scope, ransomware vectors)
- Reps-and-warranties insurance posture for the deal — cyber-specific exclusions, retention amounts
- D&O coverage for cyber-related claims (post-Caremark, this is a real protection)
- Errors-and-omissions coverage if the target ships software to enterprise customers
What good looks like: coverage limits matching the target's risk profile, no material claims denied in last 24 months, and a clean renewal trajectory without underwriter intervention.
How to use the checklist in a real deal
The checklist becomes useful when sequenced against the deal timeline. Three phases tend to dominate in mid-market and enterprise transactions.
Pre-LOI: external review (5-day Initial Review)
Category 1 (external attack surface) can be assessed entirely from the outside. Categories 4 and 9 (incident history, insurance posture) can be started from public sources, such as 8-K filings, state attorney-general breach notification lists, litigation dockets and media coverage, though policy terms and claims history need the target's cooperation. This is the phase where you decide whether to bid, where to set the bid, and whether headline cyber issues should kill the deal entirely. A 5-day Initial Review produces a go/no-go memo for the IC suitable for time-pressured competitive processes.
Post-LOI: management-access deep dive (2–4 weeks)
With LOI signed, the rest of the checklist becomes accessible. Management interviews, control walks, documentation review, and tooling-output verification produce the materially better quantification needed for SPA negotiation, RWI underwriting, and the 100-day post-close plan. This phase generates the diligence memo that lives in the data room alongside the financial and legal work.
Post-close: 100-day remediation plan
Diligence findings convert into prioritized remediation work. The remediation plan has to be sequenced against integration milestones, regulatory exposure, and budget — and someone has to own driving it. For PE-backed assets, the plan typically includes interim CISO support to bridge the gap until the portfolio company hires a permanent security leader.
Six red flags that change deal terms
Across hundreds of M&A engagements, six recurring patterns surface that materially change deal economics. Any of these on its own warrants a price adjustment, an SPA carve-out, or escalation; multiple together justify reconsidering the deal.
- Undisclosed prior incidents. The seller minimizes, omits, or technically hedges around historical breach events that materially affected customer data or regulatory standing. Independent dark-web and threat-intel searches surface these routinely. Once discovered, everything else the seller said becomes suspect.
- PII or PHI in shadow databases. Sensitive data sitting in test environments, analytics warehouses, or deprecated services that the privacy program never documented. Common finding; almost always changes the GDPR/HIPAA/state-law exposure calculation.
- Source code or credentials in public repositories. Engineering teams accidentally push API keys, customer database connection strings, or proprietary code to public GitHub. Cleans up easily once found, but indicates the secrets-management discipline is weak — which suggests other findings.
- Lapsed cyber insurance or material coverage gaps. Renewal in question, recent claim denials, or sub-limits that don't match the target's actual risk profile. RWI underwriters will spot this immediately and price accordingly.
- Single-point-of-failure operator dependency. One CISO or security engineer owns the entire program with minimal documentation. Their departure during deal close (a common pattern under acquisition uncertainty) collapses the security function before the acquirer can stabilize it.
- Compliance attestations that don't match operations. SOC 2 Type II report covering a scope narrower than the target represents to customers, ISO 27001 certification with a stale surveillance audit, or PCI attestation that excludes the actual cardholder-data systems. These get disclosed in audit reports but routinely missed in casual diligence.
Using the checklist for sell-side preparation
Most discussion of cyber due diligence focuses on the buy side. The same checklist is increasingly valuable on the sell side — used 6–12 months pre-sale to surface and remediate the issues that would otherwise show up in buyer diligence and depress valuation.
Sell-side cyber prep typically produces three deliverables: a clean, current data room cyber package (attestations, assessments, incident documentation organized for buyer review); a remediation roadmap for the items that can't be fixed pre-close, with budgets and timelines; and an independent third-party assessment ready to share under NDA — which protects valuation by pre-empting buyer findings rather than reacting to them.
The economics work even for mid-market sellers. A Fortune-500 acquirer that finds three undisclosed cyber issues during diligence will almost always retrade the deal terms or create RWI exclusions that effectively reduce purchase price. Spending $50K–$150K on sell-side cyber prep typically protects 10× that in valuation. The investment-banking side of the market has noticed; cyber-prepared sellers go to market faster and close cleaner than unprepared ones.
vCSO.ai is the operator-led cybersecurity advisory firm of Nick Shevelyov, former 15-year Chief Security Officer at Silicon Valley Bank — where the cyber due diligence checklist ran on hundreds of bank-acquisition transactions. Our cybersecurity due diligence service delivers 5-day Initial Reviews, post-LOI deep diligence, and post-close 100-day remediation plans to PE sponsors, corporate acquirers, and investment banks. The full checklist as an operator-grade PDF — built from the working version used in real deals — is available on request via our contact page. Nick's book on cybersecurity strategy, Cyber War…and Peace, draws on three decades of operator experience defending the bank of the innovation economy.
Questions & answers
What is a cybersecurity due diligence checklist?
What goes in a cybersecurity due diligence checklist for M&A?
How long does cybersecurity due diligence take in M&A?
Who runs cybersecurity due diligence — internal team or external?
What red flags should the checklist surface?
How does the checklist differ for private equity versus corporate acquirers?
Can you use this checklist for sell-side preparation?
Ready to turn this into a working plan?
Nick's team helps growth-stage companies, PE/VC sponsors, and cybersecurity product teams translate security questions into board-ready decisions. First call is strategy, not vendor pitch.