Before entering into a business agreement with another entity, organizations must identify incompatible business processes, potential integration problems, or unexpected liabilities through a due diligence process.

Traditionally, due diligence focused on business operations, legal concerns, and financial statements. With companies increasingly reliant on data and technology, and with cyber risks proliferating, it is now imperative to the security and reputation of the acquiring organization that the target's cybersecurity posture, governance, and practices also be assessed.

Consider the following framework and questions when evaluating an acquisition or merger target. Depending on the nature of the business, some areas may pose a larger threat than others and require greater scrutiny.

Cyber Risk Management

What digital assets are we protecting, and what are the greatest risks to those assets?

Organizations should possess a clear understanding of their critical digital assets, their top cyber threats and risks, and all legal and regulatory requirements affecting the company. They should also maintain documented, formal processes, and leverage systems and automation where possible, to identify and monitor threats and vulnerabilities.

Due diligence questions to consider:

  1. Digital asset ("crown jewels") identification

  • What are the most business-critical data, systems, and digital assets?
  • Is there an inventory of these critical digital assets, and is it maintained?

2. Cyber risk identification, prioritization, and reporting

3. Cyber regulatory compliance

Cyber Governance

Does the organization have the right baseline cyber plans, policies, and behaviors?

Organizations must maintain documented and well-communicated cybersecurity policies and procedures, with mandatory training for all users and role-based training for their cyber professionals. Cybersecurity roles and responsibilities should be established, coordinated, and aligned across internal employees and third-party stakeholders (suppliers, customers, partners). All cybersecurity projects and initiatives should align with the organization's goals and aim to continually strengthen its security posture.

Due diligence questions to consider:

  1. Cyber strategy and planning

  • Does the company have any major cyber-related priorities, initiatives, or activities planned over the next year?
  • Have any major initiatives been recently completed? How were these initiatives determined and managed?

2. Cyber budget and staffing

  • What are the key organizational roles with cyber-related accountability or responsibility?
  • Approximately how many full-time equivalent (FTE) resources work on cybersecurity?
  • What is the annual spend on cybersecurity, and how is the cyber budget determined?

3. Cyber policies and procedures

  • What formal, documented cyber-related policies exist?

4. Cyber awareness and training

  • Do employees undergo security awareness training?
  • What are the frequency and scope of training, and to what extent is role-based training used?

Cyber Controls

What key technical controls are in place to secure our data, systems, and networks?

Organizations adhering to best practices integrate multifactor authentication (MFA) into all authentication workflows and maintain automated monitoring and enforcement of encryption and data protection configurations for all servers and devices. Automated processes monitor and alert on vulnerabilities and security threats, non-compliant devices, and application code scan findings. The organization should also maintain recurring, scheduled penetration testing and formalized assessments of its technical security controls.

Due diligence questions to consider:

  1. Overall protective controls

  • What processes, tools, and vendors are utilized? Responses should cover:
    • Identity and access management (including role-based access control), multifactor authentication, and password policy (including whether periodic forced password rotation is still in use).
    • Network and endpoint security: EDR, VPN, firewalls, anti-virus, content filtering, email security, device encryption, and mobile device management.
    • Vulnerability management and patch management.
    • Data protection, data lifecycle management, and data loss prevention (DLP).
    • Application security, covering both custom-built (in-house or customer-facing) and third-party applications.

2. Controls testing

  • Does the company utilize penetration testing or other technical security controls testing? If so, what is the frequency and scope?

Cyber Response and Resilience

Can the organization effectively respond to and recover from a cyberattack?

Organizations should maintain well-documented business continuity and disaster recovery plans, including supporting scenario playbooks and communication templates, which are tested and revised on a scheduled basis. Additionally, it is vital to procure right-sized cyber insurance coverage and to sign incident response retainers with at least one external firm.

Due diligence questions to consider:

  1. Business continuity and disaster recovery

  • What plans, procedures, and playbooks exist to ensure business continuity and rapid recovery from a cyber (or other adverse) event, and to what extent and how are these tested?

2. Incident response

  • What cyber incident response plans, procedures, and playbooks exist, and to what extent and how are these tested?
  • Does the company have retainer agreements with cyber incident response firms, and if so, with which firm(s)?

3. Cyber insurance

  • Does the company have cyber insurance, and if so, who is the underwriter, what is the extent of coverage, and what are the main exclusions?

Failing to assess the cybersecurity risk posture of an M&A target can expose companies to tremendous financial, data, and reputational damage. By asking these questions during the diligence process, organizations will better understand the threats and vulnerabilities of the M&A candidate. For expert cybersecurity and M&A due diligence, contact CrossCountry Consulting.


Cameron Over

Cyber and Privacy Lead


Contributing authors

Paul Goode

Kirk Lane