# Cybersecurity Due Diligence for M&A
Definition
Cybersecurity due diligence is the assessment of a target company's cybersecurity posture, data protection practices, regulatory compliance status, and historical security incidents as part of a merger, acquisition, or investment transaction. The assessment identifies cybersecurity risks that could affect the target's valuation, create post-closing liabilities, or introduce vulnerabilities into the acquiring organization's environment upon integration.
When an organization acquires another company, it acquires everything: the target's customers, revenue, and intellectual property, but also the target's vulnerabilities, compliance gaps, undisclosed breaches, and the attacker who may already be inside the target's network. Cybersecurity due diligence discovers these risks before the transaction closes, enabling informed valuation, contractual protections, and integration planning.
The Marriott-Starwood acquisition (2016) is the canonical case study. Starwood's guest reservation database had been compromised since 2014, two years before the acquisition. The intrusion was not discovered until September 2018, two years after the deal closed, and affected approximately 500 million guest records by Marriott's initial estimate (later revised to roughly 383 million). Marriott inherited the breach, the regulatory exposure (GDPR fines, an FTC investigation, class action lawsuits), and the reputational damage. Due diligence that included a network assessment and threat hunting in Starwood's environment could have surfaced the existing compromise before closing.
How It Works
Due Diligence Assessment Areas
Cybersecurity due diligence evaluates the target across six areas that map directly to the PDM domains:
Security governance and compliance (RGA). What is the target's security program maturity? Does a CISO or equivalent role exist? Are security policies documented, current, and enforced? Which compliance frameworks apply (SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC)? Is the target currently certified or compliant? Are there outstanding audit findings? Has the target received regulatory enforcement actions? Are there pending or anticipated regulatory investigations?
The compliance assessment determines whether the acquiring organization inherits compliance obligations (the target's HIPAA-covered operations become the acquirer's HIPAA-covered operations) and whether the target's compliance status creates liability (expired SOC 2 certification that customers relied on, outstanding PCI DSS non-compliance findings).
Data protection and privacy (DPS). What personal data does the target collect and process? Where does it reside (geographic jurisdictions, cloud providers, third parties)? How is it classified and protected? What privacy laws apply? Are data processing agreements in place with vendors? Are data subject rights processes operational? What is the target's data retention posture (is there data that should have been deleted under applicable retention policies)?
The data assessment determines whether the acquisition introduces new privacy obligations (the target processes EU resident data, subjecting the combined entity to GDPR), new data categories (the target holds health data that the acquirer has never handled), or data liabilities (retained data that violates the target's own privacy notice or applicable law).
Vulnerability and attack surface (VSD). What is the target's external attack surface? Are there exposed services, unpatched critical vulnerabilities, misconfigured cloud resources, or orphaned infrastructure? What is the target's patch management cadence? What is the current vulnerability density?
CDA's approach: conduct an external attack surface assessment of the target's internet-facing infrastructure using the same ASM techniques used for the FRM (VSD-R01). This assessment can be conducted without the target's cooperation (external reconnaissance does not require internal access) and provides an objective, evidence-based view of the target's exposed services and vulnerabilities. One constraint applies: before the target has authorized anything, the assessment must stay passive or non-intrusive (DNS, certificate transparency, public scan data, version banners), because active exploitation or authenticated scanning of infrastructure the acquirer does not own requires the target's written authorization. Even within that constraint, an external view that reveals 15 critical CVEs on internet-facing systems tells you more about the target's security maturity than their self-reported questionnaire.
Identity and access management (IAT). How does the target manage user identities and access? Is MFA deployed (and on which systems)? Does PAM exist for privileged accounts? Are there shared administrative accounts? What is the state of Active Directory (stale accounts, excessive privileged group membership, AD CS misconfigurations)? How will the target's identity infrastructure be integrated with the acquirer's (forest trust, tenant merger, identity federation)?
The identity assessment identifies both current risk (compromised or over-privileged accounts) and integration complexity (merging two Active Directory environments is one of the most technically complex and security-sensitive aspects of M&A integration).
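The stale-account and privileged-membership checks above are usually run offline against a user export the target places in the data room. The following Python is an added example for this article, not CDA tooling or the target's data: the CSV is constructed to resemble a Get-ADUser export for a hypothetical domain, and the privileged group list and 90-day staleness threshold are assumptions to adjust per target.

```python
"""Triage an Active Directory user export for due-diligence identity findings.

Added example for this article, not CDA tooling. The CSV below is constructed
to resemble a Get-ADUser export handed over in a data room. The privileged
group list and the 90-day staleness threshold are assumptions to adjust per
target.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export for a hypothetical target domain (not real data).
SAMPLE_EXPORT = """\
SamAccountName,Enabled,LastLogonDate,PasswordNeverExpires,MemberOf
jdoe,True,2024-05-30,False,Domain Users
svc_backup,True,2024-06-01,True,Domain Admins;Backup Operators
oldadmin,True,2021-02-14,False,Domain Admins
contractor7,True,2023-01-10,False,Domain Users
ttan,False,2020-09-01,False,Domain Users
helpdesk1,True,2024-05-29,False,Account Operators
"""

PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
STALE_AFTER = timedelta(days=90)  # assumed threshold for an unused account


def load_export(text):
    """Parse the CSV export into dicts with typed fields."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "name": row["SamAccountName"],
            "enabled": row["Enabled"] == "True",
            "last_logon": datetime.strptime(row["LastLogonDate"], "%Y-%m-%d"),
            "pw_never_expires": row["PasswordNeverExpires"] == "True",
            "groups": {g for g in row["MemberOf"].split(";") if g},
        })
    return users


def triage(users, as_of):
    """Return findings by category (sorted account names); as_of is YYYY-MM-DD."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {
        "stale_enabled": [],                # enabled, no logon within STALE_AFTER
        "privileged": [],                   # member of any PRIVILEGED_GROUPS entry
        "privileged_stale": [],             # both of the above: prime takeover target
        "privileged_pw_never_expires": [],  # usually a service account in an admin group
    }
    for u in users:
        stale = u["enabled"] and now - u["last_logon"] > STALE_AFTER
        privileged = bool(u["groups"] & PRIVILEGED_GROUPS)
        if stale:
            findings["stale_enabled"].append(u["name"])
        if privileged:
            findings["privileged"].append(u["name"])
            if stale:
                findings["privileged_stale"].append(u["name"])
            if u["pw_never_expires"]:
                findings["privileged_pw_never_expires"].append(u["name"])
    return {k: sorted(v) for k, v in findings.items()}


def privileged_ratio(users):
    """Share of enabled accounts that hold a privileged group membership."""
    enabled = [u for u in users if u["enabled"]]
    privileged = [u for u in enabled if u["groups"] & PRIVILEGED_GROUPS]
    return len(privileged) / len(enabled) if enabled else 0.0


if __name__ == "__main__":
    users = load_export(SAMPLE_EXPORT)
    for category, names in triage(users, "2024-06-03").items():
        print(f"{category}: {', '.join(names) or '-'}")
    print(f"privileged share of enabled accounts: {privileged_ratio(users):.0%}")
```

On the constructed sample, the account worth raising in the diligence report is oldadmin: an enabled Domain Admin with no logon in three years is exactly the kind of account an attacker already inside the environment would prefer to use, since nobody will notice its activity. The ratio of privileged to enabled accounts is a cheap maturity signal to compare against the target's questionnaire answers on least privilege.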
Threat detection and incident history (TID). What detection capabilities does the target have? Does a SIEM exist? What log sources are connected? What is the detection coverage (the share of MITRE ATT&CK techniques relevant to the target with at least one working detection)? Has the target experienced security incidents in the past 3 to 5 years? How were they handled? Are there indications of ongoing compromise?
The incident history assessment is critical. The acquirer must determine whether the target has had breaches that were not publicly disclosed (which may create retroactive notification obligations), incidents that were mishandled (creating litigation risk), or ongoing compromises that the target has not detected (the Starwood scenario).
For high-value acquisitions, CDA recommends threat hunting engagement: deploying threat hunters in the target's environment (with appropriate authorization) to search for indicators of existing compromise. The investment of 40 to 80 hours of hunting time can discover a pre-existing compromise that would cost millions post-closing.
Third-party and supply chain risk (RGA/VSD). What third parties does the target depend on? What access do those third parties have? Are Business Associate Agreements, Data Processing Agreements, and vendor security assessments in place? Does the target have concentration risk (critical dependency on a single vendor)?
The third-party assessment identifies inherited vendor relationships and their associated risk. The acquirer inherits the target's vendor contracts, the target's vendor access to combined systems, and the risk that the target's vendors were not adequately assessed.
Assessment Methodology
Due diligence operates under transaction constraints: limited time (weeks, not months), restricted access (the target may limit what the acquirer can examine before closing), and confidentiality (the transaction itself may not be public).
Pre-LOI (Letter of Intent). External-only, passive assessment. The acquirer conducts external reconnaissance of the target's internet-facing infrastructure without the target's participation. Attack surface discovery, DMARC/SPF status, externally visible vulnerabilities, and security rating service scores (BitSight, SecurityScorecard) provide an initial risk indicator.
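The DMARC/SPF status check is the simplest of these pre-LOI signals and needs nothing beyond two DNS TXT lookups. The following Python is an added example for this article, not CDA tooling: it evaluates the records the way a receiving mail server would, flagging the conditions that let a target's domain be spoofed. The domain and its TXT records are constructed for illustration; in a real assessment they would come from lookups of the target's apex domain and its _dmarc subdomain.

```python
"""Assess a target domain's SPF and DMARC posture from its DNS TXT records.

Added example for this article, not CDA tooling. The records below are
constructed for a hypothetical target domain; in a real pre-LOI assessment
they would come from TXT lookups of <domain> and _dmarc.<domain>.
"""
import re

# Constructed sample records (hypothetical target, not real DNS data).
SAMPLE_TXT = {
    "target-corp.example": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
        "include:sendgrid.net ip4:203.0.113.0/24 ~all",
    ],
    "_dmarc.target-corp.example": [
        "v=DMARC1; p=none; rua=mailto:dmarc@target-corp.example",
    ],
}

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return (qualifier of the 'all' mechanism, DNS lookup count), or None."""
    if not record.lower().startswith("v=spf1"):
        return None
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:
        qualifier = "+"                      # SPF default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_email_auth(domain, txt_records):
    """Return due-diligence findings for one domain from a {name: [txt, ...]} map."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: domain is trivially spoofable")
    else:
        if len(spf) > 1:
            findings.append("multiple SPF records: receivers treat this as permerror")
        qualifier, lookups = parse_spf(spf[0])
        label = qualifier or "none"
        if qualifier in (None, "+", "?"):
            findings.append(f"SPF ends in '{label}all': no restriction on senders")
        elif qualifier == "~":
            findings.append("SPF uses softfail (~all): enforcement depends on DMARC")
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (limit 10): permerror")
    dmarc = None
    for r in txt_records.get(f"_dmarc.{domain}", []):
        dmarc = parse_dmarc(r) or dmarc
    if dmarc is None:
        findings.append("no DMARC record: spoofed mail is neither rejected nor reported")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: monitoring only, spoofing is not blocked")
        if "rua" not in dmarc:
            findings.append("DMARC without rua: target receives no aggregate reports")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to a sample of mail only")
    return findings


if __name__ == "__main__":
    for finding in assess_email_auth("target-corp.example", SAMPLE_TXT):
        print("-", finding)
```

The sample target has the most common real-world combination: a softfail SPF record and a DMARC policy of p=none, which together mean a spoofed invoice from the target's domain will be delivered to most recipients. That is a direct phishing exposure for the target's customers and, after closing, for the acquirer's staff.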
Post-LOI, pre-closing. The target grants the acquirer access to internal information through a data room. The acquirer reviews security documentation (policies, audit reports, SOC 2 reports, incident records, compliance certifications), conducts interviews with the target's security leadership, and may perform limited technical assessment (with the target's cooperation). Questionnaire-based assessment (using standardized M&A cybersecurity questionnaires) supplements document review.
Post-closing. Full technical assessment. The acquirer conducts comprehensive security assessment of the target's environment: vulnerability scanning, configuration review, Active Directory assessment, cloud security review, and (recommended) threat hunting. Post-closing assessment informs the integration security plan and identifies risks that pre-closing diligence did not discover.
Integration Security Planning
Due diligence findings inform the integration security plan: how the target's environment will be connected to, migrated into, or isolated from the acquirer's environment.
Day one controls. Minimum security controls that must be in place before any integration begins: MFA on the target's VPN and cloud applications, endpoint protection deployed to target endpoints, target domain segregated from acquirer domain (no trust relationship until assessment is complete), and monitoring of traffic between target and acquirer networks.
Identity integration. The most security-sensitive integration workstream. Options: establish a forest trust between the two Active Directory environments (fastest, but it exposes each forest to the other's compromised accounts, so if a trust is used it should be scoped with SID filtering and selective authentication and treated as temporary), migrate the target's users to the acquirer's directory (most thorough but most complex), or federate through a cloud IdP (the modern approach for cloud-first environments). Each option has different security implications and timelines.
Network integration. Connecting the target's network to the acquirer's network creates cross-environment attack paths. Network integration should follow the principle of least connectivity: connect only what is operationally necessary, with firewall rules controlling all cross-network traffic, and monitoring on the connection points. A flat merge (connecting the two networks without segmentation) inherits every vulnerability in both environments simultaneously.
Data integration. Merging the target's data into the acquirer's systems requires data classification, access control mapping, and privacy compliance review. The target's customer data may be subject to different privacy notice terms than the acquirer's customer data. Merging the data without harmonizing the privacy practices creates compliance risk.
Why It Matters
Inherited Liability
The acquirer inherits the target's cybersecurity liabilities: undisclosed breaches (notification obligations that have not been satisfied), compliance gaps (regulatory exposure from the target's non-compliance), pending litigation (class actions from prior incidents), and ongoing compromises (the attacker who is already inside the target's network now has access to the combined environment).
The Marriott-Starwood breach cost Marriott over $120 million in direct costs plus ongoing litigation and regulatory action. The breach originated in Starwood's environment before the acquisition. Marriott paid the price because Marriott completed the acquisition without discovering the breach. Cybersecurity due diligence is the process that discovers these liabilities before the purchase price is set and the contract is signed.
Valuation Impact
Cybersecurity findings affect transaction valuation. A target with significant security gaps, pending compliance obligations, or historical breaches is worth less than a target with a mature security program. Findings can result in purchase price reduction, escrow holdbacks (funds held to cover remediation costs), or indemnification provisions (the seller covers cybersecurity liabilities discovered post-closing).
In some cases, cybersecurity findings kill the deal entirely. An acquisition target with an active, undisclosed breach and material compliance gaps may represent more liability than value. The due diligence finding is the kill shot that saves the acquirer from inheriting a disaster.
Integration Risk
Connecting the target's environment to the acquirer's environment creates new attack paths. If the target's environment is compromised, integration connects the compromised environment to the acquirer's clean environment. Integration security planning (informed by due diligence findings) ensures that integration does not introduce the target's vulnerabilities into the acquirer's environment.
CDA Perspective
Cybersecurity due diligence for M&A spans RGA (governance assessment, compliance evaluation, liability analysis), VSD (external attack surface, vulnerability assessment), IAT (identity infrastructure assessment, integration planning), DPS (data inventory, privacy assessment), and TID (detection capability assessment, threat hunting for existing compromise).
CDA's FRM (Foundational Recon Mission) methodology applies directly to M&A due diligence. The FRM assesses security posture across all six PDM domains and produces a quantified Posture Score. Applied to an acquisition target, the FRM produces the same assessment that CDA provides to prospective clients: a comprehensive, scored view of the target's security posture that informs the transaction decision.
Three TOP missions connect to M&A due diligence:
- RGA-R01 (Compliance Landscape Mapping): Map the target's compliance obligations and current compliance state. 16 estimated hours.
- VSD-R01 (External Attack Surface Discovery): Assess the target's internet-facing attack surface. Can be conducted pre-LOI without target cooperation. 16 estimated hours.
- IAT-R01 (Identity Infrastructure Assessment): Assess the target's identity environment. Critical for integration planning. 16 estimated hours.
CDA approaches M&A due diligence with one emphasis: conduct external reconnaissance before relying on the target's self-reporting. The target's security team has an incentive to present their posture favorably (the deal depends on it). External attack surface assessment provides objective, evidence-based findings that the target's self-assessment cannot influence. A target that claims strong vulnerability management but has 12 critical CVEs on internet-facing systems has a credibility gap that due diligence should identify.
Key Takeaways
- Cybersecurity due diligence identifies security risks in acquisition targets that could affect valuation, create post-closing liability, or introduce vulnerabilities into the acquirer's environment.
- Assessment covers six areas mapped to PDM domains: governance/compliance (RGA), data protection (DPS), vulnerability/attack surface (VSD), identity (IAT), detection/incident history (TID), and third-party risk (RGA/VSD).
- The Marriott-Starwood case demonstrates the cost of inadequate due diligence: a breach inherited through acquisition cost $120M+ in direct costs plus ongoing litigation.
- Integration security planning (day-one controls, identity integration, network integration, data integration) must be informed by due diligence findings to prevent introducing the target's vulnerabilities into the acquirer's environment.
- CDA's emphasis: external reconnaissance before self-reporting. Objective findings from attack surface assessment validate (or contradict) the target's self-assessment.
Related Articles
Sources
- Forescout Research Labs. "The Role of Cybersecurity in Mergers and Acquisitions." Forescout, 2020.
- Marriott International. "Starwood Guest Reservation Database Security Incident." Marriott Public Statement, November 2018.
- U.K. Information Commissioner's Office. "Marriott International Inc: Penalty Notice." ICO, October 2020. (£18.4 million GDPR fine for Starwood breach.)
- Deloitte. "Cyber Due Diligence: Evaluating Cybersecurity Risks in M&A Transactions." Deloitte, 2024.
- National Institute of Standards and Technology (NIST). "Cybersecurity Framework (CSF) 2.0: GV.SC (Supply Chain Risk Management)." U.S. Department of Commerce, 2024. (Applicable to M&A as supply chain expansion.)