Cybersecurity Due Diligence: A Practical Guide Every major business decision — acquiring a company, onboarding a vendor, entering a new partnership — carries embedded cyber risk that stays invisible until it becomes your liability. By then, you're negotiating from a position of weakness.

According to Forescout's M&A cybersecurity research, 52% of organizations discovered a major undisclosed cyber risk after closing a deal. That's not a security failure — it's a due diligence failure. And it's entirely preventable.

This guide is written for boards, executive teams, audit committees, general counsel, and deal teams who need to make sound decisions about cyber risk without necessarily being technical experts. Most published guidance on this topic stops at the technical layer. This one starts where decisions actually get made.

TL;DR

  • Cybersecurity due diligence evaluates an organization's security posture before M&A transactions or vendor onboarding decisions
  • Scope includes security controls, compliance status, incident response capability, and third-party exposure
  • Undisclosed breaches, missing IR plans, and compliance gaps can reduce deal value or delay closing
  • Diligence that ends at signing leaves post-close integration — the riskiest period — without oversight
  • Boards need findings translated into business risk and financial exposure — not raw technical output

What Is Cybersecurity Due Diligence?

Cybersecurity due diligence is the investigative review of an organization's security posture, governance, and risk exposure conducted before a consequential business decision. Its purpose is to replace assumptions and self-disclosures with verified risk data.

This is distinct from ongoing security operations. Due diligence is time-bounded and event-triggered — initiated by an acquisition, merger, or vendor engagement. Ongoing security maintenance is continuous. Both are necessary, but they serve different functions.

The two primary contexts where cybersecurity due diligence applies:

  • M&A transactions — findings surface before the deal closes, where they can inform valuation, deal structure, or closing conditions
  • Third-party and vendor risk — suppliers, contractors, and technology partners get assessed before they receive access to your systems or data

Both contexts carry real financial and legal consequences when the process is skipped or rushed. The Yahoo/Verizon acquisition illustrates what that looks like in practice. After Yahoo's breach history surfaced mid-deal, Verizon reduced the purchase price by $350 million and restructured liability allocation. The breach wasn't discovered during diligence — it was disclosed afterward, under pressure.

Yahoo Verizon acquisition cyber risk 350 million deal price reduction case study

Key Components of Cybersecurity Due Diligence

Effective due diligence covers five distinct areas. Focusing on only the most visible ones is how acquirers end up inheriting risks they never priced in.

Security Controls Assessment

Evaluate whether fundamental defenses are in place and actually functioning. This includes:

  • Access controls and multi-factor authentication
  • Endpoint protection and patch management
  • Encryption at rest and in transit
  • Network segmentation

The goal isn't just confirming controls exist — it's finding evidence they work. A policy requiring MFA means nothing if admins still use shared accounts. A backup standard is irrelevant if no one has tested a restore on revenue-critical systems.

Policies, Governance, and Compliance

Start by confirming the organization has documented security policies aligned with recognized frameworks — NIST CSF, ISO 27001, or CIS Controls. The harder question is whether those policies are enforced and understood, not just filed.

Compliance verification also belongs here. Depending on the target's sector:

  • HIPAA — healthcare organizations with patient data
  • PCI-DSS — retail and payment processing environments
  • SEC cybersecurity rules — public companies required to disclose material incidents within four business days of determining materiality
  • GDPR/CCPA — any organization handling personal data at scale

Flag open violations, lapsed certifications, or pending regulatory investigations. These don't just affect deal timing — they can create post-close indemnification disputes that are difficult and expensive to resolve.

Incident Response Capability

An organization without a tested incident response plan has a governance gap, not just an operational one. Assess:

  • Whether a documented IR plan exists
  • Whether it has been exercised through tabletop simulations or real activations
  • How past incidents were detected, how long they went undetected, and what remediation followed

The numbers here matter. IBM's 2025 Cost of a Data Breach Report puts the average breach cost at $4.44 million and the mean time to identify and contain a breach at 241 days. An acquired organization with weak detection and response capability carries that exposure directly into the combined entity from day one.

Third-Party and Supply Chain Exposure

A target's cybersecurity posture includes its vendor ecosystem. The Verizon 2025 Data Breach Investigations Report found third-party involvement in 30% of analyzed breaches — double the prior year's figure.

During diligence, assess:

  • Which third parties have access to sensitive systems or data
  • Whether vendor relationships are governed by contractual security requirements
  • Whether fourth-party dependencies (the target's vendors' vendors) have been considered
  • Whether there are audit trails for privileged vendor activity

Four-point third-party vendor cybersecurity due diligence assessment checklist infographic

Third-party exposure is also where diligence timelines get compressed most aggressively — which is exactly when a gap in vendor oversight creates post-close liability.

How Cybersecurity Due Diligence Works in Practice

The process divides into two phases: pre-transaction assessment and post-transaction integration. Organizations that treat due diligence as ending at close consistently underestimate their exposure during the highest-risk window of any deal.

Step 1: Scope the Assessment

Define what is in scope before gathering a single document. Specify which systems, data types, geographies, business units, and vendor relationships will be reviewed. Tailor depth to risk profile — a healthcare acquisition with patient data warrants deeper scrutiny than onboarding a low-access SaaS vendor.

Scoping decisions made poorly at this stage produce gaps that surface post-close.

Step 2: Gather and Verify Information

Collect documentation including:

  • Security policies and governance documents
  • Audit reports (SOC 2, penetration test results, vulnerability assessments)
  • Incident logs and breach history
  • Cyber insurance coverage and claims history
  • Third-party agreements and security requirements

Use structured questionnaires as a starting point, but supplement them with independent technical review. Self-disclosure is insufficient — organizations may not know what they don't know, or may omit unfavorable findings. What a questionnaire captures is what an organization chooses to report; independent verification reveals what is actually present.

Step 3: Analyze and Quantify Risk

Technical findings that stay in security language never reach the decision-makers who need to act on them — and that gap is where most assessments fail.

Effective risk analysis translates findings into business terms:

  • Financial exposure — estimated cost of identified vulnerabilities, by severity
  • Deal-breakers vs. conditions — which issues require resolution before close vs. which can be addressed through price adjustment, escrow, or post-close remediation
  • Remediation costs — what it will take to close each gap, and who owns it

Tyson Martin works specifically at this intersection — translating technical findings into board-ready, risk-rated inputs that deal teams can act on rather than defer.

Step 4: Report and Act

Produce findings in a format boards and deal teams can use. That means:

  • Risk-rated issues with financial implications
  • Recommended actions, owners, and timelines
  • Clear distinction between pre-close requirements, price-adjustment items, and post-close remediation plans

The Marriott/Starwood case is instructive. Starwood's systems were compromised in 2014. Marriott acquired Starwood in September 2016. The breach wasn't detected until September 2018 — two years post-close. The ICO subsequently fined Marriott £18.4 million. The risk existed before the deal. The governance to surface it didn't.

Four-step cybersecurity due diligence process flow from scoping to reporting

Red Flags and Deal-Breakers to Watch For

Not every finding is a deal-breaker. But some are. Here's what warrants immediate escalation:

Undisclosed or unresolved breaches If a target cannot provide a clear account of past incidents — or shows signs of active compromise — this is a material liability risk. Acquirers may inherit legal exposure for incidents they didn't cause. The Yahoo and Marriott cases both demonstrate this in documented, costly detail.

No incident response plan, or an untested one An organization that has never run a tabletop exercise has a fundamental governance gap. Having a document matters far less than whether the people responsible know their roles, have practiced them, and can execute under pressure.

Excessive or unmonitored third-party access Vendors, contractors, or legacy integrations with broad access and no audit trails represent systemic risk. Particularly when there are no contractual security requirements and no access reviews.

Regulatory non-compliance without a credible remediation roadmap Open violations, lapsed certifications, or outdated data processing agreements can delay close, trigger post-close regulatory scrutiny, or fuel indemnification disputes. Sector-specific flags — HIPAA, PCI-DSS, SEC disclosure rules — each carry distinct financial exposure that requires expert interpretation, not just a compliance checklist.

Common Pitfalls and Misconceptions

Treating It as a Checkbox Exercise

Reviewing a SOC 2 summary or completing a vendor questionnaire and calling it due diligence is one of the most common and costly mistakes. Certifications confirm that an organization met a defined standard at a point in time. They say nothing about current control effectiveness or actual threat exposure.

As Tyson Martin frames it for the boards he advises: when teams treat a security assessment like an audit drill, they optimize for passing audits. Policies look complete, controls look mapped — meanwhile real paths to material loss stay open.

Stopping at Transaction Close

The post-merger integration window is when cybersecurity risk peaks. Systems are being connected, staff are distracted, and threat actors specifically target companies mid-acquisition. That period creates genuine exposure across several fronts:

  • Identity sprawl from merged user directories
  • Unreviewed admin accounts inherited from the target
  • Inconsistent logging across newly connected systems
  • Rushed network integrations that bypass change controls

Post-merger integration cybersecurity risk factors identity sprawl admin accounts logging network

Boards should expect a 90-day security integration backlog with owners and dates — not a handoff to whoever manages IT post-close.

Conflating Compliance Certification with Security Maturity

A SOC 2 Type II report or ISO 27001 certification says nothing about whether controls are working today. Maturity means something more specific: controls perform consistently next month as they do now, a named owner can demonstrate it, and gaps get escalated — not buried in the backlog.

Frequently Asked Questions

What is cybersecurity due diligence?

It's the structured process of evaluating an organization's security posture, controls, and risk exposure before a significant business decision — most commonly M&A or vendor onboarding. The goal is to ensure decision-makers understand the risks they're taking on before they're locked in.

What are the key components of cybersecurity due diligence?

Five core areas: security controls, policies and governance, regulatory compliance, incident response capability, and third-party and supply chain exposure. Effective diligence addresses all five . Focusing only on the most visible areas is how material risks get missed.

What is included in vendor cybersecurity due diligence?

Vendor due diligence assesses the security posture of third parties with access to your systems or data : controls, certifications (SOC 2, ISO 27001), incident history, data handling practices, and contractual security obligations. Depth of review should scale with access level and data sensitivity.

What are red flags in cybersecurity due diligence?

The most critical warning signs: undisclosed or unresolved breaches, the absence of a tested incident response plan, excessive unmonitored third-party access, and open regulatory compliance violations without a credible remediation plan.

What is a good example of cybersecurity due diligence?

A private equity firm scopes the review against CIS Top 18 controls, collects and independently verifies policies and audit reports, then identifies an undisclosed breach in the incident logs. That finding gets used to negotiate remediation costs — via escrow or purchase price adjustment — into the deal structure before close.

How long does cybersecurity due diligence typically take?

A focused M&A assessment typically takes two to four weeks; a complex organization with extensive third-party relationships can require six to eight. Time-boxing the process without adequate scope creates gaps that surface post-close, and those gaps are always more expensive than the time saved.