Cybersecurity Due Diligence for M&A: A Practitioner's Framework
By Dritan Saliovski
Cybersecurity due diligence in M&A has evolved through three generations, from IT audit checkbox to compliance framework to the risk-based, quantitative value protection model that now determines deal outcomes. This practitioner's framework covers the eight assessment domains, three-tier investment structure, and Expected Annual Loss methodology that PE firms and corporate acquirers use to make defensible investment decisions.
Key Takeaways
- An eight-domain framework (governance, infrastructure, applications, data protection, identity, incident response, third-party risk, and compliance) provides complete coverage for middle-market M&A cybersecurity assessment
- Three-tier investment structure optimizes ROI: pre-LOI screening ($5K-15K, 24-72 hours) eliminates deal-breakers; comprehensive assessment ($50K-150K, 3-4 weeks) informs valuation and structure; post-close monitoring ($15K-30K annually) protects value through the hold period
- Expected Annual Loss (EAL), breach probability × expected impact across identified scenarios, translates technical findings into the $2-8M financial risk figures that drive purchase price adjustments and holdback sizing
- Technical assessment uncovers 65-75% of material findings that document-only review misses: vulnerability scanning, configuration analysis, and architecture review reveal risks invisible in management-prepared documentation
- Industry-specific requirements vary significantly: healthcare requires HIPAA and medical device security focus; financial services demands regulatory examination review; SaaS requires SOC 2 and multi-tenancy assessment; manufacturing requires OT/IT segmentation evaluation
How the Assessment Has Evolved
Third-generation cybersecurity due diligence differs fundamentally from its predecessors. The defining feature is quantification, translating technical findings into financial figures that inform valuation models and deal structure.
| Generation | Period | Approach | Key Characteristic or Limitation |
|---|---|---|---|
| First | 2000-2010 | IT audit checklist | No financial quantification; treated as IT-only issue |
| Second | 2010-2018 | Compliance-focused | Framework coverage without deal integration |
| Third | 2018-present | Risk-based value protection | Quantitative, deal-integrated, board-level visibility |
| Fourth (emerging) | 2024+ | AI-enhanced intelligence | Continuous pipeline monitoring; predictive risk modeling |
Without quantification, even technically excellent diligence fails to influence deal outcomes. A report identifying 312 vulnerabilities is not actionable. A report translating those vulnerabilities into a $3.2M expected annual loss that drives a $4M holdback is.
The Eight Assessment Domains
A complete cybersecurity assessment evaluates these domains. For middle-market transactions, total expert assessment time runs 40-60 hours; industry-specific overlays add 8-16 hours for healthcare, financial services, or OT environments.
| Domain | Primary Evaluation Focus | Assessment Time |
|---|---|---|
| Governance | CISO reporting line, board oversight, security policies | 4-6 hours |
| Infrastructure | Patch management, EDR, network segmentation, cloud config | 8-12 hours |
| Applications | SDLC security, API controls, vulnerability tracking | 6-8 hours |
| Data protection | Encryption, data classification, DLP, cross-border transfers | 4-6 hours |
| Identity management | MFA adoption, PAM, access reviews, third-party access | 4-6 hours |
| Incident response | IR plan maturity, test frequency, historical incident review | 4-6 hours |
| Third-party risk | Vendor inventory, risk assessments, critical vendor coverage | 4-6 hours |
| Compliance | Active certifications, audit findings, regulatory history | 4-6 hours |
The gap between document review findings and technical assessment findings is typically largest in infrastructure and identity management, exactly the domains where exploitable vulnerabilities originate.
Expected Annual Loss: Translating Risk to Deal Economics
EAL methodology is the translation layer between technical findings and deal terms:
EAL = Σ (Breach Probability × Expected Impact) across all material scenarios
For a SaaS target with inadequate access controls and 150,000 customer records:
| Scenario | Annual Probability | Expected Impact | EAL Contribution |
|---|---|---|---|
| Ransomware | 25% | $3.5M | $875K |
| Data breach (customer records) | 15% | $8.2M | $1.23M |
| Regulatory enforcement (GDPR) | 10% | $4.0M | $400K |
| Total EAL | | | $2.5M |
This $2.5M annual exposure informs a $3-5M holdback over 18-24 months and a $10-15M cybersecurity indemnification cap, numbers that both the investment committee and the counterparty can negotiate around. Without EAL methodology, cybersecurity findings remain a narrative risk list with no anchor in the deal structure.
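As an added worked example (not code from the original article), the EAL calculation above for the SaaS target in Python, with input validation and a re-rating function that shows how a remediated control changes the exposure; the post-remediation probability used in the usage block is a constructed assumption, not a figure from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One material breach scenario in the EAL model."""
    name: str
    annual_probability: float  # probability of occurrence in a year, 0.0-1.0
    expected_impact: float     # expected loss if it occurs, in USD

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce a meaningless EAL.
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.expected_impact < 0:
            raise ValueError(f"{self.name}: impact must be non-negative")

    @property
    def eal_contribution(self) -> float:
        # Per-scenario term of EAL = sum(probability * impact).
        return self.annual_probability * self.expected_impact


# The SaaS target from the article's table (150,000 customer records).
SAAS_TARGET = [
    Scenario("Ransomware", 0.25, 3_500_000),
    Scenario("Data breach (customer records)", 0.15, 8_200_000),
    Scenario("Regulatory enforcement (GDPR)", 0.10, 4_000_000),
]


def eal_breakdown(scenarios: list) -> dict:
    """Contribution of each scenario, keyed by scenario name."""
    return {s.name: s.eal_contribution for s in scenarios}


def expected_annual_loss(scenarios: list) -> float:
    """EAL = sum over material scenarios of probability * impact."""
    return sum(s.eal_contribution for s in scenarios)


def eal_after_remediation(scenarios: list, new_probabilities: dict) -> float:
    """EAL once named scenarios are re-rated, e.g. after a control is fixed.

    The revised probabilities are the assessor's input (an assumption here)."""
    revised = [Scenario(s.name, new_probabilities.get(s.name, s.annual_probability),
                        s.expected_impact) for s in scenarios]
    return expected_annual_loss(revised)


if __name__ == "__main__":
    for name, usd in eal_breakdown(SAAS_TARGET).items():
        print(f"{name:<32} ${usd / 1e6:.2f}M")
    print(f"Total EAL: ${expected_annual_loss(SAAS_TARGET) / 1e6:.2f}M")
    # Constructed assumption: fixing access controls cuts breach probability to 5%.
    fixed = {"Data breach (customer records)": 0.05}
    print(f"After remediation: ${eal_after_remediation(SAAS_TARGET, fixed) / 1e6:.2f}M")
```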
The Three-Tier Investment Structure
The three-tier approach eliminates the false choice between thorough-but-slow and fast-but-superficial:
| Tier | Timing | Investment | Output |
|---|---|---|---|
| Pre-LOI screening | Before LOI submission | $5K-15K | Go/no-go, preliminary risk summary, key diligence flags |
| Comprehensive assessment | Post-LOI, pre-close | $50K-150K | Full report, EAL, deal structure recommendations |
| Post-close monitoring | Ongoing through hold | $15K-30K/year | Remediation validation, emerging risk alerts |
The screening tier protects against wasted confirmatory diligence investment: material issues surface before the $50K-150K commitment is made. For a firm evaluating 200 opportunities a year, eliminating 15-20% of problematic targets through screening avoids $1.5-3M in misdirected diligence costs annually.
Industry-Specific Assessment Requirements
Standard framework coverage provides the foundation; industry-specific overlays address sector risk concentrations that generic assessment misses.
| Sector | Primary Additional Focus |
|---|---|
| Healthcare | HIPAA Business Associate Agreements, medical device FDA cybersecurity documentation, OCR enforcement history |
| Financial services | FFIEC examination ratings, PCI-DSS QSA audit reports, fraud detection system architecture |
| SaaS / Technology | SOC 2 Type II report and exception analysis, multi-tenancy isolation architecture, open source component management |
| Manufacturing | OT/IT network segmentation, ICS/SCADA patch management, remote access controls to production systems |
Healthcare receives particular scrutiny because cybersecurity findings can prevent deal close: HHS OCR requires corrective action plans before permitting ownership changes in companies with material HIPAA violations.
What This Means in Practice
Deal teams that apply this three-tier framework from the start of a process, rather than commissioning diligence as a confirmatory exercise post-LOI, make structurally better decisions. They price more accurately, structure holdbacks around quantified risk, and avoid post-close surprises that erode hold-period returns. For how findings translate into specific deal structure and valuation adjustments, see how cybersecurity due diligence protects deal value. For rapid external assessment in competitive processes, see digital due diligence in 24-72 hours. For how GenAI is accelerating due diligence workflows with appropriate governance, see GenAI in tech and cyber due diligence.
The M&A Cybersecurity Due Diligence Checklist covers the complete evaluation framework for all eight domains, EAL calculation templates, industry-specific assessment overlays, and deal structure templates for translating findings into holdbacks, indemnification caps, and insurance requirements.
For how AI-augmented vulnerability discovery is reshaping what counts as a competent cybersecurity assessment, see our analysis of Project Glasswing and the new assessment baseline. Deal teams commissioning cybersecurity due diligence should expect acquirers and insurance markets to begin asking whether AI-augmented methods were used.
Frequently Asked Questions
What are the eight domains of a comprehensive M&A cybersecurity assessment?
A complete assessment covers governance (CISO reporting line, board oversight, security policies), infrastructure (patch management, EDR, network segmentation), applications (SDLC security, API controls), data protection (encryption, data classification, DLP), identity management (MFA adoption, PAM, access reviews), incident response (IR plan maturity, test frequency), third-party risk (vendor inventory, risk assessments), and compliance (certifications, audit findings, regulatory history).
What is Expected Annual Loss (EAL) and how is it used in M&A transactions?
Expected Annual Loss (EAL) is calculated by multiplying breach probability by expected impact across all material risk scenarios. For example, a SaaS target with inadequate access controls might have a 25% annual ransomware probability at $3.5M impact ($875K EAL contribution) plus a 15% data breach probability at $8.2M impact ($1.23M contribution), producing a total EAL of $2.5M. This figure directly informs a $3-5M holdback and $10-15M cybersecurity indemnification cap that both parties can negotiate around.
How much does M&A cybersecurity due diligence cost?
The three-tier investment structure covers: pre-LOI screening at $5K-15K (24-72 hours), which eliminates deal-breakers before significant resources are committed; comprehensive confirmatory assessment at $50K-150K (3-4 weeks), which informs valuation and deal structure; and post-close monitoring at $15K-30K annually, which validates remediation and protects value through the hold period.
What do technical assessments find that document reviews miss?
Technical assessment uncovers 65-75% of material findings that document-only review misses. The gap between documented controls and actual implementation is typically largest in infrastructure and identity management, exactly the domains where exploitable vulnerabilities originate. External vulnerability scanning, configuration analysis, and architecture review reveal risks invisible in management-prepared documentation and self-reported questionnaires.
Sources
- IBM. Cost of a Data Breach Report 2023.
- HHS OCR. HIPAA Enforcement and Corrective Action Plans. hhs.gov. 2025.
- AICPA. SOC 2 Type II Reporting Framework.
- PCI Security Standards Council. PCI-DSS Compliance.
- FFIEC. IT Examination Handbook.
- FDA. Cybersecurity in Medical Devices.