M&A Cyber Due Diligence: The Checklist for Target Companies
Many companies discover their security gaps only during the sale process — when it's too late to close them without a price reduction. Twelve areas that buyers systematically examine, and how to prepare.
Companies entering a sale process regularly encounter an uncomfortable surprise: in the course of technical due diligence, buyers uncover security problems that the company's own management was unaware of. What passes as adequate internally often becomes the basis for a price reduction once it is viewed through an external examiner's lens.
The problem is avoidable. The prerequisite is that the target company knows and addresses the same checkpoints that professional buyers apply as standard.
What Buyers Systematically Examine Today
The following checklist reflects the standard that PE investors, strategic buyers, and their technical advisors apply in M&A processes. It is not exhaustive — but it covers the areas where transactions regularly stall or lose value.
1. Documented Information Security Management System (ISMS)
Does an ISMS exist? Is it documented in writing? When was it last updated? An ISMS does not need to be ISO 27001-certified — but it must visibly exist and be maintained. The absence of any documentation signals structural maturity deficits that weigh on the acquisition price.
2. Current Penetration Tests
When was the last external penetration test conducted? Were the results documented, and have identified vulnerabilities demonstrably been remediated? Buyers want to see not just the report — but the measures that followed from it.
3. External Attack Surface
Which systems, services, subdomains, and ports are reachable from the internet? Is there an inventory of this attack surface? Exposed services with outdated software or expired certificates are directly flagged as risk items.
4. Access Management and Identity Security
Is there a structured Identity and Access Management approach? Are access rights reviewed regularly? Are privileged accounts specifically protected (MFA, logging)? How are departing employees removed from systems?
5. Critical Third-Party Vendors and Supply Chain Security
Which external partners have access to company systems or data? Do security requirements exist for these partners? Are they verified? Supply chain compromises are one of the most common attack vectors — buyers examine them accordingly.
6. Backup and Business Continuity
How is data backed up? How frequently? Where are backups stored — including offsite? Are restorations tested? Companies without offsite backups or documented recovery procedures carry heightened ransomware risk in buyers' assessment.
7. Incident Response Capability
Does an incident response plan exist? Has it ever been tested? Who is responsible in the event of a security incident, and how quickly can a response begin? A documented plan is not a luxury — it is a prerequisite for most cyber insurance policies.
8. Regulatory Compliance Position
Which compliance obligations apply — NIS2, ISO 27001, SOC 2, DORA, GDPR? Which are fulfilled, which are open? Are there ongoing audits or known violations? Open compliance gaps are regularly negotiated as risk assumption in purchase agreements.
9. Data Protection and Data Classification
Where is personal data stored, and of what type? Are data processing agreements in place with service providers? Have there been known data breaches or GDPR reporting obligations? Structural GDPR deficits have been a standard topic in European transactions since 2018.
10. Security Culture and Awareness
Are there regular security training sessions for employees? Are phishing simulations conducted? How is security culture embedded in the company? Buyers understand that technical measures provide little protection when employees remain the weakest link.
11. Logging and Monitoring
Are security-relevant events logged? Is there a SIEM or at minimum structured log aggregation? How long are logs retained? Without monitoring, the company has no visibility into attacks — and therefore no ability to detect an ongoing incident.
12. Known Open Risks
Are there known, unpatched vulnerabilities in production systems? Is there security-related technical debt that has been documented but left unaddressed? What is the plan to close these gaps? Open risks that were known internally but not disclosed can constitute a breach of warranty in due diligence processes.
Why Preparation Before the Process Is Decisive
Most of these points can be remediated — if sufficient time is available. A penetration test requires lead time. Building an ISMS takes weeks. Cleaning up access rights is work, not just a decision.
Those who address these checkpoints only under buyer pressure negotiate from the weaker position. Those who proactively work through them position themselves as a mature, well-managed company — and prevent security gaps from becoming a purchase price argument.
Woodlands Advisory conducts preparatory cyber due diligence for target companies — as a structured readiness process ahead of the sale. The outcome: documented security posture, closed gaps, a position that holds up in negotiation.