Mergers and acquisitions (M&A) are heating up.

Below is a list of things you might consider requesting from an investment or acquisition target. It’s probably too comprehensive for a minority stakeholder, but might make sense for a full buyout.

I’ll update this over time, so feel free to bookmark. And please comment with anything I missed!

1. Access to:

   1. company risk register.

   2. asset inventory (with disclosure of known gaps).

   3. software bills of material (SBOM) for all assets, in CycloneDX format.

      1. at a minimum include all known vulnerabilities in the relevant field and complete at least the analysis-state and analysis-justification field for every entry.

      2. include all security tools (endpoint detection and response, etc.) deployed to each asset as part of the SBOM.

   4. documentation of security and privacy practices integrated into the Software Development Life Cycle (SDLC) including:

      1. type and % code coverage of all application security tools in use.

      2. % of code development subjected to:

         1. threat modeling

         2. peer developer review

2. Copies of all:

   1. security policies.

   2. information security risk assessments.

   3. attestations (audit reports, questionnaires) received from or provided to third parties in the past 2 years.

   4. penetration test reports from the past 2 years and remediation actions taken.

   5. cyber insurance claims made in the past 5 years.

3. Lists of all:

   1. security incidents in the past 5 years.

      1. a security incident is any known or suspected violation of a security policy.

      2. also provide all documented steps taken following each incident

   2. data access provided to third parties and its classification (exclude anything authorized for public release).

   3. individuals with administrative access to one or more company systems.

4. Business continuity/disaster recovery (BC/DR) plan.

   1. documentation, including after-action reviews, of all drills in the past 2 years.

5. Lists of:

   1. full-time equivalents (FTE) working in cybersecurity, their responsibilities, and their skills.

   2. security awareness training programs in place, topics covered, tools used, and quantitative metrics detailing their effectiveness (participation rates, % click on phishing email tests over time, etc.).

Refer a friend

Inspiration for the list came from this LinkedIn post.