M&A security: due diligence checklist
Buying or investing in a company? Get clear on the cyber risk picture.
Mergers and acquisitions (M&A) are heating up.
Below is a list of things you might consider requesting from an investment or acquisition target. It’s probably too comprehensive for a minority stakeholder, but might make sense for a full buyout.
I’ll update this over time, so feel free to bookmark. And please comment with anything I missed!
company risk register.
asset inventory (with disclosure of known gaps).
software bills of material (SBOM) for all assets, in CycloneDX format.
at a minimum include all known vulnerabilities in the relevant field and complete at least the
analysis-justificationfield for every entry.
include all security tools (endpoint detection and response, etc.) deployed to each asset as part of the SBOM.
documentation of security and privacy practices integrated into the Software Development Life Cycle (SDLC) including:
type and % code coverage of all application security tools in use.
% of code development subjected to:
peer developer review
Copies of all:
information security risk assessments.
attestations (audit reports, questionnaires) received from or provided to third parties in the past 2 years.
penetration test reports from the past 2 years and remediation actions taken.
cyber insurance claims made in the past 5 years.
Lists of all:
security incidents in the past 5 years.
a security incident is any known or suspected violation of a security policy.
also provide all documented steps taken following each incident
data access provided to third parties and its classification (exclude anything authorized for public release).
individuals with administrative access to one or more company systems.
Business continuity/disaster recovery (BC/DR) plan.
documentation, including after-action reviews, of all drills in the past 2 years.
full-time equivalents (FTE) working in cybersecurity, their responsibilities, and their skills.
security awareness training programs in place, topics covered, tools used, and quantitative metrics detailing their effectiveness (participation rates, % click on phishing email tests over time, etc.).
Inspiration for the list came from this LinkedIn post.