Skip to main content
Intarmour
Resources • Checklist

M&A Cyber Due Diligence Checklist

Over 50 evaluation items across eight critical domains. Developed from direct experience across European PE transactions, this checklist provides deal teams with a systematic methodology for identifying cyber liabilities before capital commitment.

Overview

Cyber risk is one of the most material and frequently underassessed liability categories in M&A transactions. Acquirers inherit undisclosed breaches, regulatory non-compliance, and technical debt that erodes enterprise value — yet most deal teams lack a structured framework for evaluating these exposures within compressed auction timelines.

This checklist provides a comprehensive, prioritised assessment framework integrating with standard diligence workflows. Each item is categorised by domain, risk severity, and assessment methodology, enabling deal teams to scope evaluation proportionate to transaction size, sector, and available target access. Refined across transactions spanning technology, financial services, healthcare, and industrial sectors, with particular attention to GDPR, NIS2, and DORA liability exposure.

What's Included

Eight assessment domains with detailed evaluation criteria, scoring methodology, and risk classification guidance.

Domain 1

Security Architecture

  • Network segmentation and topology review
  • Firewall configuration and rule set audit
  • Endpoint detection and response (EDR) deployment coverage
  • Encryption standards for data at rest and in transit
  • Cloud infrastructure security posture (AWS, Azure, GCP)
  • Security monitoring and SIEM implementation status
Domain 2

Regulatory Compliance

  • GDPR compliance posture and Data Protection Officer status
  • NIS2 entity classification and compliance readiness
  • Sector-specific regulatory obligations (DORA, PSD2, MiFID II)
  • Cross-border data transfer mechanisms and adequacy decisions
  • Data Processing Agreement inventory and audit status
  • Privacy Impact Assessment completion for high-risk processing
Domain 3

Incident History

  • Historical breach disclosure and notification records
  • Regulatory investigation history and outcomes
  • Insurance claim history related to cyber events
  • Dark web credential exposure assessment
  • Prior penetration testing findings and remediation status
  • Security incident trending and root cause analysis
Domain 4

Data Protection

  • Data classification framework and implementation
  • Personal data processing inventory and legal bases
  • Data retention policies and enforcement mechanisms
  • Backup architecture and recovery time objectives
  • Data loss prevention controls and monitoring
  • Cross-jurisdictional data flow mapping
Domain 5

Third-Party Risk

  • Critical vendor inventory and dependency mapping
  • Vendor security assessment methodology and cadence
  • Supply chain concentration risk analysis
  • Fourth-party risk visibility and monitoring
  • Contractual security requirements in vendor agreements
  • SaaS application inventory and shadow IT assessment
Domain 6

Technical Debt

  • Legacy system inventory and end-of-life software
  • Patch management cadence and vulnerability backlog
  • Infrastructure modernisation requirements and cost estimates
  • Custom application security review status
  • Database version currency and migration requirements
  • Hardware lifecycle management and refresh planning
Domain 7

Access Management

  • Identity and access management architecture
  • Privileged access management controls and monitoring
  • Multi-factor authentication deployment coverage
  • Joiner-mover-leaver process maturity
  • Service account inventory and credential rotation
  • Remote access architecture and zero-trust readiness
Domain 8

Business Continuity

  • Business continuity plan documentation and testing cadence
  • Disaster recovery architecture and RTO/RPO validation
  • Incident response plan maturity and tabletop exercise history
  • Crisis communication framework and stakeholder notification
  • Cyber insurance coverage adequacy and policy terms
  • Operational resilience testing and scenario planning

Why It's Valuable

For deal teams, this checklist replaces ad-hoc assessments and generic vendor questionnaires with a structured methodology validated across real transactions and calibrated to the risk categories that most frequently cause post-acquisition value erosion.

For Investment Committees, it provides a governance framework demonstrating systematic cyber risk evaluation before capital commitment. Outputs translate directly into identified liabilities, estimated remediation costs, regulatory penalty exposure, and warranty negotiation recommendations.

For portfolio operations teams, the completed checklist establishes a baseline informing the first 100 days of post-acquisition security improvement — priority items identified, budgets quantified, and integration risks documented for immediate action upon deal completion.

Download the Checklist

Provide your professional email to receive the complete M&A Cyber Due Diligence Checklist, including scoring methodology and risk classification guidance.

We respect your privacy and will never share your information.

Related Services

Advisory Service

Technical Due Diligence

Full-scope pre-acquisition cyber risk assessment with quantified liability reporting for Investment Committees, warranty negotiation support, and post-acquisition remediation roadmaps. Calibrated to deal timelines with phased delivery.

Learn More →

Ready for institutional-gradecybersecurity?

Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.

Schedule Assessment →View Services