M&A Security Due Diligence Checklist: What to Audit Before You Close the Deal

Request these documents at the earliest stage where it is commercially appropriate. Some sellers will not provide full documentation pre-LOI; start with the documents that inform your initial risk posture assessment.

Documents to request:

Questions to ask before document review:

1. When was your last security incident, and what was the nature of it?
2. Have you ever paid a ransom to a threat actor?
3. Are you aware of any active security investigations, regulatory inquiries, or pending breach notifications?
4. What is your single biggest security concern with the business right now?
5. Has any customer raised a security-related complaint or contractual concern in the last 12 months?

The answer to question 4 is often the most useful thing you hear in the entire diligence process. The target's CISO, if they are honest, will tell you exactly what they are worried about.

After LOI, request access for a more detailed technical review. Depending on deal size and sensitivity, this may include an independent third-party technical assessment.

Identity and access review

Request an export from the target's identity provider:

• Total user count vs. active employee count (gap indicates stale accounts)
• MFA enrollment rate and enforcement status
• List of users with admin or elevated access to production systems
• Date of last access review
• Offboarding tickets for the last 10 departures -- did access get revoked within 24 hours?

Red flags:

• More IdP accounts than employees (orphaned accounts common after layoffs)
• MFA available but not enforced
• Admin list includes contractors, consultants, or former employees
• No documented access review in the last 12 months

Cloud environment review

Request read-only access to cloud accounts (or a trust-but-verify: have the target run the AWS Security Hub findings report and share it):

• Security Hub score and critical finding count
• GuardDuty enabled and active finding count
• CloudTrail coverage (all regions? cross-account logging?)
• Public S3 buckets (any?)
• RDS instances with public access
• Root account MFA status
• IAM users with programmatic access and no rotation

Red flags:

• No cloud security tooling in place (no GuardDuty, no Security Hub, no CSPM)
• Active GuardDuty findings that have not been investigated
• Public S3 buckets they cannot explain
• Root account used for day-to-day operations (access keys present)

Endpoint and network review

• EDR coverage: what percentage of endpoints have EDR deployed?
• Patch management: what is the current unpatched critical CVE count and average age?
• Network segmentation: is production separated from corporate?
• VPN or zero trust architecture in use for remote access?

Red flags:

• Less than 90% EDR coverage on production systems
• Critical CVEs more than 30 days old on internet-facing systems
• Corporate laptops on the same network segment as production databases

Data inventory and classification

• What categories of PII does the company collect and process?
• What regulated data types are present? (PHI, PCI, GDPR-regulated data, CCPA)
• Where is customer data stored? Is it in systems the target controls?
• Are there data retention and deletion policies? Are they enforced?

Red flags:

• Company collects PII but has never done a GDPR or CCPA assessment
• Customer data found in SaaS tools the target forgot about (Zendesk, Mixpanel, Segment, HubSpot) without appropriate DPAs
• No data deletion capability -- cannot honor customer deletion requests

Incident history is the most underinvestigated area in security due diligence. Sellers have incentives to downplay incidents. Acquirers rarely push hard enough.

What to request:

• Full incident log for the last 36 months, including minor incidents and near-misses
• For any incident involving customer data or regulated data: the incident report, timeline, customer notification record, and regulatory notification record
• Evidence of cybersecurity insurance claims filed in the last 5 years
• Any legal matters, regulatory inquiries, or customer complaints related to data security or privacy

The questions that reveal undisclosed incidents:

1. Have you ever received a ransomware demand? What happened?
2. Have you ever had a data exposure where customer data was accessible externally?
3. Have you ever rotated credentials org-wide due to a suspected compromise?
4. Has your cyber insurance carrier ever raised premiums or required remediation following a claim?
5. Have you received any notifications from threat intelligence services or law enforcement about your systems?

Question 5 is particularly revealing. FBI Ic3, CISA, and threat intel vendors frequently notify companies that their credentials or data appear in criminal forums. Companies that received such notifications may have had a breach they did not fully investigate.

Technical indicators of undisclosed past compromise:

If you get read-only access to the target's environment, look for:

• CloudTrail events showing unusual API activity in the prior 12-24 months (mass S3 downloads, bulk IAM changes)
• EDR or AV alerts that were dismissed without investigation
• Active scheduled tasks, cron jobs, or startup scripts that cannot be attributed to known software
• Outbound connections to unusual destinations in firewall or flow logs
• Accounts created at unusual times (late night, weekends) that are still active

These are not proof of compromise -- they are indicators that warrant further investigation before close.

Not all security findings are equal. The question is not 'are there security issues?' -- there are always security issues. The question is: which issues are priced into the deal, which require remediation escrow, and which are deal-breakers.

Price into the deal (common, remediable):

• Missing SOC 2 (but a credible roadmap to achieve it within 12 months)
• Vulnerability backlog that is large but has no evidence of exploitation
• Missing security tools (EDR gaps, no CSPM, limited logging)
• Policy gaps (undated policies, missing sections)
• No formal vendor security review process
• Moderate pentest findings with no active exploitation

Structure as: remediation cost estimate in the purchase price adjustment, or a post-close remediation plan with defined milestones.

Remediation escrow (significant, fixable with resources):

• Active critical vulnerabilities on internet-facing systems
• Significant data in uncontrolled SaaS tools without DPAs
• Regulatory exposure from undisclosed potential breach (GDPR, HIPAA)
• Known security debt requiring 6-18 months to remediate at material cost
• Cyber insurance lapse or coverage dispute

Structure as: holdback or escrow equal to the estimated remediation cost, released on defined milestones post-close.

Deal-breakers or require re-pricing:

• Active, ongoing compromise that the target has not remediated
• Undisclosed breach that should have triggered regulatory notification but did not
• Ransomware payment in the prior 24 months with no confirmed eradication of the threat actor
• Material misrepresentation of security posture in representations and warranties
• Regulatory investigation currently underway that was not disclosed
• Customer data stored in jurisdictions that create immediate compliance violations

Representations and warranties to require in the purchase agreement:

1. Target represents no undisclosed security incidents in the prior 36 months involving customer data
2. Target represents compliance with all applicable data protection laws in the jurisdictions where it operates
3. Target represents all customer data processing agreements (DPAs) are in place with all sub-processors
4. Cyber R&W insurance is available and recommended for material deals -- covers undisclosed pre-close liabilities

Cyber R&W insurance:

For deals above $50M, consider representations and warranties insurance with a cyber endorsement. This covers undisclosed pre-close security liabilities discovered post-close. Premiums: typically 2-4% of deal value for the insured limit.

Closing the deal creates new risk. Network interconnection before security review, inherited credentials, and legacy systems now connected to your environment are the vectors of most post-acquisition breaches.

Day 1 to Day 30: Isolation and Inventory

Before any network interconnection:

• Complete asset inventory of the acquired company's systems
• Identity audit: export all IdP users, identify duplicates with your environment, flag elevated access accounts
• Revoke all administrative access until it can be reviewed and re-granted through your provisioning process
• Do not connect the acquired company's network to yours until a segmentation review is complete
• Deploy your EDR to all acquired endpoints before any connection

Day 30 to Day 60: Access and Credential Hygiene

• Force password reset for all inherited accounts
• Enforce your MFA policy on all acquired accounts before they access your systems
• Migrate secrets from the target's secrets manager to yours
• Audit and close the target's SaaS subscriptions that are not being retained
• Review all shared credentials (service accounts, API keys) and rotate

Day 60 to Day 100: Security Program Integration

• Include the acquired company's systems in your vulnerability management scanning
• Include acquired systems in your next pentest scope
• Bring acquired employees through your security awareness training
• Update your incident response plan to include the acquired company's systems and contacts
• Report inherited security risk to your board as part of the post-acquisition integration update

The interconnection gate:

Do not merge networks until you can answer yes to all of these:

• EDR deployed to 100% of acquired endpoints?
• All admin and elevated accounts reviewed and re-provisioned?
• MFA enforced on all inherited accounts?
• No active critical vulnerabilities on internet-facing systems?
• No active GuardDuty or equivalent findings in the inherited environment?