Cybersecurity Due Diligence M&A

Pre- and post-transaction assessments can uncover costly risks.


Kroll’s cyber due diligence services help you make better-informed M&A decisions

  • Identify actual cyber security lapses or potential at-risk areas in your targets
  • Quantify remediation costs and help restructure investments if needed
  • Demonstrate data security commitment to stakeholders and regulators

Cybersecurity Due Diligence for M&A

Figure 1 - Sample cybersecurity due diligence steps in pre- and post-transaction

Even Sophisticated Companies Can Be Unprepared
The acquisition target looks great on paper: it has an innovative product, a great sales team and a lean approach to expenses. But when it comes to understanding cybersecurity risk, investors should look deeper than self-disclosures.

Around the world, private equity firms, hedge funds, investment banks and venture capital investors are turning to Kroll’s cybersecurity due diligence services to help make better-informed M&A decisions.

Cybersecurity Due Diligence Overview
Independent cyber due diligence from Kroll can help assure that the cybersecurity history and outlook at your target company are strong. Our experts can also help identify material cyber-related weaknesses that must be addressed if you are to avoid or fully account for potential post-transaction risks, fines and costly remediation:

  • Identify information security risks and shortfalls in governance, operations and technology
  • Research undisclosed or unknown data breaches
  • Assess the target’s ability to detect and respond to a cybersecurity incident
  • Quantify potential remediation costs from multiple angles: operational, financial and reputational, based on previous or unknown exposures

Pre- and Post-Transaction Services
To provide the most comprehensive coverage, Kroll offers four cyber due diligence modules to help you uncover, assess and address information security risks, both pre- and post-transaction. Each module is customizable for every transaction; additionally, you can select and deploy the combination of services that best matches your risk concerns, speed of the deal, and level of access to the buy-side company.

For organizations seeking to be acquired, positive findings or timely remediation based on these assessments – especially Modules 3 and 4 – can allay potential buyers’ concerns and accelerate a deal's close.

Module #1 – Deep and Dark Web Exposure
Kroll’s patent-protected CyberDetectER® DarkWeb contains over 13 years of indexed dark web data that is supplemented every day by more than 3 million files. This enables us to conduct a deep and dark web assessment of unprecedented scope to identify any exposed data or to uncover previously unknown breaches.

This high-level screening does not need access to an organization's network, so it can be completed quickly and efficiently. This ultimately paves the way for determining how to best remediate any risks.

Module #2 – Compromise Assessment*
Kroll Responder can be quickly deployed across all endpoints in the target organization to search and monitor for known bad and unusual behaviors. When endpoint data identifies existing malware or infection points, Kroll’s cyber security experts stand ready to take appropriate steps to contain and respond to threats.

Module #3 – Cyber Risk Assessment
Risk assessments are performed using Kroll’s proprietary methodology built from years of incident response and investigations work. We can also adapt our assessments to include industry standard frameworks, such as ISO, NIST, PCI-DSS, HIPAA/HITECH, GLBA, CIS and others to help ensure compliance with all stated regulatory requirements in your sector.

Our framework allows for agile assessments that require minimal input from the target company, but can also include a deeper review given access to internal systems.

Module #4 – Vulnerability Assessment / Penetration Testing*
Our professional penetration testing teams will carry out simulated attacks that include examining systems for exploitable vulnerabilities as well as gauging employee awareness by means of social engineering exercises. These tests will provide measurable insight into the real-world risks your organization faces.

*Assessment is often conducted immediately post-transaction or can be performed pre-transaction by those seeking to be acquired.

Case Study: Agile Cyber Due Diligence for Global Investment Firm
A leading global investment firm with over $150 billion in assets under management, aware of the wide-ranging consequences of data security and privacy incidents, sought Kroll’s assistance for the development of a cyber due diligence framework to evaluate the maturity of its mergers and acquisitions targets.

To support a large number of fast-moving investments, the cyber diligence framework had to be as accurate as possible given time constraints and limited access to internal systems.

Our Cyber Risk experts developed a security evaluation based on the CIS Top 20 Critical Security Controls™ to determine a company’s propensity to be breached and overall cyber posture. The light-touch evaluation provided a high-level overview and included three core areas:

  • A review of the existing policies and procedures of the investment target, including incident response plans
  • The completion of a written questionnaire or phone interview
  • An analysis of previous assessment reports (such as SOC 2) when available

Once implemented, Kroll’s cyber due diligence framework required less than two hours from the investment company’s Information Security team, providing the key insights needed for a more judicious valuation on each deal.

Key Deliverables
Irrespective of which modules are part of the cybersecurity due diligence exercise, Kroll experts will assist you in evaluating the risks associated with a planned acquisition. Deliverables from each of these assessments will provide a detailed analysis of the security posture of the organization and help you to plan a successful integration strategy based on our expert guidance.


Joel Bowers
Managing Director
Cyber Risk

Greg Michaels
Managing Director and Global Head of Proactive Services
Cyber Risk

How we can help

Cyber Vulnerability Assessment

Proactively identify vulnerable systems and devices that may be exploited by an attacker or malicious software, often resulting in data loss or breach.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

HIPAA Security Risk Assessments

Kroll’s HIPAA security risk assessments are unique in how they help you meet HIPAA standards.

CCPA Compliance Assessment

Our data privacy and compliance experts translate the technical into practical and cut through less-than-specific legal requirements to navigate the complex compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

CMMC Preparedness Assessment

Kroll’s Cybersecurity Maturity Model Certification (CMMC) preparedness assessment leverages frontline expertise to examine organizations’ maturity in accordance with their desired CMMC level and deliver actionable steps to satisfy U.S. Department of Defense (DoD) requirements.

Data Mapping for GDPR, CCPA and Privacy Regulations

Cyber security and privacy experts from Kroll lead CCPA and GDPR data mapping exercises to identify and catalog crucial data categories, elements and processing activities, helping meet different regulatory requirements.

Remote Work Security Assessment

Kroll’s remote work security assessment identifies vulnerabilities of work-from-home employees and networks, and provides guidance on minimizing the risks posed by a decentralized network often complicated by personal devices and unstructured environments.

