Cybersecurity Due Diligence for M&A

A comprehensive assessment can reveal costly risks.

Kroll’s cyber due diligence services help companies make better-informed M&A decisions

  • Uncover existing cyber security lapses or potential at-risk areas in acquisition targets
  • Determine remediation costs and help restructure investments if needed
  • Demonstrate to stakeholders and regulators a commitment to data security

Figure 1: Sample cybersecurity due diligence steps, pre- and post-transaction

Even the Most Sophisticated Companies Can Be Unprepared
The acquisition target may look great on paper: an innovative product, a great sales team and an immaculate balance sheet. But when it comes to understanding cybersecurity risk, investors should not rely solely on the target’s self-disclosures.

Equity firms, hedge funds, investment banks and venture capital investors all over the world use Kroll’s cybersecurity due diligence services to make better-informed M&A decisions. 

Cybersecurity Due Diligence Overview
Independent cyber-focused due diligence from Kroll can help determine whether the target company’s cybersecurity outlook is an asset or liability. Our experts identify material cyber-related weaknesses that must be addressed to fully assess potential post-transaction risks, fines and costly remediation:

  • Identify lapses in governance, operations and technology that may present information security risks
  • Reveal any undisclosed or unknown data breaches
  • Assess the target company’s ability to detect and properly respond to a potential cybersecurity incident
  • Calculate potential remediation costs from operational, financial and reputational perspectives based on previous or unknown exposures

Pre- and Post-Transaction Services
To provide the most comprehensive coverage, Kroll offers four cyber due diligence modules to help clients uncover, assess and address information security risks, both pre- and post-transaction. We customize each module for every transaction. Clients can select and deploy any combination of services to accommodate their risk concerns, the timing of the transaction and/or the level of access afforded to the buy-side company.

For organizations looking to be acquired, a positive assessment or timely remediation of potential risks – especially any revealed under Modules 3 and 4 – can assuage potential buyers’ concerns and help close a deal. 

Module #1 – Deep and Dark Web Exposure
Kroll’s patented CyberDetectER® DarkWeb contains troves of dark web data indexed over 13 years and supplemented every day by more than 3 million files. This lets us perform a deep and dark web assessment of unprecedented scope to identify any exposed data or uncover previously unknown breaches. 

This high-level screening does not require access to the organization’s network, so we can perform it quickly and efficiently to identify risks and create a remediation plan.

Module #2 - Compromise Assessment*
We can deploy Kroll Responder quickly across all endpoints in an acquisition target to search and monitor for known bad and unusual behaviors. When endpoint data reveals any existing malware or infection points, Kroll’s cyber security experts can readily step in to contain and respond to any discovered threats.

Module #3 – Cyber Risk Assessment
Kroll performs risk assessments using a proprietary methodology built from many years and thousands of cyber incident responses. We adapt our assessments to incorporate industry-standard frameworks such as ISO, PCI-DSS, NIST, HIPAA/HITECH, GLBA and CIS, among others, to help ensure compliance with any applicable regulations.

Our approach allows us to conduct agile assessments with minimal input from the target company, with the potential for a more thorough review if given access to internal systems. 

Module #4 – Vulnerability Assessment / Penetration Testing*
Our penetration testing teams carry out simulated attacks to examine systems and identify exploitable weaknesses, and they assess employee awareness through social engineering exercises. These simulations provide measurable insight into the real-world risks a company faces.

*Assessment is often conducted immediately post-transaction but can also be performed pre-transaction for companies looking to be acquired. 

Case Study: Agile Cyber Due Diligence for Global Investment Firm
A leading global investment firm managing over £115 billion in assets, aware of the potentially devastating impact of data security and privacy incidents, sought Kroll’s assistance in the creation of a cyber due diligence framework to evaluate the maturity of potential acquisition targets. 

To accommodate a massive number of fast-moving investments, the cyber diligence framework had to be as accurate as possible under the inherent time constraints and limited access to internal systems.

Our experts developed a standardized cyber risk evaluation based on the CIS Top 20 Critical Security Controls™ to assess a company’s data breach risks and overall cyber posture. The light-touch assessment tool offered a high-level overview in three core areas: 

  • Review of an investment target’s existing policies and procedures, including any incident response plans
  • Completion of a written questionnaire or phone interview
  • Examination of any previous assessment reports (such as SOC 2) when available

Once implemented, Kroll’s customized cyber due diligence framework could be completed by the investment company’s information security team in less than two hours, providing key insights on each potential deal in an extremely short window of time.

Key Deliverables
Regardless of which modules are used in a specific due diligence exercise, Kroll experts help clients conduct a more thorough evaluation of the risks associated with a planned acquisition. Deliverables from each assessment provide a detailed analysis of the target company’s security posture and expert guidance to help companies on both sides of a transaction plan a successful integration.
