Cybersecurity Due Diligence for M&A

Pre- and Post-Transaction Assessment Can Uncover Costly Risks


The company looks great on paper — it has an innovative product, a great sales team and a lean approach to expenses. Whether the business model is centered around customer data, intellectual property or proprietary information, a key question often overlooked by investors is: “Has management really recognized the issues and risks posed by insecure data protection?”


Figure 1: Sample cybersecurity due diligence steps in pre- and post-transaction

Even Good Companies Can Be Unprepared

Cybersecurity due diligence for M&A can help identify and assess the risks an acquisition would represent. These risks can include undisclosed deep and dark web data leaks; insufficient technical controls, policies and procedures; and untested or deficient incident response plans, all of which are required to protect a company’s most valuable information assets. Cybersecurity due diligence can also help quantify remediation costs and identify potential exposures, supporting a restructuring of the investment should insufficient controls or latent breaches be discovered.

For more than 40 years, Kroll has advised private equity firms, hedge funds, investment banks and venture capital investors on reputational due diligence matters. Our cyber experts provide the same high level of care and attention in conducting your cyber due diligence, enabling us to:

  • Identify information security risks and shortcomings in governance, operations and technology
  • Research undisclosed or unknown data breaches
  • Assess the company’s ability to detect and respond to a cybersecurity incident

Pre- and Post-Transaction Support

Kroll’s team can help companies assess risks and vulnerabilities throughout the entire M&A process, including implementing the proper systems, policies, and governance post-transaction.


Using four customizable modules, described below, to assess a firm’s cyber strengths and weaknesses, Kroll’s thorough gap analysis provides actionable information for management to sharpen their practices and procedures.


A thorough deep and dark web assessment is conducted to help the investment firm better understand possible exposures impacting the organization or their vendors. This pre-transaction evaluation can be completed remotely with minimal input from the organization and does not require internal system access, shedding light on potential leaks or previous breaches for a more transparent due diligence assessment.


Kroll’s patent-protected CyberDetectER® DarkWeb contains over 13 years of indexed dark web data that is supplemented every day by more than 3 million files. Our team will build a Dynamic Signature Profile containing a set of key terms and IP addresses related to the target company, which will help identify any exposed data that could be lurking on the dark web or previously unknown breach incidents, and determine the best way to mitigate and remediate any threats.




Kroll CyberDetectER® Endpoint can be quickly deployed across all endpoints in the target organization to search for known-bad and unusual behaviors, continuously monitoring virtually all endpoint activity and feeding the data through the unique detection engine of our strategic partner, Red Canary.


Endpoint data will help identify any existing malware or infection point, and Kroll’s cyber security experts will work with the team to determine appropriate steps to contain and respond to threats.




Kroll’s Cyber Risk Assessment evaluates an organization's information security program to identify vulnerabilities and assess the risks the acquisition would represent. Our assessment is performed by information security experts and includes a comprehensive review of the policies, procedures and technical controls that comprise the program to determine the organization's ability to mitigate threats, detect malicious activity and effectively respond to a security incident.


Risk assessments are performed using Kroll’s proprietary methodology built from years of incident response and investigations work and can be adapted to include industry standard frameworks such as ISO, NIST, PCI-DSS, HIPAA/HITECH, GLBA, CIS, and others to help evaluate the risk the acquisition would represent and ensure compliance with all stated regulatory requirements.




In this module, our professional penetration testing teams will evaluate the effectiveness of an organization's technical controls, processes and procedures to ensure they are performing as expected and to identify any lapse in defenses that could lead to a breach or system compromise.


Kroll will conduct simulated attacks that include examining systems for exploitable vulnerabilities and social engineering exercises against employees to determine the level of risk each represents to the organization. Findings from this exercise will provide measurable insight into the real-world risks the organization faces.



CASE STUDY: Agile Cyber Due Diligence for Global Investment Firm

A leading global investment firm with over $150 billion in assets under management, aware of the wide-ranging consequences of data security and privacy incidents, sought Kroll’s assistance for the development of a cyber due diligence framework to evaluate the maturity of their mergers and acquisitions targets.

To support a large number of fast-moving investments, the cyber diligence framework had to be as accurate as possible given time constraints and limited access to internal systems.


Our Cyber Risk experts developed a security evaluation based on the CIS Top 20 Critical Security Controls™ to determine a company’s propensity to be breached and overall cyber posture. The light-touch evaluation provided a high-level overview and included three core areas:

  • A review of the existing policies and procedures of the investment target, including incident response plans
  • The completion of a written questionnaire or phone interview
  • An analysis of previous assessment reports (such as SOC2) when available


Once implemented, Kroll’s cyber due diligence framework required less than two hours from the investment company’s Information Security team, while providing the key insights needed for a more judicious valuation on each deal.

Key Deliverables

Irrespective of which modules are part of the cybersecurity due diligence exercise, Kroll experts will assist you in evaluating the risks associated with a planned acquisition. Deliverables from each of these assessments will provide a detailed analysis of the security posture of the organization and help you to plan a successful integration strategy based on our expert guidance.