Cyber Due Diligence: Benefits and Best Practices

18 Oct 2023

Published on

Bob Nicolson | Head of Consultancy

bob.nicolson@nicolsonbray.com

It is becoming increasingly important for deal teams to understand the level of cyber security risk being taken on as part of the acquisition process.

In 2016, Marriott International Inc (Marriott) acquired Starwood Hotels & Resorts Inc (Starwood) for c. $13.6b. Unknown to them at the time, the Starwood guest booking system was insecure and had suffered a cyber breach in 2014, exposing the details of 339 million guests, 7 million from the UK.

On discovery of the attack in 2018, Marriott was fined £18.4m by the Information Commissioner’s Office (ICO).

With cyber crime on the rise and an increase in geopolitically motivated attacks, it is becoming increasingly important for deal teams to understand cyber risks and manage them accordingly.

Cyber due diligence is an effective and efficient way of doing this.

The value of cybersecurity due diligence

Whilst some of the benefits of cybersecurity due diligence may be obvious, others are less straightforward:

  • Gaining visibility of cyber threats: Delving deep into a company’s digital DNA to uncover latent vulnerabilities and ongoing attacks.
  • Informing negotiations: Resolving cyber issues can be costly.  Awareness of issues pre-acquisition allows for remediation costs to be built into the deal price or resolved prior to acquisition.
  • Minimising deal disruptions: Unexpected cyber issues discovered mid-deal can delay the process, leading to additional costs and changes to the investment lifecycle.
  • Highlighting future investment requirements: Identifying vulnerabilities and associated costs for pre- or post-acquisition remediation.
  • Laying strategic foundations: Establishing a robust cybersecurity strategy for the deal lifecycle.

When to carry out cyber due diligence?

Cyber due diligence can be carried out at three key stages in the deal lifecycle.

Pre-acquisition: Illuminating hidden vulnerabilities

Traditionally, pre-acquisition due diligence zeroes in on financials, operations, legal, and, more commonly now, technology and IT.

However, more robust cybersecurity due diligence should be woven into traditional due diligence processes for high-value and complex deals, and when dealing with highly digitised businesses or businesses that are inherently under increased cyber threat, such as those that process a large amount of personally identifiable information (PII).

In a recent engagement, a client was concerned by the storage of credit card information by an acquisition target and associated Payment Card Industry Data Security Standard (PCI DSS) compliance risk.

On carrying out cybersecurity due diligence, more deep-seated problems came to light in addition to the PCI DSS risk. Legacy systems, believed to be reliable, revealed several significant security vulnerabilities. 

More alarmingly, sensitive guest PII lay exposed, vulnerable to potential breaches. These insights weren't mere data points. They were powerful negotiation tools, ultimately compelling the target company to address and rectify these issues.

By integrating cybersecurity due diligence into pre-acquisition checks, not only did the deal proceed, but it did so with significantly reduced financial and reputational cyber risks.

Post-acquisition: Addressing issues to align systems

Once the acquisition is complete, practical work begins to address identified issues. The insights gained from cyber due diligence play a defining role in shaping the company's technological trajectory.

This phase plans business and technology strategies for the next three to five years, rooted in cybersecurity best practices.

Pre-divestment: Preparing for deals to strengthen positions

Pre-divestment cyber security due diligence can be key to ensuring that cyber issues do not delay a deal or, worse, impact disposal valuation.

Recently, Nicolson Bray was engaged by a SaaS provider in the education sector for a pre-divestment security review. On inspection, their software development processes were robust, and their product secure. However, several significant issues were discovered in the infrastructure the product was hosted on, again putting highly sensitive PII at risk.

Having gained a detailed understanding of the business and technology architecture, we were able to recommend key cyber security improvements, which they implemented prior to beginning the disposal process. 

The outcome was a smooth divestment six months later.

Whether it's pre-acquisition, post-acquisition, or on the eve of divestment, timely and comprehensive cyber security scrutiny can prevent disruption and preserve deal value.

Key components

The following steps describe the cyber due diligence process.

1: Business-level risk identification

Initially, it is key to identify business-level risks related to the industry sector and relevant regulations, geography, sensitive R&D and business operations.

For instance, where a company’s intellectual property is core to its value, relevant protections should be implemented.

2: Cybersecurity governance evaluation

To understand if a business manages its cyber or information security risk properly, it is important to understand the governance structures that have been put in place.

How robust is the approach? What reporting is provided to senior management and the board?  Are information security responsibilities defined and understood at all levels in the business?

Lack of transparency and consistency here can lead to unknown information security risks.

3: Third-party and supplier evaluation

Recent high-profile supply chain attacks such as SolarWinds have highlighted that potential risk is not solely held within internal business operations.

Understanding the cybersecurity risk stemming from vendors, suppliers, and business partners is now crucial.

Reviewing a business’s key third-party relationships forms a core part of cyber security due diligence.

4: Technical security review

Every company's cyber framework has its strengths and weaknesses. Pinpointing control gaps, outdated systems, and other vulnerabilities clearly identifies where remediation is required.

By reviewing technical controls, it is possible to understand the technical improvements that will be required and their associated costs.

5: Technical testing

Going further than an architectural review, high-risk areas can benefit from in-depth technical testing. This can reveal unknown coding and configuration errors, which could lead to a data breach.

For instance, in the case of SaaS providers, it can be beneficial to carry out a penetration test on the core product to identify vulnerabilities and weaknesses.

6: Final analysis

The final analysis brings together the output from the preceding steps and comprehensively describes the target company's cyber risk landscape.  The key is a prioritised list of the actions needed to bolster its defences and mitigate cyber risks.

How Nicolson Bray supports cyber security due diligence

Nicolson Bray’s tailored cyber health check penetrates business and technical aspects to provide deal teams with first-class insight into target company and PortCo cyber threats.

Focusing on analysis-driven real-world business risks, our due diligence assessments are instrumental in shaping pre- and post-acquisition cyber strategy and give concrete and pragmatic advice.

We deliver to tight deadlines, suiting deal timelines without sacrificing precision and detail.

When it comes to translating complex cyber findings, our reporting is crystalline, and we’ll work with you to gauge the practical next steps.

For more information about our expertise and offerings, learn more here.

FAQ

  • What is cyber security due diligence? Cyber security due diligence is a rigorous assessment of a company's cyber risk landscape before making pivotal investment decisions. It’s often conducted in tandem with traditional due diligence (DD).
  • What value does cyber security due diligence bring before a merger or acquisition? The process is instrumental in unearthing cyber risks, shaping negotiation strategies, reducing deal disruptions, pinpointing areas for future cyber investments, and crafting a strategic cybersecurity blueprint.
  • How time-intensive is the cyber security due diligence process? While the time frame can vary based on the company's intricacies, at Nicolson Bray we have honed our expertise to align with the demanding timelines of fast-moving, high-stakes deals.
  • What spectrum of security risks can the assessment highlight? The range is expansive - from legacy system vulnerabilities to potential regulatory non-compliances and latent data protection gaps.

In today's digitised investment landscape, due diligence has evolved beyond financials and operations to encompass cyber security.

Cyber due diligence guards against the hidden pitfalls that can compromise an investment's value and the work and reputational damage that can ensue.

For PE firms or businesses considering M&A deals, this process is indispensable. It informs negotiations, pre-empts cyber setbacks, and serves as the foundation for future cyber strategies.

Nicolson Bray offers detailed, timely and cost-effective cyber security health checks tailored to PE deals, M&As, and other forms of investment and divestment.

Find out more here or contact us today to discuss your requirements.
