Cyber Due Diligence: The 7 Questions Investors Are Asking Now
PE investors are systematically integrating cybersecurity into their M&A processes. Target companies that arrive unprepared risk price reductions – or the collapse of the deal entirely.
Private equity firms have understood what their lawyers and auditors have long known: cybersecurity risks are business risks. And business risks affect the purchase price.
What three years ago was still an exception – an explicit cyber assessment within the due diligence process – is today standard practice among professional investors.
Why Cyber Due Diligence Is Now Standard
Three developments have accelerated this shift:
Regulatory liability: NIS2 and DORA create personal liability for security incidents. An investor acquiring a company with unknown compliance gaps inherits that liability.
Insurance market: Cyber insurance is becoming more expensive and selective. Insurers increasingly demand documentation of security maturity for new policies and renewals.
Post-merger integration risk: Connecting two IT infrastructures is the most common attack vector for breaches targeting newly merged companies. Investors want to understand that risk before the transaction closes.
The 7 Questions Investors Ask
1. Is there a documented ISMS?
An Information Security Management System does not need to be ISO 27001 certified – but it must exist. Companies that cannot produce documentation signal structural immaturity.
2. When was the last external penetration test?
Ideally no more than 12 months ago. And just as important: were the identified vulnerabilities demonstrably remediated?
3. What does the attack surface look like?
External Attack Surface Management – which systems, services and subdomains are reachable from the internet? How are they monitored?
4. Which critical third-party vendors have access to systems or data?
Supply chain risks are real risks. A compromised vendor can expose the entire company.
5. Is there a demonstrable incident response capability?
The question is not whether an attack happens, but how quickly and in what structured manner the company can respond. Investors want to see playbooks – not improvisation.
6. What regulatory obligations exist?
ISO 27001, SOC 2, NIS2, DORA, EU AI Act – depending on sector and customer base, different requirements apply. Unmet obligations are purchase price risks.
7. Are there known open security incidents or vulnerabilities?
Due diligence teams actively search for data breach histories, outstanding vulnerabilities and unresolved security incidents.
What This Means for Target Companies
Companies expecting a transaction in the next 12–24 months should proactively document their cyber maturity now – not as a reaction to buyer requests, but as strategic positioning.
A structured security assessment ahead of a sales process offers two advantages: it eliminates known gaps before they become negotiating points. And it provides management with the documentation investors will demand regardless.
Woodlands Advisory conducts M&A security audits from both sides of the transaction – as adviser to investors assessing target companies and as adviser to companies preparing for transactions.
Let us discuss your specific situation.
30 minutes. Confidential. Non-binding.