What is Cyber Due Diligence?


Cyber due diligence assesses acquisition targets' security posture to identify risks before deal close. Learn what it evaluates, why questionnaire-only approaches fail, and how PE sponsors use it.

What Cyber Due Diligence Evaluates

A comprehensive cyber due diligence assessment evaluates:

External attack surface — what internet-facing systems and services are exposed, what vulnerabilities they carry, and what an attacker with no prior knowledge could access.

Identity and access management — the configuration of Active Directory or cloud identity, MFA deployment, privileged account management, and the controls preventing unauthorized access.

Cloud security posture — the configuration of cloud environments against security best practices, including storage access, IAM policies, and logging coverage.

Endpoint security — what endpoint protection is deployed, on what percentage of systems, and whether it is effectively monitored.

Vulnerability management maturity — how the organization identifies and remediates vulnerabilities, and what the current vulnerability landscape looks like.

Compliance posture — whether the organization meets relevant regulatory requirements and what gaps exist.

Incident response capability — whether the organization could effectively respond to a significant cyber incident.

The PE Due Diligence Challenge

Traditional financial and legal due diligence has developed established methodologies over decades of practice. Cyber due diligence is newer, less standardized, and requires specialized technical expertise that most deal teams lack internally. The consequence is that cyber risk is either underweighted in acquisition assessments, evaluated through questionnaire-only approaches that miss technical reality, or delegated to generalist technology consultants who lack the offensive security and detection engineering background required to identify actual exploitable exposure.

When to Conduct Cyber Due Diligence

Pre-Letter of Intent screening using OSINT and security rating tools provides a rapid external exposure assessment for early-stage deal evaluation. Full technical diligence — including internal network access, Active Directory assessment, and penetration testing — should be conducted after LOI and before close, structured as a standard component of technical due diligence alongside technology stack assessment and IP review. Post-close integration assessment validates that the security posture has not changed during the close process and establishes the baseline for post-acquisition security improvement.

Real-World Example: Marriott Acquires a Breach

When Marriott International acquired Starwood Hotels in 2016, Starwood's reservation database had already been compromised by Chinese threat actors — a breach that began in 2014 and would not be discovered until 2018. Marriott inherited the breach and, when discovered two years post-close, faced an ICO fine of £18.4 million and total exposure including US regulatory actions and litigation. Thorough cyber due diligence would have identified indicators of the ongoing compromise. The case permanently changed how major acquirers approach cybersecurity in M&A.

78% of PE sponsors have encountered unexpected cybersecurity issues post-acquisition that were not identified during due diligence — making cyber the leading source of post-close surprise in PE transactions where technical diligence was inadequate.

How Cloudskope Can Help

Cloudskope's M&A Cyber Due Diligence practice provides rapid, actionable technical assessment of acquisition targets aligned to PE deal timelines. Our assessments identify the cyber risks being acquired, quantify remediation investment, and provide the post-close security roadmap that drives value creation.