Cybersecurity Due Diligence for Private Equity: A Practitioner's Checklist
What deal teams should actually be looking for in 2026 cyber DD — and how to structure the engagement so material findings surface before close, not after.
TLDR
- Cyber DD treated as a checkbox produces clean reports and material post-close surprises; cyber DD treated as a value-shaping discipline produces actionable findings that change deal structure.
- The five priority questions are about asset visibility, third-party access, segmentation, monitoring, and incident response — same priority order whether the target is industrial, SaaS, or services.
- Material exposure rarely surfaces in the data room. It surfaces in the gap between what the vendor's report says and what the target's operations actually do.
- Post-close integration risk is typically the biggest unmitigated cyber exposure in PE-owned platforms — and almost never appears in pre-close DD reports.
- The single highest-ROI piece of governance hygiene in cyber DD is independent review by a party who is not the incumbent vendor and was not the seller's audit firm.
Cybersecurity due diligence used to live in the same bucket as data-room legal review: a checkbox owned by the firm's tech-DD vendor, scoped narrowly, and treated as a procedural step that rarely changed deal terms.
That arrangement no longer reflects how cyber risk translates into balance-sheet impact. Three things changed. The SEC's 2024 incident disclosure rule made material cyber events into public-company disclosure events with documented timing requirements. NIS2 in Europe — and the personal liability provisions specifically — moved cyber governance failures into a category that follows the people involved, not just the entity. And the threat-actor capability that used to be reserved for nation-state targets now operates routinely against mid-market industrials, MSPs, regional healthcare networks, and the long-tail SaaS targets that PE-backed companies overwhelmingly are.
The deal-team question is therefore no longer "did the target pass an audit?" It is "what do we know about how this company actually defends itself, what surprises will surface in the first eighteen months post-close, and which of those surprises will require us to disclose, renegotiate insurance, or fund unanticipated remediation?"
This is a practitioner's view of what PE cyber DD should look like in 2026 — drawn from running diligence on operating companies in regulated, infrastructure, and high-data sectors. It assumes a 4-8 week deal cycle, a mid-market target, and a deal team that has done this enough times to know that "no findings" is not the same as "no exposure."
CONTENTS
- 01 Why cyber DD became material in 2026 deals
- 02 The five questions that surface material exposure
- 03 The post-close integration trap
- 04 When to walk vs. when to renegotiate
- 05 Common diligence-record failure modes
- 06 Building a defensible diligence record
- 07 When to bring in an independent reviewer
- FAQ Frequently asked questions
01 / 07
Why cyber DD became material in 2026 deals
Three forcing functions converged.
The SEC's 2024 incident disclosure rule. Material cyber incidents at public companies — and the public companies that PE-backed targets eventually exit to — became time-bound disclosure events. A target with a chronic, undisclosed cyber issue that materialises post-close is now a Form 8-K event with a four-business-day window, which produces a categorically different kind of legal and reputational exposure than the same incident in 2023.
NIS2 personal liability. The EU's 2024 NIS2 implementation introduced personal liability for senior management cybersecurity governance failures in covered sectors. That has two PE consequences. First, individuals being acquired into operating-company leadership roles inherit personal-risk exposure that most LOIs and indemnification structures don't cleanly cover. Second, the documentation of "reasonable governance" — board minutes, evidence of independent review, a demonstrable risk-reduction trajectory — becomes part of the asset being acquired; where that documentation is absent, the absence is itself a finding.
Threat-actor downshift. Capability that used to require nation-state resources now operates routinely against mid-market industrials, regional logistics, regional healthcare networks, MSPs, and the long-tail SaaS layer where most PE-backed companies operate. The 2023 MOVEit incidents demonstrated that a single supply-chain compromise can produce cross-portfolio exposure for a PE firm — multiple companies in the firm's portfolio, each affected through the same dependency, none of which surfaced in their respective pre-close DD reports.
The combined effect is that cyber DD is no longer a procedural step that can be safely outsourced to whichever firm wrote the technology DD report. It is a value-shaping question that affects pricing, integration planning, and post-close indemnification structure.
02 / 07
The five questions that surface material exposure
The same five questions that move a board cyber discussion forward also do most of the work in DD. The deal-team adaptation is mostly about whose answers you trust and what the absence of an answer tells you.
1. What does the target own, and how do they know? Asset inventory accuracy is the foundation. The follow-up to a "we have a CMDB" answer is: built how, last reconciled when, and what's the variance between the CMDB and a network footprint established by independent passive discovery? In the diligence engagements I've run, the gap between asserted inventory and discovered inventory has been a reliable inverse indicator of overall security maturity. Targets that can produce a current inventory within 5% accuracy and explain how it was built are usually more mature across other dimensions; targets that can't are usually less mature elsewhere too, even if their other answers sound right.
2. Who has remote access to production environments, and how does that list change? Third-party access is the single most-cited entry point in incident post-mortems. The DD-specific question: how many integrators, vendors, and contractors currently have credentialed access to production, what is the recertification cadence, and what happens when a third-party engagement ends? Production access counts that haven't reduced over the past 12 months — particularly when the target says they have a privileged-access management solution — usually mean PAM is deployed but not driving access lifecycle.
3. How segmented is the production environment from corporate and from the supply chain? Segmentation tells you the blast radius of a successful compromise. Number of network zones, number of crossing points, and the controls at each crossing point — ideally referenced against Purdue (industrial), zero-trust architecture (SaaS), or the relevant sector framework. The finding that matters is variance: targets with explicit, documented zone boundaries usually contain incidents; targets with "we have firewalls" usually don't.
4. What does the target monitor, and what's the alert-investigation discipline? Detection is harder than it looks because operational engineers train themselves to ignore noise. The DD question: what's the ratio of alerts investigated to alerts generated? When was the last suspected incident, even if it turned out benign? Targets with a "we haven't had any incidents" answer either have unusually mature defences or — far more commonly — have monitoring that isn't working. The diligence implication is the same in both cases: ask for the last ten investigated alerts, anonymised.
5. If something happens during integration, what's the first hour? Incident response in PE-backed companies is uniquely fragile because the operating-company team is often understaffed for IR while integration changes are happening simultaneously. The DD question: is there a current playbook, has it been tabletop-exercised in the last 12 months with the people who would actually run the response, and does it contemplate the specific complications of integration (new tooling, changed identity stack, new third-party access)? The "we'd call our cyber insurer" answer is necessary; it's not sufficient.
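The evidence behind questions 1, 2 and 4 can be reduced to a handful of checkable numbers once the target exports its CMDB, a passive-discovery host list, its third-party access register and a recent alert log. The script below is an added illustration, not part of the original essay or any vendor's tooling; the host names, accounts and alert records are constructed sample data, and the thresholds (5% inventory variance, 12-month recertification) are the ones the text uses.

```python
"""Scorecard for three of the five DD questions, run over constructed evidence exports."""
from datetime import date

# --- Question 1: asserted inventory vs independently discovered footprint ---
def inventory_variance(cmdb, discovered):
    """Return (hosts seen but not inventoried, hosts inventoried but not seen, variance ratio).
    The variance ratio is the symmetric difference over the discovered footprint, so that
    both shadow assets and stale CMDB rows count against the target."""
    cmdb_set, disc_set = set(cmdb), set(discovered)
    unknown = sorted(disc_set - cmdb_set)   # live on the wire, nobody owns it
    stale = sorted(cmdb_set - disc_set)     # on paper only
    ratio = (len(unknown) + len(stale)) / max(len(disc_set), 1)
    return unknown, stale, ratio

# --- Question 2: third-party production access recertification ---
def stale_third_party_access(accounts, as_of, max_age_days=365):
    """Third-party accounts holding production access whose last recertification
    is older than max_age_days (12 months in the essay's framing)."""
    return sorted(
        a["account"] for a in accounts
        if a["prod_access"] and (as_of - a["last_recert"]).days > max_age_days
    )

# --- Question 4: alert-investigation discipline ---
def investigation_ratio(alerts):
    """Fraction of generated alerts that were actually investigated."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["investigated"]) / len(alerts)

def score_target(cmdb, discovered, accounts, alerts, as_of):
    unknown, stale, ratio = inventory_variance(cmdb, discovered)
    return {
        "inventory_variance": round(ratio, 3),
        "inventory_within_5pct": ratio <= 0.05,
        "unknown_hosts": unknown,
        "stale_cmdb_hosts": stale,
        "stale_third_party_accounts": stale_third_party_access(accounts, as_of),
        "alert_investigation_ratio": round(investigation_ratio(alerts), 3),
    }

# Constructed sample evidence (hypothetical target; not real hosts or vendors).
SAMPLE_CMDB = ["plc-01", "hist-01", "app-01", "db-01", "jump-01"]
SAMPLE_DISCOVERED = ["plc-01", "plc-02", "hist-01", "app-01", "db-01", "vendor-vpn-01"]
SAMPLE_ACCOUNTS = [
    {"account": "integrator-acme", "prod_access": True, "last_recert": date(2024, 3, 1)},
    {"account": "vendor-mdr", "prod_access": True, "last_recert": date(2025, 9, 15)},
    {"account": "contractor-x", "prod_access": False, "last_recert": date(2023, 1, 1)},
]
SAMPLE_ALERTS = [{"id": i, "investigated": i < 3} for i in range(10)]  # 3 of 10 looked at
SAMPLE_AS_OF = date(2026, 1, 15)

if __name__ == "__main__":
    for key, value in score_target(SAMPLE_CMDB, SAMPLE_DISCOVERED, SAMPLE_ACCOUNTS,
                                   SAMPLE_ALERTS, SAMPLE_AS_OF).items():
        print(f"{key}: {value}")
```

On the sample data the target fails the 5% inventory bar (two live hosts nobody inventoried, one phantom CMDB row), carries one integrator account not recertified in over a year, and investigates 30% of alerts; each is a line of questioning for the management session rather than a finding on its own.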
03 / 07
The post-close integration trap
This is where most deals lose money on the cyber dimension, and it is what almost no DD report describes.
Pre-close, the target's environment is bounded. Their CMDB approximates their production. Their IR playbook references their tooling. Their access controls reflect their vendor relationships. Cyber DD reports against this environment.
Post-close, integration begins. New identity provider rolls out. Email tenant gets merged. Endpoint security gets standardised on the platform's preferred tooling. Network segmentation gets opened up to enable shared services. Each of these is a deliberate operational change with a cyber consequence — often an initial increase in attack surface, before the new control set fully reaches steady state. The window where this matters is typically months 2-9 post-close.
The integration trap is that the cyber DD report describes the static, pre-integration environment, and the integration plan is owned by IT or the platform CTO who is rarely incentivised to surface cyber implications of the integration sequence. The result: the DD report becomes a snapshot of an environment that no longer exists by the time the major incident risk is highest.
The mitigation is not more pre-close DD. It is integration-phase cyber risk planning that explicitly maps each integration step to its transient cyber exposure. This rarely appears in DD reports. It should appear in the 100-day plan, with a named owner who is not the platform CIO and reports separately to the audit committee or operating partner.
04 / 07
When to walk vs. when to renegotiate
Material cyber findings in DD don't usually kill deals; they should change them. The framework I use:
Walk when: the target has had a material undisclosed incident in the past 24 months and the disclosure was a representation in the LOI; asset inventory and access management both fail at the basic-hygiene level (this combination signals systemic operational weakness, not isolated cyber failure); the target's primary product has a fundamental architectural cyber issue (hard-coded credentials in shipped firmware, plaintext PII transit on customer-visible APIs) that requires breaking changes to remediate; or regulatory exposure is higher than disclosed and the target hasn't begun remediation — this is usually a sign of management style as much as cyber maturity.
Renegotiate price or structure when: specific findings carry quantifiable remediation cost (typical: $250K - $5M, scaling with target size); the insurance market won't underwrite cleanly without remediation milestones; compliance posture is materially behind and creates a ramp-up cost in the first 12 months; or customer-facing cyber risk affects retention assumptions in the model.
Insure or indemnify when: findings are material but bounded with clear remediation paths; the seller has begun remediation but completion lands in the integration window; or a specific known issue has acceptable residual risk after a defined investment.
The pattern most worth avoiding: papering over a material finding with a vague representation about "industry-standard security practices." That language is unenforceable, and the underlying issue surfaces post-close anyway.
05 / 07
Common diligence-record failure modes
Five patterns I see repeatedly:
Vendor incumbency. The target's existing security vendor is hired to write the DD report on the target's own posture. This produces a clean report regardless of underlying maturity. The conflict is structural; the only mitigation is independent review.
SOC-2-equivalence. A SOC 2 Type II report is treated as equivalent to cyber DD. They overlap maybe 40% in scope. SOC 2 verifies that controls described exist and operate; it does not verify that they're sufficient against current threat actors, that the control set covers the asset inventory, or that the architecture is defensible. Treating SOC 2 as cyber DD is the single most-cited reason post-close findings surface.
Compliance ceiling. The DD scope is calibrated to compliance frameworks (HIPAA, PCI, ISO 27001) rather than threat-actor capability. Compliance frameworks are floors; they don't describe ceiling capability. A target can be fully compliant and trivially compromised, particularly in industrial and OT-adjacent environments.
Tooling inventory ≠ posture. Reports that describe tooling deployed (EDR, SIEM, MDR vendor) without describing how the tooling is operated, tuned, and acted upon are inventory reports, not posture reports. The question is operational discipline, not deployed-product count.
Integration silence. Most reports stop at the pre-close environment. They don't describe what changes during integration, which is when the largest cyber exposure typically emerges.
06 / 07
Building a defensible diligence record
The diligence record matters because it is the document that will be cited if (a) a material cyber issue surfaces post-close and (b) the LP question becomes "what did the GP know and when did they know it?"
A defensible record has five components:
1. Scope of work that explicitly addresses the five priority questions. Not "general cyber assessment." Named questions, named methods, named output.
2. Evidence of independent review. Either a different vendor or a different report from the seller's tech-DD vendor — and ideally both. Independence is what makes the record defensible.
3. A residual-risk register at close. Not a list of findings — a register of what's still exposed, scored, with named owners and remediation timelines. This becomes the integration-period cyber roadmap.
4. Insurance positioning evidence. Documentation of how cyber findings were communicated to the insurance broker, and how the binding policy reflects the diligence record. This protects against future coverage disputes.
5. Board minutes referencing the DD findings. The acquired company's first post-close board cycle should explicitly reference the cyber findings and remediation plan. This shifts cyber from a deal artifact to a governance artifact, which is what regulators and litigators look for under NIS2 and SEC frameworks.
The combination produces a record that survives both adversarial scrutiny and time. The absence of any one of these is itself a finding.
07 / 07
When to bring in an independent reviewer
Most cyber DD I review wasn't bad. It was insufficient — sufficient for the deal as scoped, insufficient for the deal as it actually played out post-close.
Independent review pays for itself in three specific patterns:
Mid-market industrials. OT/ICS environments are a different attack surface than IT, and most cyber DD vendors don't have OT-specific capability. An independent reviewer with industrial-control experience routinely surfaces material findings the IT-focused incumbent missed.
Cross-border targets. Multi-jurisdiction regulatory exposure (NIS2 in Europe, sector-specific in the US, emerging in APAC) compounds in ways that single-jurisdiction reviewers consistently underweight.
SaaS targets with complex tenancy. Multi-tenant architecture with shared infrastructure creates patterns of customer-data exposure that generalist DD vendors often miss. The CISO of a SaaS target may not even know what an IT-focused reviewer should be checking.
A fourth pattern is increasingly common: material LP attention. When the deal is large enough that LP advisory committees will see the cyber DD record, independent review is increasingly an LP expectation rather than a GP option.
The cost is typically 15-30% of the primary cyber DD scope. The return is the difference between a record that holds up under adversarial scrutiny and one that doesn't.
CONCLUSION
Cyber DD has moved from procedural to material in the span of two deal cycles. The deal teams that have already adjusted are running shorter, sharper, more independent cyber DD that produces actionable findings — and using those findings to shape deal structure rather than to confirm that the structure already in place is fine.
The change isn't that cyber DD requires more time. It's that it requires different time: less in the data room, more on integration planning; less on tooling inventory, more on operational discipline; less on the seller's vendor's report, more on independent verification.
If your firm's last three deals produced a cyber DD report that read substantially the same — same scope, same vendor, same "no material findings" framing — that's the gap. The deals where material findings should have surfaced and didn't are the deals where the next eighteen months will produce them anyway.
FAQ
Frequently asked questions
How early should cyber DD start in the deal cycle?
As early as the LOI is signed and management is willing to grant access. Cyber DD that starts in week three of an eight-week diligence has insufficient time to surface integration-relevant findings. The deal teams I work with move first-meeting-with-the-CISO into week one, even if access to deeper artifacts comes later. The questions that produce the most leverage — asset inventory accuracy, third-party access posture, last-incident retrospective — are conversations, not documents, and conversations need calendar time to schedule and follow up on.
What's a reasonable scope and budget for cyber DD on a mid-market PE deal?
For a typical $50M-$500M EV mid-market deal, expect $40K-$120K for adequate cyber DD with independent review. Below that range, scope is usually too narrow to surface material findings. Above that, scope creep is more likely than added value. The single most important budget item is independent review; underfunding that part is where deals lose money post-close. The cost is small relative to typical post-close remediation costs when material findings surface — typically a 10x-30x payoff against the diligence budget.
Internal team or external firm — which works better for primary cyber DD?
External, with one specific exception: a PE firm with multiple OT-heavy portfolio companies and an internal cyber lead with industrial-control experience can sometimes run primary cyber DD better than generalist external firms. For everyone else, external. The conflict-of-interest concerns of using the same firm for primary and independent review are real; use two firms even when budget pressure suggests otherwise. The independence is more valuable than the cost saved.
How do I value a cyber finding for purposes of price adjustment?
Three components: direct remediation cost (capex + opex), insurance market reaction (premium impact + retention impact + coverage reduction), and revenue-at-risk (customer churn from undisclosed posture, regulatory delay, sales-cycle slowdown). The first is straightforward; the second requires broker engagement; the third requires honest conversation with management about customer concentrations sensitive to security posture. The full number is usually 1.5-3x the remediation-cost-only estimate. Deals that adjust on remediation cost alone systematically underprice the finding.
What's the difference between cyber DD and a SOC 2 review for an acquisition?
SOC 2 verifies a defined control set is present and operating. Cyber DD verifies the control set is sufficient against the threat profile, that the asset inventory is accurate, that integration risk is bounded, and that the management team can operate the program post-close. A SOC 2 Type II report is a useful input to cyber DD; it is not a substitute for cyber DD, and treating it as one is the single most common reason material findings surface post-close instead of pre-close. Particularly in B2B SaaS deals where SOC 2 is part of the sales motion, deal teams should treat it as marketing collateral with audit backing — relevant but not sufficient.