Cybersecurity and Data Breach Diligence in M&A: A Practical Playbook for Buyers and Sellers

A target company's cybersecurity posture is no longer a peripheral diligence item that buyers address after financial, legal, and operational review is complete. The Verizon-Yahoo transaction demonstrated that an undisclosed breach can reduce a purchase price by hundreds of millions of dollars. The Marriott-Starwood integration showed that a breach residing inside an acquired network at closing becomes the acquirer's problem the moment the deal closes. And the SEC's current disclosure regime makes a public company acquirer's post-close incident response a matter of regulatory record. This guide covers every layer of cyber diligence that a buyer's counsel, technical advisors, and deal team must work through before signing and before closing, and addresses the legal and contractual structures that protect buyers when gaps are found.

Alex Lubyansky, Esq., April 2026

Key Takeaways

  • Cyber diligence must run in parallel with financial and legal diligence from the moment the data room opens. Sequential review leaves buyers without findings when the purchase agreement is negotiated.
  • A target's incident history is the single most consequential data point in cyber diligence. Undisclosed or inadequately remediated prior breaches become the buyer's regulatory and litigation exposure the moment the transaction closes.
  • Privacy regime mapping (GDPR, CCPA/CPRA, HIPAA, GLBA, NYDFS) must be performed for every jurisdiction where the target processes personal data, not just the target's home state. Each regime carries independent enforcement authority and notification timelines.
  • The SEC's Form 8-K Item 1.05 four-business-day disclosure clock runs from the public company's materiality determination, not from the incident itself. Post-close integration of target systems into a public company network requires a clear escalation path from day one.
  • R&W insurance cyber exclusions and sublimits mean that cyber-specific indemnification and escrow structures negotiated in the purchase agreement remain the primary financial protection for most buyers in middle-market transactions.

1. Why Cyber Diligence Is Now as Consequential as Financial Diligence

For most of M&A practice's history, cybersecurity appeared in diligence checklists as a single line item near the end of the IT section, addressed by requesting a copy of the target's information security policy and noting whether the company had suffered any known breaches. That approach is no longer adequate, and the deals that produced the most expensive post-close surprises of the last decade illustrate why.

When Verizon agreed to acquire Yahoo's operating business in 2016, the final purchase price was reduced by $350 million after two massive data breaches affecting billions of user accounts came to light during the diligence period. The Marriott International acquisition of Starwood Hotels closed in 2016 without the buyer identifying a breach that had resided in Starwood's reservation database since at least 2014. Marriott ultimately disclosed that breach in 2018, affecting approximately 500 million guests, and incurred regulatory fines, class action settlements, and remediation costs that dwarfed what a thorough pre-close cyber diligence program would have cost.

The legal landscape has hardened significantly since those transactions. The SEC's 2023 cybersecurity disclosure rules impose mandatory Form 8-K reporting of material incidents within four business days of a materiality determination. CIRCIA created federal cyber incident reporting obligations for critical infrastructure operators. State attorneys general have pursued enforcement actions against acquirers who failed to notify affected residents of breaches discovered post-close that originated pre-close. The consequence of treating cyber as a secondary diligence category is no longer a modest remediation project. It can be a regulatory enforcement action, a class action, a regulatory fine under GDPR at up to four percent of global annual turnover, or an indemnification dispute that outlasts the deal by years.

The structural change required is straightforward in principle: cyber diligence must run on a parallel track with financial, legal, and operational diligence, beginning when the data room opens and concluding with a written findings report that counsel can translate into negotiated representations, escrow terms, and closing conditions. The sections below explain how to build and execute that workstream.

2. Building the Cyber Diligence Workstream

An effective cyber diligence workstream requires three distinct disciplines working in coordination: legal counsel reviewing contracts, regulatory compliance posture, and incident history; technical security experts assessing the target's infrastructure, architecture, and control environment; and insurance specialists reviewing cyber insurance coverage, claims history, and renewal terms. Each discipline produces findings that inform the others, and all three must be sequenced so that their outputs reach counsel before the purchase agreement is negotiated, not after signing.

On the legal side, the diligence request list should cover privacy policies, terms of service, data processing agreements with vendors and processors, regulatory correspondence with data protection authorities, litigation files involving data or security claims, historical breach notification letters, board-level cybersecurity reports, and cyber insurance certificates and endorsements. These documents establish the regulatory exposure map, the contractual obligation structure, and the baseline incident record. Gaps in documentation are themselves findings: a company that cannot produce a data processing agreement for its primary cloud provider, for example, is likely in violation of GDPR Article 28 requirements.

On the technical side, the assessment scope should address network architecture, endpoint detection and response capabilities, identity and access management, vulnerability management program maturity, patch cadence, multi-factor authentication deployment, encryption at rest and in transit, and backup and recovery procedures. Where the confidentiality agreement and target cooperation permit, active vulnerability scanning or architecture review interviews with the target's security team can supplement document review. The technical findings should be translated into risk-rated findings with estimated remediation costs, because those costs directly inform escrow sizing and price adjustments.

The workstream should culminate in a consolidated findings report that maps each identified gap to the applicable legal regime, quantifies remediation cost where possible, and ranks findings by risk severity. That report becomes the input for counsel's negotiation of representations and warranties, the basis for escrow holdback amounts, and the checklist for pre-closing remediation covenants.

3. Target Data Inventory and Classification Review

Understanding what personal and sensitive data a target company holds is the predicate for every subsequent step in cyber diligence. A company that has not maintained a current data inventory, sometimes called a record of processing activities (ROPA) under GDPR Article 30 or a data map under U.S. state privacy regimes, cannot accurately represent its compliance posture under any privacy regime, cannot accurately size its breach notification obligations in a hypothetical incident, and cannot provide the buyer with reliable information on which to base representations and warranties.

The data inventory review should address at minimum: the categories of personal data collected from each population (customers, employees, contractors, third parties), the purpose of processing for each category, the legal basis for processing under applicable regimes, the systems or applications where each category is stored, the retention period applied to each category, and the third parties with whom each category is shared. Special categories of sensitive data, including health information, financial account data, Social Security numbers, biometric identifiers, precise geolocation data, and data from minors, attract heightened regulatory scrutiny and should be identified separately because they trigger additional legal obligations and higher breach notification exposure.

A common finding in middle-market targets is that the data map either does not exist or was created for a compliance audit several years ago and has not been updated as the business added new products, vendors, or customer segments. Where the data map is outdated or absent, counsel should request that the target commission a current-state data mapping exercise before closing and include a representation that the map produced is accurate as of the closing date. The cost of this exercise is modest relative to the regulatory and indemnification risk it addresses.

Data classification also informs the technical security review. Systems storing sensitive personal data, payment card data, protected health information, or trade secrets should be subject to more rigorous security controls than general business systems, and the technical assessment should verify that the target's security architecture reflects those classification distinctions.

4. Incident History and Undisclosed Breach Risk

The target's incident history is the highest-priority factual inquiry in cyber diligence because breaches that occurred pre-close and were not remediated or disclosed become the buyer's regulatory and litigation exposure the moment the transaction closes. The Starwood example is the definitive cautionary case: the breach had persisted for years inside a network the buyer was acquiring, and the buyer assumed responsibility for all resulting regulatory fines, class action settlements, and notification costs without any price adjustment because the breach was not discovered until after closing.

The diligence request for incident history should cover at least five years and should ask for: all security incidents that were logged by the security operations center or ticketing system, all incidents that triggered a breach assessment under any applicable law, all incidents for which a breach notification was sent to affected individuals or regulators, all regulatory investigations or inquiries arising from security incidents, all litigation or threatened litigation related to security incidents or data privacy, and any incidents that affected third-party systems or vendors that the target was responsible for. The phrasing of these requests matters: sellers sometimes interpret "breach" narrowly to mean incidents that triggered formal notification, when the buyer needs to know about incidents that were investigated and determined not to require notification, because that determination may have been wrong.

Technical indicators of prior incidents include forensic artifacts in system logs, evidence of threat actor persistence, anomalous account creation or privilege escalation in Active Directory records, and dark web monitoring results showing the target's credentials or data available for purchase. Buyers who engage cyber forensic firms to conduct a technical assessment of the target's environment often find indicators of compromise that the target's own security team had not identified, which is precisely why independent technical review is necessary even when the seller represents that no material incidents have occurred.

When a prior incident is identified, the critical follow-up questions are: what was the scope of affected data, was the legal notification analysis correct given current state law requirements, was remediation completed or is the underlying vulnerability still present, and what residual regulatory exposure remains given the applicable statutes of limitations for enforcement actions and private suits.

5. Privacy Regime Mapping: GDPR, CCPA/CPRA, HIPAA, GLBA

A target company processing personal data from multiple populations across multiple jurisdictions may be subject to several privacy regimes simultaneously, each with distinct compliance obligations, enforcement mechanisms, and breach notification timelines. The diligence goal is to produce a complete map of every regime that applies to the target's data processing activities and to assess the target's compliance posture against each.

GDPR applies to processing of personal data of individuals in the European Economic Area, regardless of where the processing company is located. For U.S. targets with European customers, employees, or website visitors, GDPR compliance requires: a lawful basis for each processing activity, a current Article 30 record of processing activities, data processing agreements with all processors, valid cross-border transfer mechanisms (Standard Contractual Clauses, binding corporate rules, or an adequacy decision), documented data subject rights procedures, and a 72-hour breach notification procedure to the lead supervisory authority. GDPR fines can reach four percent of global annual turnover, making even a small EEA data processing footprint a material compliance exposure if the regime has been ignored.

CCPA as amended by CPRA applies to for-profit businesses meeting specified thresholds that process personal information of California consumers. Key compliance obligations include a compliant privacy notice at collection, a "Do Not Sell or Share My Personal Information" opt-out mechanism, consumer rights request handling procedures, data retention schedules, and service provider contracts that restrict secondary use of personal information. Healthcare information subject to HIPAA and financial information subject to GLBA are partially exempt from CCPA, but the exemption is narrow and applies to specific data elements rather than entire categories, so targets that handle mixed data populations need careful regime mapping rather than blanket exemption claims.

HIPAA applies to covered entities (health care providers, health plans, and health care clearinghouses) and their business associates with respect to protected health information. GLBA applies to financial institutions subject to FTC jurisdiction with respect to nonpublic personal financial information. Both impose security requirements in addition to privacy notice obligations, meaning that compliance is assessed against both the safeguards rule (administrative, physical, and technical controls) and the privacy rule (notice, use, and disclosure limitations). The intersection of HIPAA and CCPA, and of GLBA and state privacy laws, requires targeted legal analysis rather than general compliance statements from the seller.

6. State Breach Notification Laws and Cross-Border Implications

All 50 U.S. states, the District of Columbia, and several U.S. territories have enacted data breach notification laws, and the variation among them is significant enough that a single breach affecting residents of multiple states can trigger notification obligations under dozens of different legal regimes simultaneously. The diligence analysis must address which state laws apply to the target's customer and employee populations and whether the target has the systems in place to comply with the fastest applicable notification deadline.

The most demanding deadlines in the current U.S. state landscape include Colorado's 30-day notification requirement, Florida's 30-day requirement, and several states that require notification within 45 or 60 days of discovery. These deadlines are considerably shorter than the prior generation of state breach laws that permitted notification "in the most expedient time possible" without a fixed deadline, and companies that have not updated their incident response procedures to account for current statutory timelines may face regulatory enforcement for late notification even when the substance of their response was otherwise adequate.

Cross-border breach notification adds another layer of complexity when the target processes data from individuals in countries with their own breach notification regimes. GDPR's 72-hour supervisory authority notification requirement is the most stringent major regime currently in force, but Brazil's LGPD, Canada's PIPEDA breach notification requirements, and the breach notification frameworks emerging in Southeast Asian and Middle Eastern jurisdictions create a web of concurrent obligations that a company with international operations must be prepared to manage simultaneously. Buyers acquiring targets with international data footprints should specifically assess whether the target has a breach response procedure that identifies the applicable notification requirements by jurisdiction and has pre-designated the legal counsel or Data Protection Officer responsible for each notification stream.

Historical notification letters, regulator correspondence arising from prior notifications, and any consent orders or corrective action plans imposed by state attorneys general or international data protection authorities are among the most informative documents in a cyber diligence review. They reveal not only past incidents but how the target's management team responds to regulatory pressure and whether underlying vulnerabilities were remediated or merely disclosed.

7. NYDFS 23 NYCRR 500 and Financial Services Requirements

The New York Department of Financial Services Cybersecurity Regulation, codified at 23 NYCRR Part 500 and substantially amended in November 2023, is the most comprehensive U.S. state-level cybersecurity regulation applicable to financial institutions. It applies to covered entities including banks, insurance companies, mortgage servicers, money transmitters, and other entities licensed or registered under New York banking or insurance law, and it extends to third-party service providers that provide services to those covered entities. Acquisitions of New York-licensed financial services businesses, or acquisitions of vendors serving New York-licensed businesses, require specific NYDFS compliance diligence.

The 2023 amendments strengthened several requirements. Class A companies (those with at least 2,000 employees or $1 billion in gross annual revenue from New York operations) face heightened obligations including annual independent audits of their cybersecurity programs, more prescriptive penetration testing requirements, and enhanced governance standards requiring the board to review and approve the cybersecurity program annually. All covered entities must now maintain an asset inventory, implement privileged access management, and submit annual certification of compliance by the senior officer or officers responsible for the cybersecurity program, with personal liability attaching to false certifications.

Incident notification to NYDFS is required within 72 hours of a material cybersecurity event, defined broadly to include any unauthorized access to privileged accounts or critical systems, deployment of ransomware on the covered entity's systems, or any cybersecurity event that requires notification to other government bodies. NYDFS has pursued enforcement actions against financial institutions for untimely notification and for material misstatements in annual compliance certifications, so the diligence review of a New York-licensed target must specifically assess notification history, the completeness of prior certifications, and whether any pending regulatory inquiries relate to cybersecurity program adequacy.

Buyers acquiring a NYDFS-regulated entity must also assess whether the acquisition itself triggers notice to or approval from NYDFS, as changes in control of licensed entities typically require prior regulatory approval that must be factored into the deal timeline and regulatory strategy.

8. SEC Cyber Disclosure: Item 106 and Form 8-K Item 1.05

The SEC's December 2023 cybersecurity disclosure rules created two distinct obligations for public companies that materially affect how buyers in public company acquisitions must approach both diligence and post-close integration. The first is Item 106 of Regulation S-K, which requires annual disclosure in Form 10-K of the company's processes for assessing, identifying, and managing material risks from cybersecurity threats, the role of the board of directors in overseeing those risks, and the role of management in assessing and managing those risks. The second is new Item 1.05 of Form 8-K, which requires disclosure of material cybersecurity incidents within four business days of the company determining the incident is material.

Item 106 disclosures in the target's prior Form 10-K filings are themselves a diligence document. A company whose Item 106 disclosure describes a mature, board-overseen cybersecurity risk management program but whose technical assessment reveals a patchwork of unpatched systems and no effective incident detection capability has made disclosures that may be inconsistent with its actual control environment. That inconsistency is relevant to the accuracy of the target's Exchange Act filings and to the buyer's assessment of management credibility and disclosure risk.

The four-business-day clock for Item 1.05 disclosure begins when the company determines an incident is material. For a public company buyer completing an acquisition, any cyber incident discovered in the target's systems after closing must immediately enter the buyer's materiality assessment process, because a determination that the incident is material to the combined company triggers the four-business-day clock from the date of that determination, not from when the incident occurred. Integration plans that delay security information sharing between the target and the parent company until IT systems are merged can therefore expose the parent to an Exchange Act disclosure violation if an incident that should have been reported was not escalated promptly into the buyer's assessment process.

Buyers should also review whether the target's pre-close 8-K filing history includes any Item 1.05 disclosures, and if so, whether those disclosures were complete and timely. SEC staff have issued comment letters questioning the adequacy of Item 1.05 disclosures, and targets that received such comments may have unresolved disclosure issues that the buyer inherits as the successor reporting entity.

9. CIRCIA Reporting and Federal Contractor Overlays

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directed CISA to develop rules requiring covered entities in designated critical infrastructure sectors to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. CISA published its notice of proposed rulemaking in March 2024, and while final rules were not yet in effect as of the date of this guide, the rulemaking is proceeding and buyers acquiring companies in covered sectors must assess whether their targets will be subject to CIRCIA reporting obligations and whether the target's incident response procedures are designed to meet the proposed timelines.

The 16 critical infrastructure sectors designated by Presidential Policy Directive 21 include energy, financial services, healthcare and public health, information technology, transportation, water and wastewater, defense industrial base, and several others. A target company operating in any of these sectors may be a covered entity under CIRCIA, and the buyer's post-close compliance posture must account for CIRCIA reporting as a concurrent obligation alongside NYDFS 72-hour reporting, HIPAA 60-day notification, SEC Item 1.05 four-business-day disclosure, and applicable state breach notification requirements.

Federal contractors and subcontractors face additional cybersecurity obligations that are distinct from CIRCIA. CMMC (Cybersecurity Maturity Model Certification) requirements for defense contractors handling controlled unclassified information have been phased in under DFARS regulations, and targets that hold or are seeking DOD contracts must demonstrate CMMC compliance at the applicable level for the classified or controlled data they handle. A target whose CMMC self-assessment or third-party assessment is inaccurate or whose actual control environment does not match its CMMC certification level represents a significant regulatory exposure for the buyer, including potential False Claims Act liability if the inaccurate certification was used to obtain or maintain federal contracts.

FedRAMP authorization, when applicable to cloud service providers that serve federal agencies, presents similar issues: an authorization based on outdated or inaccurate security documentation is a regulatory liability that the buyer must investigate and remediate to protect both the customer relationship and the company's authorization status.

10. SOC 2, ISO 27001, and Independent Assurance Review

Independent assurance reports, including SOC 2 Type II reports issued under AICPA Trust Services Criteria and ISO 27001 certifications issued by accredited certification bodies, are among the most useful starting points for cyber diligence because they represent an external auditor's or certification body's assessment of the target's control environment. They are not, however, conclusive evidence of low risk, and the limitations of these reports must be understood before they are used to reduce the scope of independent technical review.

A SOC 2 Type II report confirms that the controls listed in the system description were in place and operating effectively during the audit period, which is typically six to twelve months preceding the report date. Several limitations are inherent in this scope. The auditor tests only the controls the service organization chose to include in its system description. The report is retrospective, so controls may have degraded since the audit period ended. The complementary user entity controls section of the report identifies controls that the vendor expects its customers to implement and that are not covered by the vendor's own controls, creating shared-responsibility gaps that a buyer integrating the vendor's services must close. And the trust services categories selected for the audit (security, availability, confidentiality, processing integrity, privacy) may not cover all risks relevant to the buyer's use case.

ISO 27001 certification indicates that an information security management system meeting the standard's requirements has been implemented and maintained, and that the certification body verified this through audit. Like SOC 2, the certification covers only the scope defined in the statement of applicability, which the company itself determines. A narrow scope that excludes key business units or data types may be technically compliant with the standard while leaving significant portions of the company's operations without systematic security governance.

The practical approach in diligence is to treat the SOC 2 report and ISO 27001 certificate as evidence that a baseline security program exists and to use the findings and exceptions in those reports as a roadmap for the technical assessment. A SOC 2 report with multiple qualified opinions or noted exceptions is a material red flag that warrants additional investigation, not a finding that can be accepted at face value because a third party reviewed it.

11. Penetration Testing, Red Team Exercises, and Diligence Sequencing

Penetration testing results are among the most candid security documents a target can produce, because a competent third-party pen test reports findings without the institutional filters that sometimes soften internal security assessments. The diligence request should ask for all penetration test and vulnerability assessment reports from the prior three years, along with the remediation tracking log showing which findings were addressed, at what priority level, and within what timeframe.

The pattern of findings and remediation matters as much as the findings themselves. A target that commissions annual pen tests, receives critical and high-severity findings, and remediates them within 30 to 60 days demonstrates a functioning vulnerability management program. A target that commissions periodic pen tests but whose remediation log shows that critical findings from two years ago remain unaddressed demonstrates either resource constraints, organizational dysfunction, or a security leadership team that is not empowered to drive remediation. The latter pattern is a material risk indicator regardless of the technical severity of the open findings.

Red team exercises, which simulate adversary behavior across the full attack lifecycle rather than testing specific vulnerability categories, produce even more informative results than standard pen tests and are increasingly common among mid-market companies that take security seriously. If the target has conducted red team exercises, the findings reports should be reviewed for evidence of successful lateral movement, credential harvesting, or data exfiltration that the security operations center failed to detect, because detection failures are as significant as the vulnerabilities exploited.

Whether buyers can conduct their own active penetration testing during the pre-close diligence period is a negotiated access question. Most sellers decline active testing pre-close due to operational risk, but buyers can request that the seller commission an independent test using a mutually agreed scope and share the results. When this approach is used, the confidentiality agreement should be structured to protect test findings and the contractual access rights should specify the testing firm's authorization to access target systems, which is legally necessary to avoid Computer Fraud and Abuse Act exposure for the testing firm.

12. Ransomware History and Ransomware Readiness

Ransomware has become a specific sub-category of cyber diligence inquiry because of its distinctive legal, financial, and operational consequences. A prior ransomware incident raises questions that do not arise in other security events: whether a ransom was paid, whether an OFAC sanctions screen was conducted before payment, whether the payment was reported to law enforcement, whether the threat actor actually deleted the exfiltrated data as promised, whether post-incident forensics confirmed full remediation of the access vector, and whether the incident triggered mandatory breach notification obligations that were or were not fulfilled.

On the OFAC sanctions issue, OFAC issued guidance in 2020 and 2021 making clear that companies that pay ransomware demands to sanctioned threat actors may face civil penalties even if the payer was unaware of the sanctioned status. Several major ransomware groups, including Evil Corp, have been designated SDNs, meaning payments to them are prohibited regardless of the circumstances. A target that paid a ransom to a group that was, at the time of payment, on the OFAC SDN list has potential sanctions exposure that the buyer inherits as a corporate successor. This exposure may not be cured by indemnification from the seller if the underlying violation is subject to strict liability enforcement.

Ransomware readiness for future incidents is assessed through a different set of diligence questions: whether the company maintains isolated, tested backups that are not accessible from the production network, whether it has a documented and tested incident response plan that includes a ransomware scenario, whether its cyber insurance policy covers ransomware payments and extortion demands, and whether it has a relationship with a cyber forensics firm that can be engaged within hours of a ransomware detection. A company that has never experienced ransomware but also lacks backups, incident response procedures, and a response retainer is carrying significant unmitigated risk that should be reflected in escrow sizing and closing conditions.

CIRCIA, once CISA's implementing rule is final, will require covered entities to report ransomware payments within 24 hours of payment and covered cyber incidents within 72 hours of a reasonable belief that one has occurred. Buyers whose targets operate in covered sectors should ensure that post-close incident response plans account for these clocks alongside NYDFS (72 hours for notice of a cybersecurity event, 24 hours for notice of an extortion payment) and other sector-specific requirements.

13. Vendor, SaaS, and Supply Chain Cyber Review

A target company's own security controls are only as effective as the controls maintained by the vendors and service providers to whom it has granted access to its systems, data, or networks. Supply chain attacks have become one of the most significant threat vectors in enterprise cybersecurity, demonstrated by events like the SolarWinds attack and the MOVEit data breach, in which a single vendor's compromised software or service exposed thousands of downstream customers. Buyers must assess not only the target's own security posture but the security posture of the target's most critical vendors and the contractual structure governing those relationships.

The vendor diligence review should begin with a tiered inventory of the target's technology vendors, ranked by the sensitivity of the data they access, the criticality of the services they provide, and the degree of network access they have been granted. Tier-one vendors, those with access to the most sensitive data or with the broadest network privileges, should be subject to the same scrutiny as the target's own control environment: current SOC 2 reports, completed vendor security questionnaires, contractual obligations regarding security standards and incident notification, and evidence of ongoing compliance monitoring.

Under GDPR Article 28, data processing agreements with vendors who process personal data on the controller's behalf must include specific mandatory terms, including the requirement that processors use the data only for the documented purposes, implement appropriate technical and organizational security measures, and notify the controller without undue delay upon becoming aware of a personal data breach. A target that has not executed compliant data processing agreements with its processors is in violation of GDPR regardless of the security quality of those processors, and remediation requires retroactive contracting with each processor before or as a condition to closing.

SaaS vendor access review should also include an audit of which SaaS applications have been granted OAuth access to the target's core identity provider or email environment. Over-permissioned SaaS integrations are a persistent attack vector that is frequently overlooked in both security programs and diligence reviews: a consented application holds its own refresh tokens, which are not invalidated by a user's password reset and are not subject to the user's MFA on each use, so a compromised or malicious integration is a standing foothold. The buyer's technical team should request a full inventory of SaaS applications with active integrations, including the scopes granted, whether consent was user-level or tenant-wide admin consent, the publisher's verification status, and last-use dates, and assess whether access scopes are consistent with business need.
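One way to run that review at scale, as an added example that is not code from the original page: take the identity provider's OAuth-grant export and classify each grant by the sensitivity of its scopes, whether it was admin-consented tenant-wide, whether it holds long-lived tokens, and whether it is still in use. The records below are constructed sample data, and the field names (app, scopes, consent, last_used, publisher_verified), the scope list and the 90-day staleness threshold are assumptions to be mapped onto whatever the tenant's export actually contains.

```python
"""Flag over-permissioned or stale OAuth grants in an identity-provider export.

Added example for the SaaS-integration review above; not code from the original
page. The records in SAMPLE_GRANTS are constructed, and their field names
(app, scopes, consent, last_used, publisher_verified) are an assumption: map
them onto the fields your tenant's OAuth/enterprise-app export actually has.
"""
from datetime import date, timedelta

# Scopes that expose whole mailboxes, file stores or directory writes.
# Illustrative Microsoft Graph and Google API scope names; extend per tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/admin.directory.user",
}
STALE_AFTER = timedelta(days=90)   # no sign-in for this long -> revocation candidate
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}
AS_OF = date(2026, 4, 1)           # assumed review date for the sample run


def is_tenant_wide(scope: str) -> bool:
    """Graph-style '.All' scopes reach every user's data, not just the grantor's."""
    return scope.endswith(".All")


def classify_grant(grant: dict, today: date) -> dict:
    """Return the grant's risk tier plus the human-readable reasons behind it."""
    scopes = set(grant["scopes"])
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    tenant_wide = sorted(s for s in scopes if is_tenant_wide(s))
    persistent = "offline_access" in scopes      # refresh token outlives the session
    last_used = grant.get("last_used")
    stale = last_used is None or (today - last_used) > STALE_AFTER

    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if tenant_wide and grant.get("consent") == "admin":
        reasons.append("admin-consented tenant-wide scopes: " + ", ".join(tenant_wide))
    if persistent and (risky or tenant_wide):
        reasons.append("offline_access with broad data scopes: tokens survive user logout")
    if (risky or tenant_wide) and not grant.get("publisher_verified", False):
        reasons.append("unverified publisher holds broad scopes")
    if stale:
        reasons.append("no sign-in in the last 90 days: candidate for revocation")

    if risky:
        tier = "high"
    elif tenant_wide or stale:
        tier = "medium"
    else:
        tier = "low"
    return {"app": grant["app"], "tier": tier, "reasons": reasons}


def audit_grants(grants: list, today: date) -> list:
    """Classify every grant and return findings ordered worst-first."""
    findings = [classify_grant(g, today) for g in grants]
    return sorted(findings, key=lambda f: (TIER_ORDER[f["tier"]], f["app"]))


# Constructed sample export (not real tenant data).
SAMPLE_GRANTS = [
    {"app": "Legacy CRM sync", "scopes": ["Mail.ReadWrite", "offline_access", "User.Read"],
     "consent": "admin", "publisher_verified": False, "last_used": date(2025, 11, 1)},
    {"app": "Calendar widget", "scopes": ["Calendars.Read", "User.Read"],
     "consent": "user", "publisher_verified": True, "last_used": date(2026, 3, 28)},
    {"app": "Org chart viewer", "scopes": ["Directory.Read.All", "User.Read"],
     "consent": "admin", "publisher_verified": True, "last_used": date(2026, 3, 30)},
    {"app": "Old expense tool", "scopes": ["User.Read"],
     "consent": "user", "publisher_verified": True, "last_used": None},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, AS_OF):
        print(f"[{finding['tier'].upper():6}] {finding['app']}")
        for reason in finding["reasons"]:
            print("         -", reason)
```

The output is a worst-first list the deal team can hand to the seller as a remediation request: high-tier grants are the ones to revoke or re-scope before closing, medium-tier grants are candidates for revocation on day one, and everything else is documented as consistent with business need.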

14. AI Model Training Data and Cyber Governance Review

Targets that develop, train, or deploy artificial intelligence models present a distinct category of cyber and data privacy diligence questions that go beyond the traditional security posture review. The legal and regulatory framework around AI is evolving rapidly, but several categories of liability are already sufficiently defined to require specific diligence inquiry in any acquisition involving AI assets.

Training data provenance is the first inquiry. AI models trained on scraped internet content, purchased data sets, or user-generated content may have been trained on data obtained in violation of copyright law, platform terms of service, or applicable privacy regulations. Litigation over AI training data use is active in multiple jurisdictions, and a target whose training data includes unlicensed copyrighted works or personal data collected without the requisite consent faces potential liability that the buyer will acquire. The diligence request should specifically ask for documentation of the source and licensing status of all training data sets used in models the company has developed or licensed.

Privacy compliance for AI training is a second distinct issue. If training data included personal information from individuals subject to GDPR, CCPA/CPRA, or HIPAA, the use of that data for AI training purposes may have required a separate legal basis, consumer notice, or opt-out mechanism that was not provided. GDPR Article 22 gives data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects; outside its narrow exceptions (necessity for a contract, explicit consent, or authorizing law), such processing is not permitted, and even within them the controller must provide safeguards including the right to human intervention, which many companies have not implemented. The EU AI Act, which entered into force on 1 August 2024 and imposes phased compliance obligations on AI systems by risk classification, will layer additional governance requirements onto AI systems that the target develops or deploys in the EU market.

Cyber governance of AI systems is a third inquiry. AI model weights, inference infrastructure, and training pipelines represent high-value assets that attract threat actor interest and require security controls appropriate to their sensitivity. Buyers should assess whether AI systems are protected by access controls equivalent to the controls applied to the most sensitive production systems, whether model weights are protected from exfiltration (which would allow a competitor or threat actor to replicate the model at no cost), and whether the AI development process includes security testing for adversarial attack vectors such as prompt injection, model poisoning, and membership inference.

15. Cyber Insurance: Coverage, Exclusions, and Tower Structure

Cyber insurance has become a near-universal component of enterprise risk management, but the coverage quality, exclusion structure, and limit adequacy of cyber insurance policies vary substantially across the market, and a policy that appears adequate on its face may provide materially less protection than the insured expects when a claim is submitted. The diligence review of the target's cyber insurance program should be thorough enough to inform both the purchase price allocation of insurance-related risk and the post-close insurance strategy.

The core components of a current cyber insurance policy include first-party coverages (business interruption loss, incident response costs, data restoration costs, and extortion coverage for ransom payments and negotiation costs) and third-party coverages (privacy liability, network security liability, media liability, and regulatory defense and penalties where insurable). The adequacy of limits for each coverage component should be assessed against the target's data footprint, revenue, and the historical cost of comparable incidents in its industry. An insurer's claims-paying history and financial strength rating are relevant considerations for programs with high limits where prompt payment of a large claim would be critical.

Exclusions are the most consequential provisions in any cyber policy and the most frequently misunderstood. Common exclusions include the war and hostile-acts exclusion (invoked for nation-state attacks; the NotPetya coverage disputes brought by Merck and Mondelez both settled rather than producing a definitive precedent, and the Lloyd's market has since required standalone cyber policies to carry an express state-backed cyber attack exclusion, so the exact wording in the target's policy matters more than the general label), the infrastructure exclusion (which may limit coverage for losses caused by failure of internet service providers or power grids), the prior acts or retroactive date exclusion (which limits coverage to incidents that first occur after a specified date), and the regulatory fine exclusion (which in some jurisdictions renders insurance coverage of regulatory penalties unenforceable as a matter of law). Buyers should have their insurance counsel specifically review the target's policy exclusions for each of these provisions.

The claims history under the target's policy is another key diligence document. A target that has filed multiple claims within recent policy years may face reduced limits, higher retentions, or non-renewal at the next policy term, affecting both the coverage available during the transition period and the buyer's ability to maintain comparable coverage for the combined entity.

16. Data and Cyber Representations and Warranties

The representations and warranties in the purchase agreement are the primary contractual mechanism through which buyers allocate cyber and data privacy risk to sellers. A well-drafted set of cyber and data representations is specific enough to capture the risks identified in diligence, broad enough to cover categories of risk that diligence may not have fully illuminated, and structured with appropriate survival periods and indemnification caps that reflect the regulatory enforcement timelines applicable to the most serious potential exposures.

A standard set of data and cyber representations should address at minimum: the accuracy of the target's privacy policies and their compliance with applicable law, the existence and adequacy of the target's security program, the absence of any material security incident within a specified lookback period (typically three to five years), compliance with applicable data protection laws including GDPR, CCPA/CPRA, HIPAA, GLBA, and NYDFS 500 as applicable, the existence of compliant data processing agreements with all required vendors, the accuracy of the target's representations to its own customers regarding data security and privacy practices, and the absence of any pending or threatened regulatory investigation, audit, or enforcement action relating to cybersecurity or data privacy.

Sellers will push for qualifications on these representations, including knowledge qualifiers (limiting the representation to matters of which the seller has knowledge), materiality qualifiers (limiting the representation to material incidents or material violations), and disclosure schedule qualifiers (carving out items disclosed in the data room). Buyers should resist overly broad knowledge qualifiers because cyber incidents are often unknown to management precisely when they are most severe, resist materiality qualifiers on the incident representation because the materiality threshold is often disputed post-close, and carefully review disclosure schedules to ensure that any disclosed incidents are accompanied by sufficient remediation documentation to assess residual risk.

The survival period for cyber representations should extend at least as long as the applicable limitations period for regulatory enforcement actions in the most significant applicable jurisdiction. GDPR itself sets no limitations period for administrative fines; that is left to member-state law, and several member states (Germany and Spain, for example) apply a three-year period to the most serious violations, while many U.S. state consumer protection laws allow three to five years from the violation. Standard survival periods of 18 to 24 months may not be adequate for regulatory exposures that could be discovered by a regulator years after closing.

Negotiating Cyber Reps and Indemnity Structures?

Acquisition Stars drafts and negotiates data and cyber representations, escrow holdback structures, and indemnification caps that reflect the specific risk profile of each transaction. The goal is protection that matches actual exposure, not boilerplate.

17. Escrow, Indemnity, and Cap Sizing for Cyber Exposures

Sizing the indemnification obligation and escrow holdback for cyber risks requires translating diligence findings into quantified risk estimates, which is a discipline that combines legal analysis of applicable regulatory penalties, actuarial modeling of breach costs, and judgment about the probability that identified gaps will manifest as actual losses. Generic indemnification caps and standard escrow percentages derived from market practice in non-cyber transactions are insufficient when the diligence has identified specific, material cyber exposures.

The starting point for sizing is the cost model for the specific exposures identified. GDPR administrative fines can reach four percent of global annual turnover or EUR 20 million, whichever is higher, for the most serious violations, and two percent or EUR 10 million for less severe ones. State attorney general investigations and class action settlements in data breach cases have reached hundreds of millions of dollars for breaches affecting large consumer populations. Ransomware recovery costs, including forensics, system restoration, legal counsel, and notification, regularly exceed seven figures for mid-market companies. Remediation of a material compliance gap, such as the retroactive implementation of GDPR-compliant data processing agreements across a large vendor ecosystem, carries both direct implementation cost and regulatory risk during the remediation period.

The standard indemnification cap in a middle-market transaction (commonly 10 to 15 percent of purchase price) is frequently insufficient to cover the tail risk of a major data breach regulatory action, particularly for targets with large consumer data populations or operations in high-fine jurisdictions. Buyers should consider negotiating a specific cyber carve-out from the general indemnification cap, with a separate higher cap applicable to claims arising from breaches of the data and cyber representations. An additional separate escrow specifically funded to cover cyber claims, held for a period aligned with the applicable regulatory enforcement statute of limitations, provides a more targeted protection structure than a general indemnification holdback that is depleted by unrelated claims.

Where specific cyber exposures are identified during diligence, the most direct approach is to negotiate a specific remediation obligation as a closing condition (requiring the seller to cure the identified gap before closing) or a specific indemnification obligation (treating the identified issue as a known liability with specific escrow funding), rather than relying on the general representations and warranties framework to provide after-the-fact recovery.

18. R&W Insurance Treatment of Cyber and Data Privacy

Representations and warranties insurance has become a standard component of private M&A deal structure for transactions above a certain size threshold, and buyers increasingly look to R&W insurance as a substitute for seller indemnification rather than a supplement to it. The role of R&W insurance in covering cyber and data privacy representation breaches is significantly more limited than buyers often appreciate, and understanding those limitations before the insurance is placed is essential to avoiding a gap in protection.

The most significant limitation is the known loss exclusion, which is present in virtually every R&W policy. The known loss exclusion bars coverage for any matter that the insured had actual knowledge of at the time the policy was bound. Because cyber diligence is specifically designed to identify gaps and risks, any cyber finding documented in the diligence report becomes a known matter that is excluded from coverage. This creates a perverse incentive that buyers must resist: the temptation to limit the depth of cyber diligence to preserve R&W coverage. That approach trades a broader insurance policy for a higher actual risk exposure, and it is not a sound risk management strategy.

Beyond known losses, R&W underwriters typically impose sublimits on claims arising from data privacy and cybersecurity representation breaches, reflecting their own experience with the frequency and severity of post-close cyber claims. Sublimits of 20 to 30 percent of the total policy limit are common, and in transactions involving healthcare, financial services, or other high-data-sensitivity targets, underwriters may require cyber-specific representations to be backed by separate indemnification rather than R&W coverage. GDPR and other regulatory fines are often expressly excluded from covered losses, either through a blanket regulatory penalty exclusion or a specific jurisdiction exclusion.

Buyers relying on R&W insurance as their primary protection for cyber risk should specifically negotiate with the underwriter for the broadest available cyber sub-coverage during the policy placement process, review all cyber-specific exclusions before binding, and plan to supplement R&W coverage with escrow holdback or seller indemnification for identified risks that fall within the exclusions. Cyber-specific R&W insurance riders are available in some markets and may be worth exploring for transactions where cyber is a particularly significant risk category.

19. Purchase-Agreement Efforts Covenants and Pre-Closing Access

The period between signing and closing a transaction is often three to six months, during which the target continues to operate its business under the ordinary course covenant. For cyber risks, this period is an opportunity to require remediation of identified findings before the buyer assumes ownership, and the purchase agreement should include specific pre-closing covenants tailored to the cyber risk profile identified in diligence.

Pre-closing remediation covenants in the cyber context come in three grades. A best efforts covenant is the most demanding efforts standard: the seller must do whatever is reasonably within its power to remediate the identified findings before closing, and sellers usually resist it because its outer boundary is uncertain. A commercially reasonable efforts covenant, the more common formulation, requires the seller to take the steps a reasonable party in its position would take to close the identified gaps within the pre-close window, and is typically paired with a buyer right to waive the shortfall or take a price reduction if remediation is incomplete. A specific covenant, the most protective structure, lists the findings by category or severity, requires the seller to complete defined remediation actions by a specified pre-close date, and makes completion a condition to the buyer's obligation to close.

Access rights during the pre-closing period are a negotiated point that affects the buyer's ability to monitor the seller's remediation progress and to continue its cyber assessment. The purchase agreement should specify whether the buyer's technical team has the right to conduct follow-up interviews with the target's security team, review updated documentation as remediation is completed, and conduct a pre-close validation assessment verifying that the agreed remediations are in place. Without contractual access rights, the buyer has no mechanism to verify that represented remediations were actually completed before the indemnification obligations are set at closing.

The ordinary course covenant also creates risk in the cyber context: sellers are typically required to maintain the business in the ordinary course without material changes to operations, which may restrict their ability to undertake major security infrastructure changes between signing and closing. The purchase agreement should include a carve-out from the ordinary course covenant permitting the seller to implement specific security remediations identified by the buyer, so that the obligation to remediate is not in conflict with the obligation to maintain ordinary course operations.

20. Day-One Integration Controls and Ongoing Compliance

The day on which the transaction closes is when cyber risk management becomes a fully operational, not merely a diligence, discipline. The technical and legal vulnerabilities identified during diligence do not disappear at closing. They become the buyer's operational challenges, and the window between closing day and the completion of IT integration is the period of highest inherited risk because security controls have not yet been unified, monitoring coverage may have gaps at the boundary between the buyer's network and the acquired entity's network, and incident response procedures have not yet been fully extended to cover the acquired operations.

Day-one integration controls should be planned and tested before closing. The buyer's incident response retainer should be extended to cover the acquired entity effective on the closing date. The buyer's endpoint detection and response tools should be deployed to the acquired entity's critical systems on day one, not at the end of the integration timeline. The acquired entity's security logging should be integrated into the buyer's security operations center monitoring on day one so that incidents in the acquired network are detected by the same procedures and personnel that cover the rest of the buyer's environment. And a clear internal escalation procedure should be communicated to both the acquired entity's security team and the buyer's team before closing, so that the first incident is handled according to a defined process rather than improvised.

Ongoing compliance after integration requires tracking the diligence findings through to full remediation. The diligence findings report should be converted into a remediation project plan with assigned owners, completion dates, and verification steps, and that plan should be tracked at the CISO and legal levels as an integration milestone with the same rigor applied to financial system integration or workforce integration. Regulatory compliance obligations identified in diligence, including GDPR's periodic obligations (maintaining records of processing, reviewing data protection impact assessments, and regularly testing security measures under Article 32), NYDFS annual certification, HIPAA risk assessment updates, and state breach notification law updates, should be calendared and assigned to appropriate legal and compliance personnel within the combined organization.

For public company acquirers, the Item 106 disclosure in the next annual Form 10-K must accurately describe the cybersecurity risk management processes of the combined entity, including any material changes resulting from the acquisition. If the acquired business introduced new data types, new regulatory obligations, or new supply chain risks that are not reflected in the current Item 106 disclosure, those must be reflected in the updated annual disclosure. The acquisition is itself a material change in the company's cybersecurity risk profile that Item 106 requires to be described accurately.

Frequently Asked Questions

How long does a thorough cyber diligence workstream take in a typical M&A transaction?

In a middle-market acquisition, a properly resourced cyber diligence workstream typically requires six to ten weeks from data room access to a written findings report that counsel and the deal team can act on. The first two weeks are consumed by document review: policies, incident logs, audit reports, vendor contracts, and insurance certificates. Weeks three through five involve technical assessment, which may include active scanning or interview-based review depending on access rights. Weeks six through eight are reserved for findings synthesis, legal mapping to applicable privacy and security regimes, and quantification of remediation costs and residual risk; where the timeline allows, the remaining weeks are used for follow-up requests on open items and a validation pass on any remediation the seller has already started. Transactions with compressed timelines or targets in highly regulated industries (healthcare, financial services, defense) should budget additional time or accept a higher residual risk posture at closing.

What happens if an undisclosed data breach is discovered after closing?

The consequences of discovering an undisclosed breach post-closing depend on the representations and warranties in the purchase agreement and whether the breach constitutes a material adverse effect. If the seller represented that no material security incidents had occurred within a defined lookback period and that representation was false, the buyer may have an indemnification claim for breach of representation. If the breach triggers mandatory notification obligations under applicable state or federal law, the buyer as the new owner of the business will bear primary compliance responsibility and face regulator scrutiny for notification timing. In transactions covered by R&W insurance, the buyer should notify the insurer promptly upon discovery, as late notice can prejudice coverage. Counsel should also analyze whether the undisclosed breach gives rise to a fraud claim separate from the contractual indemnification framework, which would survive the survival period caps applicable to representation breaches.

When does the SEC's Form 8-K Item 1.05 require disclosure of a cyber incident discovered after a deal closes?

For public company acquirers, Form 8-K Item 1.05 requires disclosure of a material cybersecurity incident within four business days of the company determining that the incident is material, regardless of whether the incident originated at the acquired target or in the acquirer's own systems. The rule also requires that materiality determination to be made without unreasonable delay after discovery, so the four-day clock cannot be deferred by leaving the determination open. If an acquirer discovers post-close that the target suffered a significant breach before the transaction, the acquirer must assess whether the financial impact, operational disruption, or reputational consequences of that breach are material to the acquirer as a combined entity and, if so, file an 8-K within the four-business-day window. The disclosure must describe the nature, scope, and timing of the incident and its material impact or reasonably likely material impact. Acquirers that delay disclosure after forming the materiality determination, or that unreasonably delay forming it, face SEC enforcement exposure.

How do R&W insurance policies treat cyber and data privacy risks?

Most R&W insurance policies in the current market contain express exclusions for known cyber incidents, meaning any breach or security event that appeared in the diligence process or that the insured had actual knowledge of at policy inception will not be covered. Beyond known matters, insurers increasingly impose sublimits on data privacy and cyber representation breaches, often capping cyber-related R&W coverage at a fraction of the overall policy limit. Some policies exclude GDPR or CCPA regulatory fines from covered losses entirely, on the theory that regulatory penalties are not insurable under applicable law. Buyers relying on R&W insurance for cyber risk mitigation must read the exclusions carefully and consider whether to supplement R&W coverage with a standalone cyber insurance policy, a negotiated indemnity from the seller, or an escrow holdback specifically sized for cyber exposures identified during diligence.

Is it legal to pay a ransomware demand, and how does that affect an M&A transaction?

Whether a ransomware payment is lawful depends on the identity of the ransomware operator. The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) prohibits payments to individuals or entities on the Specially Designated Nationals list and certain blocked countries, and several ransomware groups have been designated as SDNs. A payment to a designated group violates OFAC regulations regardless of intent, and the victim company bears the risk of enforcement. In an M&A context, a target that made a prior ransomware payment without conducting an OFAC screen may have violated sanctions law, creating regulatory exposure that the buyer inherits unless it negotiates specific indemnification. Buyers should request documentation of all prior ransomware incidents, any payments made, and whether an OFAC sanctions screen was performed before payment was transmitted.

If a target is subject to both GDPR and CCPA, which privacy regime takes priority in diligence?

Neither GDPR nor CCPA takes categorical priority. The two regimes apply based on distinct jurisdictional triggers: GDPR reaches controllers and processors established in the EU and, under Article 3(2), non-EU entities that offer goods or services to, or monitor the behaviour of, data subjects in the EU, while CCPA/CPRA reaches businesses meeting its revenue or data-volume thresholds that process California residents' personal information. A target with European customers and California consumers must therefore comply with both concurrently. Diligence should map each regime independently: GDPR diligence focuses on lawful basis documentation, data processing agreements with vendors, cross-border transfer mechanisms (Standard Contractual Clauses or adequacy decisions), data subject rights procedures, and Data Protection Officer appointment where required. CCPA/CPRA diligence focuses on consumer rights request infrastructure, the opt-out mechanism for sale or sharing of personal information, employee and contractor data handling, and contractual compliance with service providers. Gaps in either regime represent independent regulatory risk and should be reported separately in the cyber diligence findings.

Can a buyer conduct penetration testing on the target during the diligence period?

Buyers can request penetration test results as part of document-based diligence without conducting their own live testing, and most experienced sellers will have recent third-party pen test reports available. Whether a buyer can conduct independent active penetration testing during the diligence period depends entirely on the terms of the confidentiality agreement and any access rights negotiated in the letter of intent or purchase agreement. Most sellers resist granting active pen-test access pre-signing because it creates operational risk and could surface findings that complicate the deal. The practical compromise is to request the most recent third-party pen test report and remediation log, require the seller to commission a fresh test if the existing report is more than twelve months old, and condition a portion of the purchase price on satisfactory remediation of critical and high-severity findings before closing.

How does cyber insurance tail coverage work after a transaction closes?

When a target company is absorbed into a buyer's corporate structure, the target's standalone cyber insurance policy typically ceases to cover incidents that began before closing but are discovered afterward, unless the policy contains an extended reporting period (tail) endorsement. A tail endorsement extends the reporting window under the seller's pre-closing policy for a negotiated period, commonly 12 to 36 months, allowing claims arising from pre-closing incidents to be submitted after the policy's expiration date. Buyers should negotiate for the seller to purchase a tail endorsement as a closing condition and should confirm that the tail period covers the applicable statutes of limitations for regulatory investigations and class actions that could arise from a pre-closing breach. The cost of a tail endorsement is typically borne by the seller and should be factored into the seller's closing cost budget.

What issues arise when a target's AI models were trained on third-party or user-generated data?

AI models trained on third-party data raise at least three distinct legal issues in M&A diligence. First, ownership: if the training data was scraped from publicly available sources or obtained from data brokers, the buyer must assess whether the data was used in compliance with the source's terms of service and applicable copyright law, given pending and settled litigation over unauthorized AI training data use. Second, privacy compliance: if the training data included personal information from individuals who did not consent to AI training use, the training practice may have violated GDPR, CCPA, or HIPAA depending on the nature of the data. Third, output liability: models trained on biased or unlawfully obtained data may generate outputs that create discriminatory impact claims or intellectual property infringement exposure. Each of these issues represents a form of contingent liability that the buyer acquires and that should be addressed in the cyber and IP representations, escrow sizing, and pre-closing remediation planning.

Does SOC 2 Type II certification mean a vendor poses low cyber risk?

A SOC 2 Type II report is an auditor's attestation under AICPA standards, not a certification, and the distinction matters: it states the auditor's opinion that the controls the service organization chose to describe operated effectively over the audit period for the trust services criteria in scope (security, availability, processing integrity, confidentiality, or privacy), and nothing more. It does not mean the vendor poses low residual cyber risk. SOC 2 audits test the controls the service organization selected to include in its system description, which are not necessarily comprehensive against current threat vectors. The audit period is historical, typically six to twelve months preceding the report date, so a vendor's control environment may have deteriorated after the report was issued. During M&A diligence, buyers should obtain SOC 2 Type II reports for all critical vendors, read the auditor's exceptions and qualifications, review the complementary user entity controls the vendor expects the client to implement, and assess whether the vendor's control scope covers the data types and processing activities most relevant to the target's business. A clean SOC 2 report is a floor, not a ceiling, for vendor cyber risk assessment.

What should an incident response playbook integration look like on day one after closing?

Day-one incident response integration requires four elements to be in place before the transaction closes. First, the buyer's incident response retainer must be extended to cover the acquired entity, so that the buyer's outside forensics and legal counsel are authorized to respond to incidents at the target from the moment of closing. Second, the target's reporting chain for security events must be mapped to the buyer's internal escalation procedures, so that target employees know who to call and in what sequence when an incident is detected. Third, the target's notification obligations under applicable state breach notification laws, HIPAA, GDPR, and any sector-specific regimes must be documented and incorporated into the buyer's breach response calendar, since notification deadlines begin running from discovery, not from closing. Fourth, the buyer's general counsel and CISO must jointly approve a day-one incident response communication template that reflects the combined entity's legal obligations, so the first post-close incident is handled consistently with the buyer's regulatory posture.

When can a company delay breach notification under state breach notification laws?

Most state breach notification statutes permit delay when a law enforcement agency determines that notification would impede a criminal investigation and provides the company with a written request to defer notification for a specified period. This law enforcement delay exception is the primary statutory basis for postponing notification beyond the standard deadline, which ranges from 30 days under some state statutes (Florida, Colorado, and others) to 72 hours under GDPR and HIPAA breach reporting rules. Some states also permit a short safe harbor for the time needed to determine the scope of the breach and identify affected individuals, but this period is not open-ended, and regulators have taken enforcement action against companies that treated it as permission to conduct extended internal investigations before notifying. In an M&A context, a target company that is delaying notification under a law enforcement request at the time of closing must disclose that fact to the buyer, and the parties must negotiate responsibility for the eventual notification, its associated costs, and the regulatory response.

Related Practice Areas

Our attorneys handle M&A transactions and securities matters nationwide. Alex Lubyansky leads every engagement personally.

Counsel for Buyers and Sellers Navigating Cyber Diligence

Acquisition Stars structures cyber diligence workstreams, maps regulatory exposure across every applicable privacy regime, and negotiates the representations, escrow holdbacks, and indemnification frameworks that protect buyers when gaps are found. Contact us to discuss your transaction.

26203 Novi Road Suite 200, Novi MI 48375 • 248-266-2790 • consult@acquisitionstars.com
