M&A Cyber Diligence for Private Equity: The Complete 2026 Guide
The definitive 2026 guide to M&A cyber and tech diligence for mid-market PE: pre-LOI signals, full-scope diligence, carve-out separation, post-close integration, and the 21-day Securem method.
Why mid-market deal teams underprice cyber diligence The structural reason mid-market deal teams underprice cyber diligence is that the diligence stack was designed in an era when cyber was an IT problem and IT was a back-office problem, and the diligence stack has not been rebuilt since. Financial diligence has a hundred-year intellectual tradition, commercial diligence has a forty-year tradition, and quality-of-earnings has a thirty-year tradition that the deal team has internalized to the point that a clean QofE is a precondition to the partner meeting. Cyber diligence, by contrast, is roughly fifteen years old as a discipline, was originated by the same Big Four firms that already owned the financial diligence relationship, and was priced as an add-on to a deal team that had no budget line for it. The result is that the cyber diligence engagement is typically a fixed-fee deliverable of forty to eighty pages, produced in two to three weeks, by a team that does not see the target's environment, does not interview the target's IT lead, and does not test a single control. The deliverable is a posture report against a framework, not an assessment of risk against the thesis. The economic consequence of underpriced cyber diligence is that the cost of a missed finding does not show up in the deal model. The cost shows up in year one of the hold period, on the operating partner's P&L, as an integration line item that was not budgeted, or in year three as an incident-response invoice that lands on a Friday. Across the engagements we have run in the last four years on mid-market PE targets in the seventy-five-million to four-hundred-million enterprise-value range, the median post-close cyber integration cost has been roughly four times the diligence-phase estimate, and the modal cause has been a finding that was visible in the data room and was not flagged because the diligence team was running a framework checklist instead of a risk inquiry. The diligence dollars protect the IRR; the integration dollars erode it. The math is unforgiving and it does not appear in any deal model we have ever been shown. The IRR erosion compounds when the post-close incident arrives. A mid-market portfolio company at one hundred fifty million in revenue that suffers a credential-stuffing incident or a business-email-compromise event in year two of the hold period typically loses two to four points of EBITDA in the trailing twelve months, partly to the incident response invoice itself, partly to the regulatory and customer-notification work, partly to the cyber insurance retention, and partly to the management distraction during the response. On a five-times multiple at exit, a two-point EBITDA hit erodes ten percent of enterprise value before the buyer-side diligence even begins to apply its own posture discount. The same incident, identified in the twenty-one-day diligence window before close, would have shown up as a price reduction of perhaps half a million dollars or as a specific indemnity in the purchase agreement. The sponsor's choice is between negotiating the finding pre-close on the seller's nickel, or absorbing it post-close on the portfolio company's nickel. The diligence team that does not surface it forces the second choice on the sponsor without telling them. The rep-and-warranty insurance market has noticed. Five years ago, an R&W policy on a mid-market deal typically included cyber coverage as part of the general representations, with a modest exclusion for known issues. Today, every R&W carrier we work with, AIG, Beazley, Euclid, Tokio Marine HCC, Aspen, runs a separate cyber underwriting workstream that explicitly reviews the cyber diligence report, asks for specific representations on MFA coverage, EDR deployment, backup posture, and incident history, and writes specific exclusions for any area the diligence did not adequately cover. The policy that the deal team thought they were buying is not the policy that closes. A diligence team that produces a thin posture report against a framework gets a thick exclusion schedule from the underwriter, and the sponsor discovers in the second week of integration that the cyber risk they thought was insured is, in fact, on their balance sheet. The founder-credential problem is the underpriced finding that we surface most often, and it is the cleanest example of why a framework-checklist diligence misses what matters. In the typical founder-owned mid-market target, the founder is or recently was the global administrator of the Microsoft 365 tenant, the AWS root account, the Stripe account, the bank portal, the domain registrar, and the cyber insurance policy. The founder may have rotated some of those credentials at the request of an IT consultant in the past three years, but at least three of them are still in the founder's personal password manager, on a personal device, with no MFA enforcement and no shared visibility for the new sponsor's IT or finance team. The diligence framework does not ask about founder credentials because the framework was written for an enterprise that does not have founders. The risk lives precisely where the framework does not look, and the post-close discovery that the founder still holds the root credentials to the AWS account is the most common reason a sixty-day cyber integration becomes a hundred-and-twenty-day cyber integration. We address this in detail in the carve-out tech diligence field guide. The diligence shape that survives the partner meeting The cyber diligence engagement that survives the partner meeting looks different from the cyber diligence engagement that produces a forty-page framework report. The first difference is that the senior advisor is on the diligence call, not the proposal call. We do not staff a junior analyst to the engagement and review the deliverable at the end; the partner-level advisor reads the data room, interviews the target's IT lead, walks the environment with the seller, and writes the report. This is not a marketing claim, it is a structural decision about how the diligence is sequenced. The risk inquiries that matter, founder credentials, vendor BAA chains, prior-incident posture, identity sprawl, financial-system auth, require the judgment of someone who has run the question fifty times before, not the framework recall of someone who has run it three times. The senior advisor on the call is a precondition to the diligence being useful, not a premium add-on for the engagement. The second difference is that the NDA precedes the data room, and the diligence team writes the NDA. A standard target NDA written by the seller's counsel will typically permit a posture review and prohibit the testing, scanning, or environmental access that produces an actionable diligence finding. The deal team that signs the seller's NDA without modification has agreed in advance that the diligence will produce a paper exercise. We negotiate the NDA addendum that permits, at minimum, a read-only review of the target's IdP (typically Microsoft Entra ID or Okta), a read-only review of the cyber insurance policy and the prior three years of claims history, a read-only review of the EDR console, and a documented interview with the target's IT lead, the target's MSP if one exists, and the target's cyber insurance broker. The addendum is not aggressive; it is the floor at which the diligence produces useful findings. Sellers and seller's counsel typically agree to it when the request is framed as protecting the R&W policy. The deal team that does not ask for the addendum has accepted the seller's framing of the diligence on the first phone call. The third difference is the twenty-one-day window. Mid-market deals run on a diligence calendar that gives cyber roughly four to six weeks between the data room opening and the diligence committee meeting. The full Securem diligence runs in twenty-one calendar days from data room access to written report, which is faster than the typical Big Four engagement (six weeks) and slower than the typical boutique engagement (ten business days). The twenty-one-day window is not a marketing claim, it is the cycle time that lets the senior advisor do the work properly: the first four days are inventory, the next five are control assessment, the next five are vendor and SaaS audit, the next four are incident and insurance review, and the last three are report writing with cost ranges and integration plan. The cycle is described in full in the twenty-one-day field guide, and is summarized in section four of this guide. The window matters because it lets the cyber diligence finish ahead of the QofE and the legal diligence, which means the findings can be reflected in the purchase agreement, the disclosure schedules, and the R&W policy negotiation rather than discovered after the agreements are signed. The five questions the diligence has to answer are the questions the partner meeting will ask. We have run this list across enough engagements that the order is stable, and the order is not arbitrary; it reflects which questions most often surface the integration cost that destroys the IRR. The first question is cyber posture. What is the target's actual control coverage, not against a framework, but against the threats the target actually faces, given its industry, its customer base, and its prior incident history? This is not a maturity score and it is not a heat map. It is a one-page table of the eight controls that matter most for an entity of this size in this vertical (MFA on the IdP, MFA on financial systems, EDR deployment percentage, backup posture and tested restore, dormant-account hygiene, third-party access inventory, vendor BAA chain, incident response retainer), with a current-state assessment, a target-state recommendation, and a cost-to-close range. The partner meeting needs the table, not the framework report. The second question is cloud and application inventory. What is the actual surface area of the target's environment, every cloud account, every SaaS subscription, every on-premises system, every internet-facing asset? The target's CFO will produce a list; the actual inventory is typically thirty to fifty percent larger. The gap is the integration cost. We produce the gap, not the CFO's list. The third question is vendor and SaaS sprawl. How many vendors does the target actually pay, how many of them have access to customer data or financial systems, how many of them have a current contract and a current BAA where required, and how many of them are duplicates of vendors the sponsor's portfolio already uses? The rationalization is the cleanest one-year cost takeout in the integration model, and it requires the data from the diligence to be actionable in the first ninety days. The fourth question is founder credentials. What administrative credentials does the founder, the founder's spouse, the founder's prior CTO, or the founder's MSP currently hold to systems that the post-close entity will operate? The question is not in any framework. The answer is in every diligence we have ever run on a founder-owned target. The fifth question is incident history. What has actually happened in the target's environment in the past three years, every confirmed incident, every reported near-miss, every cyber insurance claim, every customer-facing notification, every regulatory inquiry, every law-enforcement contact? The answer is the most reliable predictor of what will happen in the next three years, and the answer is rarely complete in the data room without specific inquiry. The diligence team that does not ask the founder directly does not get the answer. The diligence shape that produces actionable answers to these five questions in twenty-one days, with the senior advisor on the call and the NDA addendum in place, is the diligence shape that survives the partner meeting. It is also, in our experience, the only shape that produces a finding the deal team can negotiate with the seller before the agreements are signed. Pre-LOI diligence signals The diligence engagement formally begins when the data room opens, but the diligence inquiry begins as soon as the target is identified, and the signals available before the data room opens are often more revealing than the signals inside it. The deal team that waits for the data room has accepted a one-sided view of the target, the view the seller wants to project. The deal team that runs the pre-LOI inquiry in parallel with the commercial diligence sees the same target through three or four independent lenses, and the convergence (or divergence) of those lenses is itself a diligence finding before any framework is applied. The first pre-LOI signal is public breach disclosure. Every US-domiciled entity above a regulatory or contractual threshold has a published trail of cyber disclosures, SEC filings for public companies and certain private debt issuers, state-attorney-general notifications for breaches involving residents of the relevant state, HHS Office for Civil Rights "wall of shame" entries for HIPAA-covered entities and business associates, and increasingly, voluntary CISA disclosures under the CIRCIA framework. The disclosures are aggregated and searchable. A target that has filed a Form 8-K under the SEC's cybersecurity disclosure rules, or that appears on the OCR public breach list, has a finding the data room will minimize. The pre-LOI search is mechanical, takes an analyst two hours, and produces the most reliable single signal of cyber posture risk we have found in the mid-market. The second pre-LOI signal is the target's response to inbound security questionnaires. Every mid-market entity above the SMB threshold has answered at least one customer security questionnaire, a SIG, a CAIQ, a vendor risk assessment, a HIPAA business-associate inquiry, in the past three years, and the responses live in the target's CRM, in the customer's vendor management system, and often in a shared Google Drive that the founder set up and forgot. The diligence team that asks the target's sales lead for the three most recent security questionnaires answered for the target's largest customers will get a richer view of the actual control posture than a framework checklist can produce, because the questionnaire forced the target to make specific, documented attestations to customers who have contractual recourse if the attestations are wrong. The questionnaires are available; the deal team has only to ask. The third pre-LOI signal is the public-rating profile. The major cyber ratings services, BitSight, SecurityScorecard, UpGuard, RiskRecon, publish letter-grade or numeric scores for almost every mid-market entity with an internet-facing footprint. The ratings are imperfect: they over-weight perimeter signals (open ports, expired certificates, exposed services) and under-weight internal control posture, and they cannot see anything inside the target's identity provider or financial systems. But the ratings are a useful negative filter. A target with an F rating from BitSight has perimeter hygiene problems that the data room will minimize and that the post-close integration team will inherit. A target with an A rating has done at least the basic work of attack-surface management, which is itself a posture signal. The diligence team that pulls the ratings before the LOI has a baseline against which to read the data room. The fourth pre-LOI signal, and the one we weight most heavily, is the target's open job postings. A target that has posted a CISO requisition in the past ninety days, or a Director of Information Security, or a Manager of Security Operations, has acknowledged a gap that the data room will not. The signal is stronger if the requisition has been open for more than sixty days, which suggests a hiring difficulty in a market that is otherwise hiring well, and stronger still if the requisition is for a role the target does not currently staff at all. We have seen targets close the CISO requisition the week the data room opens; the requisition is recoverable from cached job-board snapshots, and the seller's representation that "we have a head of security" needs to be read against the cache. The same logic applies to compliance, GRC, and IT-operations roles. The hiring pattern is the most honest disclosure the target makes. The fifth pre-LOI signal is the litigation and regulatory inquiry record. PACER, state-court records, and the relevant industry regulator's enforcement database typically surface any cyber-related civil action, regulatory consent order, or active investigation involving the target. The signal is more reliable for regulated industries (financial services, healthcare, education) than for unregulated ones, but the inquiry is cheap and the absence of a finding is itself informative. A target with three pending civil actions tied to a 2023 incident has a posture story that the data room will not lead with. The pre-LOI inquiry can be completed in roughly one analyst-week, costs the diligence team essentially nothing once the workflow is built, and produces a baseline that lets the deal team enter the data room with informed questions rather than a clean slate. The deal team that does not run it is starting the diligence two weeks behind a competing bidder that does. We address the operational mechanics in the M&A diligence practice page and the broader pre-LOI signal stack in the twenty-one-day field guide. Full-scope diligence: the 21-day Securem method The full-scope diligence is structured as a twenty-one-calendar-day engagement, sequenced so that each phase produces an artifact the next phase depends on, and so that the report lands ahead of the QofE and the legal diligence rather than after them. The sequencing is not arbitrary; it reflects which findings most often shift the deal terms and which can wait until post-close. Days one through four: inventory. The first phase is mechanical. We pull every list the target can produce, employee roster from HR, identity roster from the IdP, device roster from the MDM or RMM, vendor roster from accounts payable, SaaS roster from the SSO catalog, customer roster from the CRM, contract roster from the CLM, and reconcile them against one another. The reconciliation is a series of joins that produces three artifacts: a master inventory of every system, identity, vendor, and customer relationship the post-close entity will inherit; a list of every discrepancy between the lists (the dormant accounts, the unowned service accounts, the vendors without contracts, the customers without signed agreements); and a list of every system the target operates that does not appear on any list at all (the shadow IT, the founder's personal AWS account, the spreadsheet that runs the commission calculation). We have never run this phase on a mid-market target without finding at least one system in the third bucket that is material to the operating model. The inventory phase is the precondition to every subsequent phase, and the deal team that skips it has accepted the seller's representation of the surface area as the surface area. Days five through nine: control assessment. The second phase tests the actual control posture against the eight controls that matter most for the target's size and vertical. The eight controls are not a framework, they are the answer to the question "what would the cyber insurance underwriter ask on the renewal call?" and they are: MFA enforcement on the IdP (coverage percentage, factor strength, fallback method); MFA enforcement on the financial systems (ERP, AP automation, corporate card, bank portal, payroll); EDR deployment on endpoints (coverage percentage, configuration baseline, alerting integration); backup posture with tested restore (frequency, retention, immutability, last successful restore date); dormant-account hygiene at the IdP (count, last-login distribution, named-owner percentage for service accounts); third-party access inventory (count of external identities, contract status, last-access date); vendor BAA chain for regulated verticals (count of vendors handling regulated data, BAA coverage, change-of-control language); and incident response readiness (named IR retainer, tabletop exercise in past twelve months, written IR plan tested in past twelve months). Each control gets a current-state assessment, a target-state recommendation, and a cost-to-close range. The phase ends with a one-page table that the deal team can put in front of the operating partner without translation. Days ten through fourteen: vendor and SaaS audit. The third phase takes the vendor list from phase one and the control assessment from phase two and produces the vendor rationalization plan. The plan has three components: the duplicates (vendors the target uses that the sponsor's portfolio already uses at better pricing, where the rationalization is a renegotiation rather than a replacement); the redundancies (vendors the target uses where the sponsor's existing tooling can absorb the function); and the risks (vendors the target uses where the contract is expiring, the BAA is missing, the security posture is below the sponsor's portfolio standard, or the vendor itself has had a recent incident). The rationalization plan typically identifies fifteen to twenty-five percent of the target's SaaS spend as addressable in the first year post-close, and the data the plan requires lives in the vendor list, the contract repository, and the SSO catalog from phase one. The rationalization is the cleanest one-year cost takeout in the integration model. Days fifteen through eighteen: incident and insurance review. The fourth phase reviews the target's prior three years of cyber incidents, claims, and insurance posture. The review covers every confirmed incident (with root cause, scope, and remediation status), every cyber insurance claim (with carrier, claim amount, and resolution), every customer-facing notification (with regulatory framework and timeline), every regulatory inquiry, every law-enforcement contact, and the current cyber insurance policy itself (limits, retentions, sub-limits, exclusions, named-peril coverage, war and infrastructure exclusions, and renewal posture). The review surfaces the questions the R&W underwriter will ask, the disclosures the purchase agreement will need to schedule, and the integration-budget items the operating partner will own. The phase ends with the integration cost range, the R&W exclusion forecast, and the disclosure schedule draft. Days nineteen through twenty-one: written report with cost ranges and integration plan. The fifth phase is the deliverable. The report is structured for three readers: the deal team lead, who needs the executive summary and the go-no-go recommendation; the operating partner, who needs the integration plan with budget ranges and the first-hundred-day action list; and the M&A counsel, who needs the disclosure schedule draft and the R&W exclusion forecast. The report is roughly twenty-five pages, not eighty, and it includes specific dollar ranges, specific timelines, and specific named owners for every recommendation. The senior advisor reviews the report with the deal team in a one-hour walkthrough, and the report is delivered the day the diligence committee meets, not the day after. The twenty-one-day cycle is the cycle that lets the diligence finding shape the deal terms. The longer cycles do not. The shorter cycles do not produce the findings. We describe the operational mechanics in the twenty-one-day field guide, and the integration handoff is the subject of the hundred-day post-close playbook. Carve-out cyber diligence Carve-out diligence is structurally different from platform diligence, and the difference compounds in the cyber surface area more than in any other diligence workstream. In a platform deal, the target is a standalone entity with its own identity provider, its own vendor stack, its own incident history, and its own insurance policy; the diligence team can interview the target's IT lead and walk the environment. In a carve-out, the target is a business unit of a parent company that will, in almost every case, restrict the diligence team's access to the parent's systems and offer only the carve-out's "as-projected" standalone state, a state that does not exist yet and that the parent's IT organization has no incentive to map accurately. The seller will not give access; the diligence team has to produce findings without the access the platform diligence assumes. The TSA negotiation is where the carve-out cyber diligence either lands or fails, and the diligence team that is not at the TSA negotiation table has already lost. The Transition Services Agreement is the document that governs which of the parent's systems, services, and personnel the carved-out entity continues to consume after close, for how long, at what price, with what service levels, and under what termination notice. In our experience the TSA cyber scope is typically drafted by the parent's M&A counsel in the first round, is significantly narrower than the carve-out actually requires, and is structured to expire in nine to twelve months with no automatic extension. A carve-out that does not have an IdP migration completed before the TSA expires loses its email, its file storage, its SSO, and its access to every SaaS subscription that federates from the parent's tenant on a single Friday. The diligence team that surfaces the TSA cyber scope in the diligence report, with a specific migration timeline and a specific extension-cost forecast, gives the sponsor's counsel the leverage to negotiate either a longer TSA or a parent-funded migration budget. The diligence team that does not surface it leaves the sponsor to discover the gap in month seven of the hold period. The IT separation cost is the single most underestimated cost line in carve-out integration. Across the carve-out engagements we have run in the last four years, the deal team's initial estimate of IT separation cost has been within twenty percent of the actual cost in roughly one of ten cases; the median deal team underestimate is sixty percent, and the modal underestimate concentrates in three categories. The first is the IdP migration itself, which requires building a new tenant, migrating identities, federating or migrating every SaaS subscription, repointing every workstation, and decommissioning the parent's access, a six-to-nine-month workstream at a mid-market carve-out, typically priced at fifty to two hundred fifty thousand dollars of external services on top of the internal IT effort. The second is the financial-system separation: the ERP, the AP automation, the corporate card, the bank portal, and the payroll provider all have to be either migrated to standalone instances or contracted directly under the new entity's name, and each migration has its own auth, integration, and data-migration sub-project. The third is the security-tooling separation: the EDR, the SIEM, the email security gateway, the DLP, and the cyber insurance policy all have to be either migrated, re-contracted, or replaced, and the parent will not, in our experience, transfer its enterprise pricing to the carved-out entity even when the carved-out entity continues to operate on the same platform. Shared credentials are the carve-out cyber finding we surface most often, and the one that the parent's IT organization is least equipped to remediate before close. In the typical mid-market carve-out, the parent's IT team has, over the years, set up shared service accounts that span multiple business units, an integration account that pulls data from the carve-out's ERP into the parent's data warehouse, a service account that runs the carve-out's payroll on the parent's identity, a federated identity that lets the parent's IT help-desk reset passwords for carve-out users. Every one of these shared credentials is an entry point into the carved-out entity that survives the close, that the parent's IT team typically does not document, and that the carve-out's new IT lead inherits without knowing it exists. The diligence team that asks for the shared-credential inventory before close, and that builds the rotation plan into the integration scope, prevents the post-close discovery that the parent still has root access to the carved-out AWS account. Data segregation is the carve-out finding that the regulators care about most, and that the diligence team has to surface even when the parent's IT team is confident the segregation is clean. In every carve-out we have run, the parent has, at minimum, customer data, employee data, and financial data that comingles across the parent and the carve-out in shared databases, shared file shares, shared CRM tenants, and shared analytics platforms. The segregation work is to identify every shared data store, classify the data in each by which entity owns it post-close, design the separation (split, copy, migrate, or delete), and execute the separation before the data-handling rights under the purchase agreement become operative. The work is typically a four-to-eight-month project that has to begin before close, not at close, and the diligence team that does not surface the scope in the diligence report leaves the sponsor to negotiate the timeline with the parent after the LOI is signed. The vendor BAA chain is the carve-out finding that compounds fastest in regulated verticals. Every BAA the parent holds with a vendor that processes data for the carved-out entity has to be either assigned to the new entity, re-executed in the new entity's name, or replaced with a new vendor relationship, and the assignment requires the vendor's consent, which the vendor has no contractual obligation to provide on the seller's preferred timeline. We have seen carve-outs close with thirty to seventy BAAs that have to be re-papered in the first six months post-close, with the carve-out's IT and compliance lead managing the project alone, with no budget allocated and no timeline negotiated. The diligence team that produces the BAA inventory and the assignment-versus-re-execution forecast before close gives the sponsor the leverage to negotiate either parent-funded BAA assignment or a transition-services line item. The detailed mechanics of the access-constrained diligence are in the carve-out field guide. Post-close cyber integration, the first 100 days The post-close integration window is the only window in the hold period when the integration team has the political authority, the budget posture, and the executive air cover to make the cyber decisions that compound for the next five to seven years. We have written the hundred-day playbook as a standalone reference; this section summarizes the integration steps that the diligence report should hand off to the operating partner on day one of close. The first integration step, in the first two weeks, is the founder credential rotation. Every administrative credential that the founder, the founder's spouse, the founder's prior CTO, the founder's MSP, or any other pre-close third party held to a system the post-close entity now operates has to be rotated, the new credentials have to be held by named post-close owners under MFA, and the prior credentials have to be confirmed disabled. The list of credentials should have been produced in phase two of the diligence and should be the first artifact the operating partner receives on day one. The rotation is mechanical, takes a competent IT lead three to five days for a typical mid-market entity, and is the single highest-leverage cyber action in the first hundred days. The rotation closes the most common entry vector for post-close incidents and is the precondition to every subsequent integration step. The second integration step, in the first thirty days, is the M365 or Entra ID cleanup. The diligence phase will have produced an identity-bloat estimate, typically thirty to fifty percent of the total identity count; the first-thirty-day cleanup disables the dormant accounts, names owners for every service account, removes shared mailboxes that no longer have a use case, and aligns the conditional-access policy with the sponsor's portfolio standard. The cleanup is the most reliably-found integration scope we run on portfolio companies, and the steps are documented in detail in the M365 and Entra hardening field guide. For carve-outs and for portfolio companies with material Azure footprints, the parallel cleanup on the Azure tenant is described in the Azure security review method. The third integration step, in the first sixty days, is the vendor consolidation. The vendor rationalization plan from phase three of the diligence becomes the action list. The duplicates get renegotiated under the sponsor's portfolio pricing, the redundancies get terminated on the next contract anniversary, and the risks get either replaced with a sponsor-portfolio-standard vendor or remediated under a documented exception. The consolidation is the cleanest one-year cost takeout in the integration model and typically produces fifteen to twenty-five percent of the SaaS spend as addressable savings in the first hold-period year. The fourth integration step, in the first ninety days, is the framework alignment. For portfolio companies in regulated verticals (financial services, healthcare, education, government contracting), the framework alignment is to either inherit the sponsor's portfolio SOC 2 or HIPAA posture or to build the entity's own posture on a documented roadmap. For unregulated portfolio companies, the framework alignment is to the NIST Cybersecurity Framework at a defensible maturity level. The alignment is not a certification project in the first ninety days; it is the gap analysis, the remediation roadmap, and the named owner. The certification, if it is required, lands in months six through eighteen on the roadmap. The fifth integration step, in the first hundred days, is the board cyber reporting cadence. The operating partner needs a one-page cyber report that lands in every quarterly board package, that the portfolio company's CIO or vCISO produces, and that the sponsor's portfolio operations group reviews. The report covers the eight controls from phase two of the diligence, the incident history (including near-misses), the open remediation items with named owners and dates, the cyber insurance posture, and the regulatory or customer-notification matters. The cadence is described in the board reporting field guide, and the broader reporting cadence for portfolio operations is described in the investor reporting cadence guide. The KPI selection for the underlying dashboards is covered in the investor-review dashboards guide. The sixth integration step, established in the first hundred days and active for the remainder of the hold period, is the incident response retainer. Every portfolio company above twenty-five million in revenue or in a regulated vertical needs a pre-negotiated incident response retainer with a named IR firm, with hourly rates locked in, with a defined response SLA, with the cyber insurance carrier's panel acknowledged, and with a tabletop exercise scheduled in the first hundred eighty days. The retainer typically costs five to twenty thousand dollars annually as a holding fee and converts to actual IR spend only when triggered. The portfolio company that does not have the retainer in place pays roughly three times the hourly rate when the incident arrives, and waits two to four weeks for an available IR team in a market that has hardened since 2023. R&W insurance and cyber The rep-and-warranty insurance market has changed materially in the last three years on the cyber surface area, and the deal team that is negotiating the R&W policy with the assumption that cyber is covered under the general representations is operating on a 2020 view of the market. Every R&W carrier we work with now runs a separate cyber underwriting workstream, and the workstream has specific requirements, specific exclusions, and a specific posture toward the diligence report that the deal team has to understand before the policy bind, not after. R&W typically covers, on the cyber surface area, breaches of the target's general data-security representations (that the target has reasonable security measures in place), breaches of the target's specific representations about prior incidents (that the target has disclosed all material incidents in the past three to five years), and breaches of the target's compliance representations (that the target is in compliance with applicable data-protection law). The coverage is meaningful when the policy is properly negotiated, and the coverage is the reason the R&W premium is a justifiable line item on the deal model even on smaller transactions. The carriers we work with most often include AIG, Beazley, Euclid, Tokio Marine HCC, and Aspen; the policy terms vary by carrier but the cyber underwriting question converges across the market. What R&W typically does not cover is the set of risks the carrier views as either too foreseeable, too insider-specific, or too operationally controllable to be properly transferred. Insider risk is almost always excluded, a founder, a former employee, or a contractor who misuses credentials they held before close is not a covered loss. Founder administrative access that survives the close is in the same category, if the diligence did not surface the founder credential problem, the resulting incident is on the sponsor's balance sheet, not the carrier's. Known issues are excluded, anything the disclosure schedules surface, anything the diligence report identifies, and anything the seller's prior incident history reports is excluded from the coverage by the policy's known-loss exclusion. Forward-looking obligations are excluded, the cost to remediate a control gap identified in diligence is integration cost, not insurable loss. The diligence findings directly shape the R&W policy in three ways. First, the disclosure schedules pick up the specific findings from the diligence report, which converts them from general-representation coverage to specifically-disclosed items the policy does not cover. Second, the underwriting questionnaire asks the deal team to make representations about the cyber posture that the diligence team has to be willing to support; the deal team that makes the representations without the diligence backing typically discovers in claim that the carrier denies coverage on the basis that the representations were not adequately supported. Third, the underwriter writes specific exclusions for any control area the diligence did not adequately cover; a diligence report that did not test backup posture produces an R&W exclusion for ransomware loss. The common cyber exclusions in 2026 mid-market R&W policies are: any incident involving the target's founder, founder-family, or founder-affiliated entities (insider risk); any incident involving credentials known to the target before close (known loss); any loss to remediate a control gap identified in the diligence (integration cost); any loss arising from a vendor or business-associate relationship that was not properly papered as of close (vendor risk); any ransomware loss where the target did not have tested backups as of close (backup posture); and any regulatory penalty arising from a posture that the diligence identified and the buyer accepted (assumed risk). The exclusion list is negotiable in the binding process, but the negotiation requires the diligence report to support the negotiation, which is the reason the diligence team has to finish the report before the R&W binding, not after. The pattern across PE roll-ups The single-portco diligence pattern is well-understood. The roll-up pattern, where a sponsor acquires three, five, or fifteen portfolio companies in a single vertical over a thirty-month hold-period window, has its own cyber pattern, and the pattern compounds across the portfolio in ways the single-portco view does not capture. The sponsors we work with on roll-up strategies have learned, in some cases the hard way, that the cyber surface area of a five-platform roll-up is not five times the surface area of one platform; it is roughly fifteen times the surface area, because the integration interfaces, the shared vendors, the shared identity, and the cross-portfolio AI exposure all create new surface area that did not exist in any individual entity. The shared-TSA pattern is the first roll-up finding. When a sponsor acquires three carve-outs from the same parent in twelve months, the TSAs typically run in parallel and expire in parallel, which creates a sixty-day window when three independent IdP migrations, three independent financial-system separations, and three independent security-tooling re-contracting workstreams have to converge on the same integration team. The sponsor that does not stagger the TSA expirations in the negotiation (or that does not staff the integration team for the convergence) discovers in month nine of the hold period that all three carve-outs are simultaneously losing parent access. We negotiate the TSA expiration sequencing at the diligence phase for any roll-up where a second target from the same parent is on the pipeline. The multi-target integration pattern is the second roll-up finding. The integration playbook for the first portfolio company in a roll-up is typically built ad-hoc; the second, third, and fourth integrations either inherit the playbook (which compounds favorably) or rebuild it (which compounds unfavorably). The sponsors we work with on roll-up strategies build a portfolio-level cyber posture standard in the first acquisition's integration phase, typically a one-page set of minimum controls that every subsequent acquisition has to meet within the first hundred days post-close, and reuse the standard, the vendor stack, and the integration playbook across the portfolio. The standard converts cyber integration from a per-acquisition engagement to a portfolio-level repeatable, which produces both cost takeout and posture consistency. The reusable playbook is the asset. The AI exposure pattern is the third roll-up finding, and the one that has changed most in the last eighteen months. Every portfolio company we run diligence on in 2026 has deployed at least one generative AI tool, typically Microsoft Copilot, GitHub Copilot, ChatGPT Enterprise, or a vertical-specific AI vendor, and the deployment has typically happened without portfolio-level governance, without a documented AI use policy, and without a vendor-data-handling review. The cross-portfolio exposure compounds because the same AI vendors are typically used across the portfolio, the data flows are typically opaque, and the contractual representations are typically inconsistent. We address the portfolio-level AI strategy in the portfolio AI strategy guide, the governance framework in the one-page AI governance policy guide, and the deeper compliance stack in the five-layer AI compliance stack pillar. The roll-up that does not have a portfolio-level AI posture by the second acquisition is building integration debt that compounds at the pace of the AI vendor market, which is faster than the integration team's capacity to remediate. The post-close tenant consolidation pattern is the fourth roll-up finding. The sponsors we work with on roll-up strategies eventually face the decision of whether to consolidate the portfolio companies onto a single Microsoft 365 or Google Workspace tenant, onto shared AWS organizations, onto a shared identity provider, and onto a shared security tooling stack, or to keep each portfolio company on its own tenant and accept the duplicated overhead. The decision is not technical; it is a governance and exit-readiness decision, and the answer is typically different for roll-ups that intend to exit the platforms as separate businesses than for roll-ups that intend to exit the platform as a consolidated business. The decision has to be made by the second or third acquisition, not at year three when the consolidation cost has compounded. The broader systems-integrator question is addressed in the finance-transformation integrator guide; the back-office consolidation pattern in vertical roll-ups is in the property-management back-office consolidation field guide; and the cash-forecasting cadence that the consolidated portfolio needs is in the cash forecasting guide. The MD&A and IPO-readiness implications of a consolidated roll-up are covered in the private-company MD&A and IPO-readiness guide. Frequently asked questions How much does M&A cyber diligence cost? A full-scope twenty-one-day Securem diligence on a mid-market target (typically seventy-five-million to four-hundred-million enterprise value) is a fixed-fee engagement in the range of forty-five to ninety-five thousand dollars, depending on the target's complexity, the regulated vertical, the carve-out posture, and whether the engagement includes pre-LOI signal work. The fee is roughly one-tenth of the median post-close cyber integration cost we have observed on the same target population, and roughly one-fortieth of the median post-close incident cost. The diligence engagement is the cheapest cyber dollar a sponsor will spend in the hold period. What is the difference between cyber diligence and IT diligence? IT diligence covers the target's overall technology surface area, the systems, the infrastructure, the application portfolio, the integration architecture, the technology roadmap, and the technology spend, and is typically delivered by a technology consulting firm or an IT operations specialist. Cyber diligence covers the subset of IT diligence that relates to security posture, incident risk, regulatory compliance, and insurance coverage. The two overlap meaningfully on inventory, vendor stack, and identity, and the sponsors we work with most often staff a single combined engagement (typically named "tech and cyber diligence") that covers both workstreams under a single senior advisor. The combined engagement is more efficient than two separate engagements and produces a single report that the deal team and the operating partner can both use. The combined engagement is described in the M&A diligence practice page. Can cyber diligence happen pre-LOI? Yes, and in our experience the pre-LOI signal phase produces meaningful findings that shape the LOI itself. The pre-LOI inquiry covers the public-disclosure search, the customer-questionnaire review, the public-rating pull, the job-posting review, and the litigation-and-regulatory search; it does not require data room access and can be completed in roughly one analyst-week. The pre-LOI findings have been material enough to shift the LOI price on roughly one in four engagements we have run, and to walk the sponsor away from the target on roughly one in twenty. Who pays for cyber diligence in a carve-out? In our experience, the buyer pays for the buyer's diligence in every case, including carve-outs, and the seller will not contribute to the cost. The negotiation point in a carve-out is not who pays for the diligence but what the seller is contractually required to provide as inputs to the diligence, the inventory, the contracts, the BAA chain, the incident history, the shared-credential register, the data-segregation map. The diligence team that writes the carve-out data request specifically, and that supports the buyer's M&A counsel in negotiating the data request into the LOI or the data-access agreement, gets meaningfully better diligence inputs than the team that accepts the parent's standard carve-out data room. What is a typical post-close cyber integration timeline? The first thirty days are the foundational controls (founder credential rotation, M365/Entra cleanup, EDR deployment confirmation, financial-system MFA enforcement). The first ninety days are the operational controls (vendor consolidation, third-party access cleanup, BAA inheritance work, identity sprawl remediation). The first hundred eighty days are the posture controls (framework alignment, board reporting cadence, incident response retainer, first tabletop exercise). The first twelve months are the certification controls if the entity needs SOC 2, HIPAA attestation, or similar, with the certification itself landing in months six through eighteen. The full integration is materially complete at month twelve in our experience, and the entity is exit-ready on the cyber surface area at month eighteen. Does R&W cover cyber? R&W typically covers the cyber-related representations the target makes in the purchase agreement, subject to the disclosure schedules and the specific exclusions the carrier writes during binding. The coverage is meaningful when the policy is properly negotiated, and the negotiation requires the diligence report to be finished before the binding, with the findings reflected in both the disclosure schedules and the underwriting questionnaire responses. The 2026 R&W market has tightened on cyber relative to 2020, and the deal team negotiating against the 2020 assumption is over-relying on the policy. When should a deal team walk away based on cyber findings? In our experience the walk-away findings cluster in three categories. The first is undisclosed material incidents, a target that has had a confirmed incident in the past three years that was not disclosed in the data room, that the diligence team has surfaced through pre-LOI signal work or through interview, and that the seller will not represent or schedule on disclosure. The second is structural posture gaps that the integration budget cannot absorb, typically a regulated entity with no functioning compliance program, an unfunded remediation backlog in the millions, or a customer-contract posture that requires controls the target cannot demonstrate. The third is founder-risk concentrations that the integration cannot remediate, typically a founder who refuses to transfer administrative credentials, who has refused to consent to the carve-out of personal entanglements, or who is the sole holder of integration-critical knowledge with no documented backup. The walk-away rate on our diligence engagements is roughly one in fifteen; the price-adjustment rate is roughly one in three. How do you evaluate a target's incident response? The evaluation has four components. The first is the written incident response plan, does it exist, when was it last updated, who are the named roles, and what is the escalation path? The second is the IR retainer, is there a pre-negotiated retainer with a named IR firm, what are the hourly rates, what is the response SLA, and is the cyber insurance carrier's panel acknowledged? The third is the tabletop exercise history, has the entity run a tabletop in the past twelve months, what was the scenario, who participated, and what were the findings? The fourth is the prior-incident history, how have prior incidents actually been handled, what was the response time, what was the customer-notification timeline, and what was the post-incident remediation? An entity with no IR plan, no retainer, no tabletop, and an unclear prior-incident response is a high-likelihood-of-failure entity on the next incident, and the integration cost to remediate is the equivalent of building the IR program from scratch in the first six months. How does cyber diligence interact with the QofE? The cyber diligence and the QofE typically run in parallel windows but produce different deliverables on different timelines. The cyber findings most often affect the QofE in three ways: by surfacing remediation cost ranges that have to be reflected in the working-capital target or the post-close adjustment; by surfacing vendor consolidation savings that the QofE can include in the run-rate adjustment; and by surfacing prior-incident costs that should be either excluded from the trailing-twelve-month EBITDA as non-recurring or included if they are likely to recur. The diligence team that finishes the report before the QofE finalizes its model produces the cleanest integration of cyber findings into the deal economics. Where to go deeper This guide is the pillar. The implementation guides below cover specific phases and adjacent workstreams in more operational detail, and the practice pages cover the engagement structures. For the operational mechanics of the twenty-one-day diligence cycle, the M&A cyber and tech diligence twenty-one-day field guide walks through the phase-by-phase deliverables. The carve-out variant, where the seller restricts data-room access, is covered in the carve-out tech diligence field guide. The post-close handoff, with the eight controls every newly-acquired portco needs in the first thirty days, is in the hundred-day post-close cyber integration playbook. For the identity and tenant-hardening work that the integration team owns in the first sixty days, the M365 and Entra ID hardening field guide and the Azure security review method are the operational references. For portfolio-level AI posture, the portfolio AI strategy guide, the one-page AI governance policy guide, and the five-layer AI compliance stack pillar cover the policy and compliance posture that the portfolio-level operating partner has to set. For the broader operating-partner toolkit that surrounds the cyber work, the investor reporting cadence guide, the board reporting field guide, and the KPI dashboards for investor review guide cover the reporting infrastructure. The cash forecasting guide, the finance-transformation integrator guide, and the property-management back-office consolidation guide cover the adjacent finance and integration workstreams that the same operating partner typically owns. The private-company MD&A and IPO-readiness guide is the exit-side companion. For the engagement structures themselves, the M&A diligence practice page describes the diligence offering, the counsel page describes the senior-advisor engagement model, and the engagements page describes the broader retainer and fractional posture work. The diagnostic is the entry point for sponsors who want a fixed-fee review of an existing portfolio company before scoping the broader engagement. The private equity industry page, the regulated SaaS page, and the healthcare industry page describe the vertical posture for the three industries where we run the most diligence. External authorities the deal team should be familiar with: the NIST Cybersecurity Framework is the framework most R&W underwriters reference; the SEC's cybersecurity disclosure rules shape the disclosure obligations for public-company sellers and for private targets with public-debt obligations; AIG and the other major R&W carriers publish their underwriting posture; the ABA M&A Committee publishes the deal-points studies that document market terms; and the Association for Corporate Growth publishes the mid-market deal-flow data that shapes the cyber diligence market itself. The diligence that shapes the deal terms is the diligence that finishes before the agreements are signed. The integration that compounds favorably is the integration that begins on day one of close with the diligence report in hand. The hold period that exits cleanly is the hold period that built the cyber posture in the first hundred days. Each window closes on its own schedule, and each window opens once.