What’s this Article and the Checklist!
The Essential Cyber Due Diligence Checklist for M&A and Fundraising
You’re three weeks from term sheet signing on your Series A, or you’re in exclusivity with an acquirer conducting due diligence. The investor’s DD checklist arrives, and section seven is cyber security and data protection. They want your cyber insurance policies, details of any security incidents in the past five years, evidence of your security controls, customer contract terms related to data protection, and your incident response procedures. Some of these documents exist. Some don’t. Some exist but reveal gaps you’d rather not disclose.
This cyber due diligence checklist is what institutional investors and strategic acquirers actually use during fundraising and M&A processes. We’re writing from experience supporting DD on both sides—advising companies preparing for raises and helping investors assess cyber risk. By the end, you’ll know exactly what documents to prepare, which disclosures are material, and how to present your cyber risk profile professionally.
Why Cyber Due Diligence Determines Deal Certainty
Cyber due diligence exists because digital incidents create tail liabilities that persist long after close. An acquirer buying your company inherits liability for breaches that occurred before acquisition but surface afterwards. An investor funding your Series B doesn’t want their capital consumed by incident response costs from a breach during their hold period.
The timing pressure creates the problem. You’re typically conducting cyber due diligence in parallel with financial, legal, and technical DD, compressed into a 2-4 week window. If cyber DD uncovers issues requiring deeper investigation, you’re either delaying close—which kills momentum and deals—or proceeding with valuation adjustments that reduce your proceeds. Companies that prepare cyber DD materials before entering processes avoid these timing collisions.
The Complete Cyber M&A Checklist: Documents Investors Demand
This cyber M&A checklist covers the six areas investors scrutinize. Prepare these documents before DD begins, not during the sprint to close.
1. Incident History and Disclosure Requirements
Investors want complete disclosure of any security incidents, breaches, or near-misses in the past 3-5 years.
Documents to prepare:
- Incident log listing all material security events with dates, scope, and outcomes
- Forensic investigation reports for each incident
- ICO notifications and correspondence (if applicable)
- Customer breach notifications (templates and evidence of delivery)
- Remediation reports showing actions taken post-incident
- Insurance claims documentation including amounts paid
- Any ongoing regulatory proceedings or customer disputes
What constitutes a material incident:
- Unauthorised access to customer, employee, or proprietary data
- Ransomware attacks or system encryption
- System compromises requiring external forensic investigation
- Incidents requiring regulatory or customer notification
- DDoS attacks causing material service disruption
- Insider threats or privileged access abuse
Disclosure format for each incident:
- Date of occurrence and discovery
- Nature of incident and systems affected
- Number of affected individuals or customers
- Notification actions taken (regulatory and customer)
- Root cause analysis and remediation steps
- Total costs incurred and insurance recovery received
- Current status of any claims or regulatory proceedings
Non-material events (summarize briefly; these don’t require detailed disclosure):
- Vulnerabilities discovered and patched before exploitation
- Phishing attempts blocked by security controls
- Failed login attempts or routine security alerts
- Routine penetration test findings remediated promptly
2. Security Controls, Certifications, and Audit Evidence
Investors want proof of security posture through certifications, audits, and control documentation.
Required documentation:
- SOC 2 Type II reports (current and prior year)
- ISO 27001 certification (if applicable)
- Cyber Essentials or Cyber Essentials Plus certification
- Penetration testing reports (most recent 12 months)
- Vulnerability scanning reports with remediation tracking
- Security policies and procedures (incident response, access control, data protection, change management)
- Multi-factor authentication implementation evidence
- Encryption configuration (data at rest and in transit)
- Backup and disaster recovery testing results
- Security awareness training records for staff
Key investor cyber questions to prepare for:
- How often do you conduct penetration testing and who performs it?
- What critical or high-severity vulnerabilities remain unremediated and why?
- How do you manage privileged access and credential rotation?
- What monitoring and alerting do you have for security events?
- How often do you test your incident response plan?
- What’s your patch management SLA for critical vulnerabilities?
If you lack certifications:
- Document your security control framework (even if not formally certified)
- Provide evidence of control implementation and testing
- Show remediation roadmap with target dates for formal certification
- Be transparent about gaps rather than claiming controls you don’t have
3. Cyber Insurance Coverage and Claims History
Cyber insurance coverage represents your capacity to respond to incidents without consuming operating capital.
Documents to provide:
- Current cyber insurance policy declarations page (limits, coverage scope, policy period)
- Historical policies covering the lookback period (typically 3-5 years)
- Schedule of coverage including first-party and third-party limits
- Any sublimits for specific coverage types (ransomware, regulatory fines, business interruption)
- Claims history including dates, amounts claimed, and amounts paid
- Any denied or partially paid claims with explanation
- Renewal terms and premium history showing pricing trends
Coverage analysis investors perform:
- Do limits match your revenue and customer base? (Typical expectation: £2M-£5M for companies with £5M-£50M revenue)
- Does coverage meet contractual requirements from major customers?
- Are there coverage gaps or exclusions that create uninsured exposure?
- Is the policy claims-made or occurrence-based, and what’s the retroactive date?
- Have you had multiple claims that indicate insurability problems at renewal?
If coverage is inadequate:
- Explain your plan to increase limits before close
- Provide broker quotes for enhanced coverage
- Identify which customer contracts have insurance requirements you don’t meet
- Quantify the uninsured gap so investors can price the risk
4. Customer Contracts and Cyber Liability Allocation
Customer contracts determine your potential cyber liability exposure.
Contracts to include in DD:
- Top 10-20 customers by revenue (full executed agreements)
- Standard contract template (if you have one)
- Any contracts with unlimited or uncapped cyber indemnity
- Contracts with cyber-specific SLA penalties
- Data processing agreements with security obligations
- Master service agreements with insurance requirements
Key provisions investors scrutinize:
- Cyber indemnity scope (what triggers your liability to customers)
- Liability caps (general cap vs cyber-specific cap)
- SLA terms including cyber-caused downtime treatment
- Security warranties and representations
- Insurance requirements (limits, additional insured provisions)
- Force majeure provisions (whether cyber incidents are excluded)
Red flags that affect valuation:
- Unlimited cyber indemnity in multiple contracts
- Customer contracts requiring insurance limits you don’t carry
- Security warranties for controls you don’t have
- SLA penalties that stack with other cyber liabilities
- Contracts with large customers that have one-sided risk allocation
Prepare a summary showing:
- Maximum contractual exposure per customer
- Aggregate exposure across all customers
- Which contracts have terms outside your standard
- How your cyber insurance limits compare to contractual obligations
5. Regulatory Compliance and Data Protection Framework
UK GDPR compliance is baseline, but investors want evidence of implementation depth.
Required documentation:
- Data protection impact assessments (DPIAs) for high-risk processing
- Records of processing activities (ROPA) documenting data you hold
- Lawful basis documentation for each data processing category
- Data retention and deletion policies with implementation evidence
- Cross-border data transfer mechanisms (standard contractual clauses)
- Privacy notices and consent management evidence
- Data subject rights procedures (access, erasure, portability)
- Data breach notification procedures and ICO registration
For AI/ML companies, add:
- Model governance documentation and bias testing results
- Algorithmic accountability procedures
- Explainability documentation for consequential decisions
- AI governance framework alignment with emerging regulation
Evidence of operational compliance:
- Data mapping showing where personal data resides
- Access logs demonstrating data subject rights fulfillment
- Deletion logs proving retention policy enforcement
- Training records showing staff understand obligations
6. Third-Party Dependencies and Supply Chain Risk
Your cyber risk includes vendors, cloud providers, and integration partners.
Vendor assessment documentation:
- List of critical third-party services with security implications
- Vendor security assessment questionnaires and responses
- Vendor contracts including liability allocation
- Evidence of vendor SOC 2, ISO 27001, or equivalent certifications
- Vendor incident notification procedures
- Business continuity plans if critical vendors fail
Key third-party risks investors assess:
- Single points of failure (sole reliance on one cloud provider)
- Vendors processing customer data (and your liability for their breaches)
- API integrations with security implications
- Open source dependencies with known vulnerabilities
- Subprocessors under GDPR (and your accountability for them)
How to Disclose Past Incidents Without Destroying Value
Past cyber incidents don’t kill deals—undisclosed incidents do. The disclosure strategy matters as much as the facts.
Frame incidents professionally. Instead of “We had a data breach,” present it as: “In Q3 2023 we detected and contained unauthorised access affecting 5,000 records. We engaged forensics, notified the ICO and customers within regulatory timelines, implemented additional controls based on forensic recommendations, and had no regulatory penalties or customer claims. Cyber insurance covered the £85,000 in response costs.”
This demonstrates competence, transparency, and learning. Investors distinguish companies that have incidents and manage them well from companies that hide them or handle them poorly.
Quantify everything. Investors want financial impact: total costs, insurance recovery, business interruption quantified, settlement amounts if applicable. This transparency allows them to assess whether your cyber insurance limits are adequate.
Provide remediation evidence. For each incident, show what you’ve done to prevent recurrence. If the incident resulted from missing MFA, show MFA is now enforced. If it was an unpatched vulnerability, show improved patch management and current compliance metrics. Remediation evidence proves the risk has been addressed.
Cyber Insurance in Deal Structure
Cyber insurance serves multiple deal purposes beyond risk transfer.
Tail coverage for pre-close incidents is the primary deal protection. If an incident occurred before close but surfaces post-acquisition, your cyber insurance provides defence and indemnification for warranty breach claims. Acquirers typically require sellers to maintain tail coverage for 1-3 years post-close.
Insurance limits signal insurability. If you carry £5 million in cyber insurance, investors know an underwriter assessed your risk and provided that capacity. Adequate coverage becomes a quality signal, not just risk transfer.
Post-close insurance requirements are often conditions of close. Acquirers may require that you maintain coverage at specified limits post-close, or investors may require it as a funding condition. Understand these requirements before final negotiations to avoid last-minute coverage scrambles.
The Bottom Line for Cyber Due Diligence for Fundraising
Prepare your cyber due diligence materials before you enter fundraising or M&A processes. The companies that navigate DD successfully are the ones with documents ready, incidents disclosed transparently, and cyber insurance aligned with their risk profile.
Use this cyber M&A checklist to prepare:
- Incident history with dates, scope, costs, and remediation
- Security certifications and audit reports (SOC 2, ISO 27001, penetration tests)
- Cyber insurance policies and claims history
- Customer contracts with cyber liability terms
- GDPR compliance evidence and data protection framework
- Third-party vendor assessments and dependencies
Past incidents won’t destroy your valuation if you present them with context, costs, insurance recovery, and clear remediation. Investors appreciate transparency and competent incident management. They penalize companies that hide issues or discover material gaps during DD that should have been disclosed upfront.
The time to assemble these materials is now, before DD begins—not during the two-week sprint to close when every delay creates deal risk.
External Resources
- British Private Equity & Venture Capital Association (BVCA) – Industry guidance on due diligence best practices for private equity and venture capital transactions, including cyber security considerations
- ICO: Data Protection and Accountability Framework – Official UK guidance on demonstrating GDPR compliance, essential for investor due diligence on data protection practices