Cyber Due Diligence Checklist for Private Equity: The Questions That Actually Change a Deal

Most due diligence checklists are designed to make everyone feel organized.

Cyber due diligence is different. Done well, it should make at least one person in the room slightly uncomfortable.

That is the point.

A good cyber due diligence process does not ask, "Does this company have cybersecurity?" Every company has something. A policy in a folder. A penetration test from last year. A tool with a dashboard. A person who "handles IT." The better question is: What cyber risk is already sitting inside the deal model, pretending to be EBITDA?

Because cyber risk rarely introduces itself as cyber risk. It shows up as delayed integration. Surprise remediation costs. Customer trust issues. Product security debt. Uninsurable exposure. A breach that happened two years ago and was "handled internally." Or a critical system nobody wants to touch because the person who built it left in 2019.

For private equity deal teams, cybersecurity is no longer a technical side quest. It is a value protection exercise. Sometimes it is even a value creation exercise. The target's security posture can affect purchase price, closing conditions, post-close priorities, insurance terms, customer retention, and the first 100 days of ownership.

This checklist is designed for investors who do not want theatre. It is not about collecting every document the target can upload into a data room. It is about asking the questions that reveal whether cyber risk is manageable, material, or already metastasizing.

The uncomfortable truth: cyber maturity does not look like a policy library

One of the easiest mistakes in cyber due diligence is confusing documentation with reality.

A target company may have acceptable policies, a recent penetration test, a security awareness slide deck, and a tool stack that looks respectable on paper. That can still tell you very little about how security actually works on a Tuesday afternoon when a developer pushes code, an employee gets phished, a supplier is compromised, or a critical vulnerability appears in a system nobody owns.

Cybersecurity is not a bookshelf. It is a set of operating habits.

That distinction matters in private equity because deal teams often see polished answers under intense time pressure. Management has every incentive to appear prepared. Advisors have every incentive to keep the process moving. The data room can become a stage, and every file uploaded can feel like evidence.

But evidence of activity is not evidence of control.

The real question is not "Do they have security documents?" It is: Can this company repeatedly make secure decisions when nobody from the deal team is watching?

That is what you are trying to underwrite.

What cyber due diligence should answer

A useful cyber due diligence process should leave the investment team with clear answers to four questions:

1. What could realistically go wrong? Not in science-fiction terms. In business terms. What systems, data, customers, products, suppliers, or processes create real exposure?
2. How likely is it? Not "cyber is risky" as a generic statement. Which risks are plausible given the company's architecture, maturity, sector, and threat profile?
3. What would it cost to fix? Risk without remediation cost is just anxiety. Deal teams need numbers, timelines, and priorities.
4. What should happen after close? The best cyber DD does not end with a red-yellow-green heatmap. It becomes a post-close action plan.

If the assessment cannot support those four answers, it may still be useful background reading. But it is not yet deal-grade cyber due diligence.

The private equity cyber due diligence checklist

Below are the areas every deal team should pressure-test before signing.

The goal is not to turn investment professionals into security engineers. The goal is to know where to push, what to request, and which answers should trigger deeper investigation.

1. Governance: Who actually owns cyber risk?

Start here because ownership predicts outcomes.

In many companies, cybersecurity is treated as an IT hygiene topic. Someone patches laptops, manages antivirus, and responds when people cannot log in.

That may be fine for a small business with limited exposure. It is not fine for a company handling sensitive customer data, operating critical production systems, selling software, or integrating into a portfolio.

The key question is simple: Who wakes up worried about cyber risk?

If the answer is "our IT provider," keep digging. External providers can be valuable, but outsourced activity is not the same as internal accountability. Someone inside the company must understand the risk, make trade-offs, secure budget, report to management, and drive follow-through.

Ask:

• Who is accountable for cybersecurity at management level?
• How often is cyber risk discussed by leadership?
• Is there a security roadmap, or only ad hoc fixes?
• Who approves exceptions to security requirements?
• How are cyber risks reported to the board, shareholders, or investors?

A mature answer does not require a 40-person security team. It requires clarity. Even lean organizations can show ownership, prioritization, and disciplined execution.

The red flag is not "small team." The red flag is diffuse responsibility. When everyone is vaguely responsible for cyber, nobody is responsible when it matters.

2. Identity and access: Who can do what?

If cyber due diligence had to start with one technical area, identity would be a strong candidate.

Attackers do not usually hack through the front door with dramatic music playing. They log in. They steal credentials, abuse weak access controls, exploit forgotten accounts, or move through systems using privileges nobody reviewed after the last reorganization.

Identity is where many companies accidentally reveal their true security culture.

Ask:

• Is multi-factor authentication enforced for all users, especially administrators?
• Are privileged accounts separate from normal user accounts?
• How often are access rights reviewed?
• Are former employees and contractors removed quickly?
• Are shared accounts used anywhere?
• Who has access to production systems, financial systems, source code, cloud environments, and customer data?

The phrase to listen for is: "We trust our people."

Trust is not a control. Trust is a reason to design controls that protect good people from bad days.

Weak identity controls are especially dangerous in PE contexts because they often become integration blockers. If a portfolio company cannot explain who has access to what, it will struggle to integrate securely, scale securely, or withstand customer and insurer scrutiny.

A practical post-close identity program can create fast risk reduction. But if privileged access is chaotic before close, the remediation cost belongs in the deal conversation.

3. External attack surface: What can the internet see?

Every company has a public face. Websites, VPNs, cloud services, remote access portals, development systems, exposed storage, forgotten subdomains, old login pages, test environments, partner portals, and that one server everyone assumed had been decommissioned.

The internet is an unforgiving auditor. It does not care what is in the policy document. It only sees what is exposed.

Ask:

• What internet-facing assets does the company operate?
• Is there a complete and current inventory?
• Are remote access services protected and monitored?
• Are any outdated, unsupported, or high-risk services exposed?
• Are cloud assets continuously monitored for misconfiguration?
• Are old domains, subdomains, or test environments still reachable?

This is one of the most useful areas in deal-speed cyber DD because it can reveal risk quickly. You can often identify exposed systems, outdated software, weak configurations, or forgotten infrastructure without waiting for a perfect data room.

The thought-provoking part is this: a company's external attack surface is often more honest than its management presentation.

Not because management is dishonest. Because infrastructure accumulates. Products pivot. Teams change. Cloud experiments become production dependencies. Temporary exceptions become permanent architecture.

What is exposed to the internet tells you what the company has become, not just what it believes it is.

4. Vulnerability management: Can the company fix what it finds?

A vulnerability report is only half a story.

The more important half is what happens next.

Many companies can produce scanning results. Fewer can show a reliable process for prioritizing, assigning, fixing, verifying, and learning from those findings. In due diligence, you are not simply asking whether vulnerabilities exist. They always do. You are asking whether the company has a functioning immune system.

Ask:

• Are vulnerability scans performed regularly?
• Are critical findings tracked to closure?
• Who owns remediation?
• How quickly are severe vulnerabilities fixed?
• Are exceptions documented and time-limited?
• Are third-party and open-source vulnerabilities included?
• Is patching different for laptops, servers, cloud, applications, and production systems?

Do not be overly impressed by a clean report. It may mean the scope was narrow.

Do not be overly frightened by a messy report. It may mean the company is finally looking honestly.

The real maturity signal is trend and behavior. Are severe issues decreasing? Are teams closing findings? Are repeat problems being addressed at the root? Does leadership understand the trade-offs?

A company that finds problems and fixes them is investable. A company that avoids looking is gambling.

5. Product and technology security: Is the product itself a risk?

For software, SaaS, fintech, healthtech, industrial tech, platforms, marketplaces, and digitally enabled businesses, product security can be the difference between manageable IT risk and enterprise value risk.

This is where generic cybersecurity checklists often fail.

Corporate IT security asks whether employees and systems are protected. Product security asks whether the thing customers buy can be trusted.

Ask:

• Is security integrated into the software development lifecycle?
• Are code reviews, dependency checks, and security testing performed?
• Are secrets, API keys, and credentials managed safely?
• Is customer data segregated properly?
• Are authorization checks robust?
• Has the product undergone penetration testing?
• How are vulnerabilities reported by customers, researchers, or partners?
• Is there a secure process for deploying changes?

A product security weakness can become a sales problem, a legal problem, a retention problem, or an exit problem.

The uncomfortable question for investors is this: Is the company's valuation built on software that would survive serious scrutiny?

If not, that does not necessarily kill the deal. But it should affect the remediation plan, the investment thesis, and possibly the price.

6. Data protection: What data exists, where is it, and who cares if it leaks?

Data risk is often misunderstood because companies talk about it in abstract nouns: personal data, confidential data, sensitive data, customer data, financial data, intellectual property.

In due diligence, abstract nouns are not enough.

You need to understand what data exists, where it lives, how it moves, who can access it, how long it is retained, and what would happen if it became public.

Ask:

• What sensitive data does the company process?
• Where is that data stored?
• Is data encrypted at rest and in transit?
• Who has access to customer, employee, financial, and product data?
• Are data flows documented?
• Are retention and deletion practices enforced?
• Are backups protected from deletion or ransomware?
• Are there sector-specific obligations or customer commitments?

The most revealing exercise is to ask management to describe the crown jewels.

If they cannot name the data and systems that matter most, they probably cannot protect them consistently.

Data protection is not just compliance. Compliance asks whether the company can defend its behavior to a regulator. Cyber due diligence asks whether the company can defend its value from reality.

Both matter. They are not the same thing.

7. Incident response: What happens on the worst Friday of the year?

Every company has an incident response plan in theory.

The real test is what happens at 17:43 on a Friday when systems behave strangely, the IT lead is on holiday, the CEO is boarding a flight, and someone asks whether the company should shut down production.

That is not the moment to discover who is allowed to make decisions.

Ask:

• Is there an incident response plan?
• Has it been tested in a tabletop exercise?
• Who is on the response team?
• Are legal, communications, leadership, IT, and external experts included?
• Are detection and logging sufficient to investigate an incident?
• Is cyber insurance in place, and are notification requirements understood?
• Has the company experienced previous incidents? If so, what changed afterward?

The last question matters most.

A past incident is not automatically a deal problem. In fact, companies that have been through an incident and improved may be more mature than companies that believe nothing has ever happened.

The red flag is not a scar. The red flag is a scar with no lesson.

8. Third-party and supply-chain risk: Who else can break the company?

Modern companies are not single companies. They are ecosystems wearing a logo.

Cloud providers, SaaS tools, software libraries, outsourced IT, payment providers, logistics partners, development agencies, data processors, managed service providers, and niche vendors all become part of the risk picture.

Private equity deal teams should care because third-party risk can hide outside the neat perimeter of the target.

Ask:

• Which vendors are critical to operations?
• Which vendors process sensitive data?
• Are supplier security requirements defined?
• Are vendor reviews performed before onboarding?
• Are contracts clear on security, notification, audit rights, and data handling?
• Are software dependencies and open-source components tracked?
• Are there concentration risks in one provider, agency, or individual?

The dangerous assumption is that outsourcing transfers risk.

It rarely does. It transfers tasks. The risk often comes home at the worst possible time.

A company that depends on third parties without understanding them has not reduced complexity. It has rented it.

9. Backups and resilience: Can the business recover?

Backup maturity is boring until it becomes existential.

Ransomware, accidental deletion, cloud misconfiguration, failed migrations, insider mistakes, and supplier incidents all turn backup strategy into business continuity strategy. In due diligence, the question is not whether backups exist. It is whether the company can recover the right systems fast enough to avoid material damage.

Ask:

• What systems are backed up?
• How often are backups created?
• Are backups isolated from normal admin access?
• Are backups protected from ransomware?
• When were restores last tested?
• What are the recovery time objectives for critical systems?
• What are the recovery point objectives for critical data?
• Does the company know which systems must come back first?

The phrase "we have backups" should never end the discussion.

It should start one.

Backups that have never been restored are more like wishes than controls.

10. Cyber insurance and compliance: Useful, but not a shield

Cyber insurance can be valuable. Compliance can be valuable. Certifications can be valuable.

None of them should be mistaken for security.

Insurance does not prevent incidents. Compliance does not guarantee operational resilience. Certifications may prove that a company passed a defined assessment at a point in time, not that every material risk is controlled today.

Ask:

• Is cyber insurance in place?
• What are the coverage limits, exclusions, and conditions?
• Are required controls actually implemented?
• Are regulatory and customer security obligations understood?
• Are certifications current and relevant?
• Were there audit findings, exceptions, or compensating controls?

The investor's question is not "Can this company show a certificate?"

It is: Would the controls still look good if something went wrong tomorrow?

That question changes the conversation.

Red flags that should change the deal conversation

Not every finding is material. The art of cyber due diligence is knowing the difference between hygiene issues and deal-relevant risk.

Here are red flags that deserve attention:

• No clear owner for cybersecurity
• No MFA for privileged or remote access
• Unknown or unmanaged internet-facing systems
• Critical vulnerabilities without remediation ownership
• Unsupported systems connected to important processes
• No tested backups for critical systems
• Shared administrator accounts
• Weak offboarding for employees and contractors
• No incident response plan or untested plan
• Product security not integrated into development
• Sensitive data stored without clear access controls
• Major customer security requirements not being met
• Heavy dependency on one external IT provider without oversight
• Prior incidents with no documented lessons learned
• Security roadmap that exists only as a wish list

One red flag may be manageable. A cluster of red flags tells a story.

And stories matter in investing.

They reveal whether the company is merely immature or structurally exposed. Immaturity can be fixed. Structural exposure may require money, time, leadership attention, and a change to the value creation plan.

What to request in the data room

A practical cyber DD request list should be focused. Too little information creates blind spots. Too much creates noise.

Request:

• Security organization chart or role overview
• Security policies and standards
• Asset inventory
• Network and cloud architecture diagrams
• Identity and access management overview
• List of privileged users
• Recent vulnerability scan results
• Recent penetration test reports
• Remediation trackers
• Incident response plan
• Incident history and post-incident reviews
• Backup and disaster recovery documentation
• Business continuity plans
• Cyber insurance policy summary
• Security awareness materials
• Vendor and third-party risk overview
• Customer security commitments
• Compliance reports and certifications
• Product security documentation
• Software development and deployment process
• Open-source and dependency management reports

But remember: documents are the beginning, not the answer.

The best diligence teams read documents like investigators, not librarians. They look for contradictions. A policy says access reviews happen quarterly, but no one can show the last review. A penetration test found critical issues, but the remediation tracker is empty. A cloud diagram looks clean, but external scanning shows forgotten assets.

That gap between paper and practice is where the truth usually lives.

The questions management should be able to answer

A strong management team does not need perfect answers. It needs honest, specific, operational answers.

Ask these live:

• What are your most important systems and data?
• What cyber incident would hurt the business most?
• What security risk worries you that is not yet fixed?
• What did the last penetration test or assessment change?
• Which security improvements are planned but unfunded?
• Where are you dependent on one person, one supplier, or one legacy system?
• How would you detect a compromise?
• How would you recover from ransomware?
• Which customer security requirements are hardest to meet?
• What would you fix first with a post-close security budget?

The best answer is rarely "everything is fine."

The best answer sounds more like: "Here is where we are strong, here is where we are exposed, here is what we are doing about it, and here is what we need after close."

That is the kind of management answer investors can work with.

Cyber due diligence should not punish honesty. It should punish fantasy.

The post-close question: What happens on day one?

The most common failure mode in cyber due diligence is treating the report as a closing artifact.

The deal closes. The report gets archived. Everyone moves to the next sprint, the next board pack, the next portfolio initiative. Six months later, the same risks are still there, now with compound interest.

A better approach is to turn diligence into a 100-day cyber value protection plan.

That plan should identify:

• Immediate risk-reduction actions
• Budget required
• Owners
• Dependencies
• Timeline
• Board-level reporting metrics
• Quick wins
• Structural remediation items
• Items to integrate into the broader value creation plan

Cyber risk becomes manageable when it is owned, sequenced, and measured.

The most valuable diligence output is not a beautiful report. It is a credible operating plan.

How to think about findings: price, protect, or improve

Every meaningful cyber finding should go into one of three buckets.

1. Price it. If remediation is material, urgent, or unavoidable, it may belong in the financial model or negotiation.
2. Protect against it. If the risk affects closing, customer exposure, insurance, or legal posture, it may require conditions, warranties, or immediate controls.
3. Improve it. If the issue is real but manageable, turn it into a post-close value creation initiative.

This framing keeps cyber DD out of the swamp of abstract risk.

It also helps avoid the two classic mistakes: overreacting to every technical issue, or underreacting because the issue sounds too technical.

Cyber findings are business findings wearing technical clothing.

Translate them.

A simple scoring model for deal teams

If you need a fast way to structure the conversation, score each area across three dimensions:

• Exposure — How much damage could this area create?
• Control maturity — How well is the risk managed today?
• Remediation effort — How hard, expensive, and disruptive is it to fix?

A high-exposure, low-maturity, high-effort issue is deal-relevant.

A low-exposure, low-maturity, low-effort issue is probably a post-close hygiene item.

The goal is not mathematical perfection. The goal is decision clarity.

Deal teams do not need more colors on a heatmap. They need to know what changes the investment case.

What most deal teams miss

Most cyber DD processes catch the obvious problems: no MFA, old systems, weak policies, missing documentation, outdated penetration tests.

The more interesting risks are quieter.

They live in product architecture. In supplier dependencies. In customer commitments the company cannot quite meet. In development shortcuts taken during growth. In cloud environments spun up by teams that moved faster than governance. In the difference between what management thinks is critical and what actually keeps revenue moving.

The deeper question is not "Is this company secure?"

No company is simply secure or insecure. That is too binary to be useful.

The better question is: Is this company secure enough for the strategy we are underwriting?

A business planning aggressive international growth needs different cyber maturity than a local services company. A SaaS platform selling into regulated enterprise customers needs different controls than a niche manufacturer. A buy-and-build platform needs integration-ready identity, visibility, and governance. A company preparing for exit needs a security story that can survive buyer scrutiny.

Cyber due diligence should fit the thesis.

Otherwise, it is just a checklist with better branding.

The final checklist

Before signing, make sure you can answer:

• Who owns cyber risk?
• What are the most important systems and data?
• What can the internet see?
• Who has privileged access?
• Are critical vulnerabilities found and fixed?
• Is the product itself secure enough for its market?
• Could the company detect an incident?
• Could it recover from ransomware?
• Which third parties create material dependency?
• What security obligations exist with customers, regulators, and insurers?
• What would need to be fixed in the first 100 days?
• What would remediation cost?
• Could any finding affect price, closing, insurance, customer retention, or the value creation plan?

If the answer to these questions is clear, you have useful cyber due diligence.

If the answer is vague, you have cyber uncertainty.

And uncertainty is expensive.

Closing thought: cyber DD is not about fear

The best cyber due diligence is not alarmist.

It does not try to kill deals. It does not bury investors in technical jargon. It does not pretend every missing control is a catastrophe.

It does something more useful: it makes invisible risk visible early enough to act.

That is the real value.

Because after close, cyber risk does not stay in the IT department. It becomes a board topic, a budget topic, a customer topic, a legal topic, an integration topic, and sometimes a headline.

The earlier you understand it, the more options you have.

And in private equity, optionality is a beautiful thing.

Need cyber due diligence before signing?

int[cube] helps private equity firms and investors identify cyber risks, red flags, remediation costs, and post-close priorities before they become portfolio problems.

If you need a clear, deal-relevant view of cyber risk, we can help you move fast without turning the process into theatre.

Talk to int[cube] about cyber due diligence.