The Marriott/Starwood acquisition is the textbook case. Starwood's reservation systems had been compromised since 2014; Marriott closed the deal in 2016 without discovering the active intrusion; the attackers kept their access for roughly two more years after close; up to 383 million guest records were ultimately exposed; an £18.4 million ICO penalty under GDPR, a $52 million settlement with US state attorneys general alongside an FTC order, and litigation and remediation costs followed. The UK ICO was direct in its penalty notice: Marriott had failed to carry out sufficient due diligence when it bought Starwood, and adequate diligence could have found the compromise.
Security M&A due diligence has matured from a checkbox into a risk-quantification discipline. The KRIs in this domain apply across the deal lifecycle: pre-LOI screening, confirmatory due diligence, pre-close assessment, and post-close integration tracking. They are as relevant to private equity portfolio operations as to strategic acquirers, and increasingly, PE sponsors are requiring CISO-level security assessment as part of deal approval.
If you are standing this up from scratch, start with how to build a KRI program and the consolidated KRI reference library, which maps every domain to one CIS-aligned catalog.
KRI inventory
1. Pre-Close security assessment coverage score
What to measure. Completeness of security due diligence conducted prior to deal close, measured against a defined assessment framework covering external attack surface, internal architecture review, data asset inventory, historical incident disclosure, regulatory posture, and compliance obligation inheritance.
Why it matters. Security due diligence scope is frequently compressed by deal timelines. Investment bankers and deal attorneys view security review as a cost center; founders view it as a threat to deal velocity. The result is that security assessments are often superficial: a questionnaire and a brief conversation rather than a structured risk assessment. Coverage score holds the assessment scope accountable: either you assessed the external attack surface or you didn't. Either you requested and reviewed incident history or you didn't. The post-deal risk of undiscovered security debt is directly proportional to how many assessment areas were skipped under time pressure.
| Assessment Area | What it covers |
|---|---|
| External attack surface | Internet-facing asset inventory, TLS/certificate health, exposed services, known CVEs in external footprint |
| Incident history disclosure | Last 3 years of material security incidents, breach notifications sent, regulatory inquiries |
| Regulatory and compliance posture | Data residency obligations, active regulatory matters, certification status (SOC 2, ISO 27001, etc.) |
| Data asset inventory | What PII/sensitive data is held, in what systems, subject to what obligations |
| Third-party dependencies | Key vendor security posture, single-source dependencies, TPRM maturity |
| Identity and access posture | Admin account governance, MFA enforcement, service account hygiene |
| Vulnerability posture | Internal scan results or attestation, known critical unpatched vulnerabilities |
| Security architecture | Network segmentation, cloud security posture, encryption at rest/in transit |
| Insurance coverage | Current cyber insurance terms, coverage limits, exclusions, claims history |
| Integration risk | Day-one network connectivity plan, identity federation approach, data migration security |
How to calculate. (Sum of area weights) ÷ (total assessment areas) × 100, where fully covered = 1.0, partially covered = 0.5, not covered = 0. A questionnaire answer alone counts as partial at most; full coverage means the acquirer reviewed evidence.
| Status | Criteria |
|---|---|
| Green | >90% coverage score; all high-weight areas (incident history, regulatory posture, data inventory) fully covered; external attack surface assessment completed by independent party; findings documented and shared with deal team |
| Amber | 70–90% coverage; one or more high-weight areas partially covered; timeline compression limited depth but core areas addressed; findings documented |
| Red | <70% coverage; incident history or regulatory posture not assessed; no external attack surface assessment; findings not formally documented; assessment compressed to questionnaire-only |
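As an added worked example (not code from the original page), the coverage score and the band rules above as one function. The ten area keys, the status vocabulary ("full", "partial", "none") and the two flags for an independently performed external assessment and documented findings are assumed names; the page does not define a schema.

```python
"""Added example (not from the page): KRI 1 coverage score and band.
Input shape is assumed: {area_key: "full" | "partial" | "none"} plus two
flags the bands depend on. Areas missing from the input count as not covered."""

ASSESSMENT_AREAS = [
    "external_attack_surface", "incident_history", "regulatory_posture",
    "data_inventory", "third_party", "identity_access", "vulnerability",
    "architecture", "insurance", "integration_risk",
]
HIGH_WEIGHT = {"incident_history", "regulatory_posture", "data_inventory"}
STATUS_WEIGHT = {"full": 1.0, "partial": 0.5, "none": 0.0}


def coverage_score(areas):
    """(sum of area weights) / (number of areas) * 100, per the page's weighting."""
    total = sum(STATUS_WEIGHT[areas.get(a, "none")] for a in ASSESSMENT_AREAS)
    return round(100.0 * total / len(ASSESSMENT_AREAS), 1)


def coverage_band(areas, external_independent, findings_documented):
    """Apply the Green/Amber/Red criteria. Returns (band, score)."""
    score = coverage_score(areas)
    covered = lambda a: areas.get(a, "none") != "none"
    high_full = all(areas.get(a) == "full" for a in HIGH_WEIGHT)
    if score > 90 and high_full and external_independent and findings_documented:
        return "green", score
    # Red triggers: <70%, incident history or regulatory posture skipped,
    # no external attack surface assessment at all, findings not documented.
    if (score >= 70 and covered("incident_history") and covered("regulatory_posture")
            and covered("external_attack_surface") and findings_documented):
        return "amber", score
    return "red", score


if __name__ == "__main__":
    # Constructed sample: a time-compressed diligence that skimmed TPRM and skipped insurance
    sample = {a: "full" for a in ASSESSMENT_AREAS}
    sample.update(third_party="partial", insurance="none")
    print(coverage_band(sample, external_independent=True, findings_documented=True))
```

Note that a score above 90 is necessary but not sufficient for Green: all three high-weight areas must be fully covered and the external assessment must have been done by an independent party, which is why a 100% questionnaire-driven review lands in Amber.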
2. Critical finding rate and severity distribution
What to measure. Number and severity distribution of security findings identified during due diligence, categorized by deal impact type (deal-breaker, price-affecting, post-close remediation required, informational), and tracked from identification through resolution or risk acceptance.
Why it matters. Due diligence findings without a structured severity and response framework become noise. A spreadsheet of 47 findings that aren't categorized by deal impact creates paralysis: the deal team can't assess whether the findings change the deal economics, and the security team can't get remediation commitments built into transaction documents. Critical finding rate and severity distribution create a decision framework: findings above a threshold affect deal price or require escrow/indemnification; findings below the threshold are cataloged for post-close remediation with defined timelines.
Finding classification.
- Deal-breaker (Category 1): Active compromise or unresolved breach; material misrepresentation in security representations and warranties; undisclosed regulatory enforcement action; critical unpatched vulnerabilities in systems handling regulated data with evidence of exploitation
- Price-affecting (Category 2): Significant security debt requiring immediate post-close remediation investment (>$500K); undisclosed prior incidents affecting data obligations; compliance obligations that will require material investment to maintain post-integration
- Post-close remediation (Category 3): Security control gaps that can be remediated within 12 months post-close on a defined plan; vulnerabilities without evidence of exploitation; third-party risk exposure without active incident
- Informational (Category 4): Observations that inform integration planning but don't materially affect risk posture; good-practice improvements; areas for future investment
How to calculate. Track three figures:
- Finding count per category (Category 1 through Category 4)
- Deal response coverage: (Category 1 and 2 findings with deal response defined) ÷ (total Category 1 and 2 findings) × 100
- Post-close: (Category 3 findings remediated on plan) ÷ (total Category 3 findings at close) × 100
| Status | Criteria |
|---|---|
| Green | No Category 1 findings; Category 2 findings reflected in deal terms (price, escrow, or indemnification); all findings documented with deal impact classification; remediation plan for Category 3 findings agreed pre-close |
| Amber | No Category 1 findings but Category 2 findings not fully reflected in deal terms; or Category 3 finding volume is unusually high (>20 findings), indicating broad security debt not yet sized |
| Red | Category 1 findings present; or active compromise discovered during due diligence; or Category 2 findings not disclosed to deal team; or seller has made material misrepresentations about security posture |
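As an added example (not from the original page), a classifier that applies the four category definitions to finding attributes and then computes the tracked ratios and the band. The `Finding` field names and the constructed sample findings are assumptions for illustration; the page defines the categories, not a record format.

```python
"""Added example (not from the page): classify due diligence findings into the
four deal-impact categories above and compute the tracked ratios and band.
The Finding fields are assumed attribute names, not a schema the page defines."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    title: str
    active_compromise: bool = False          # Category 1 triggers
    misrepresentation: bool = False
    undisclosed_enforcement: bool = False
    critical_unpatched: bool = False
    regulated_data: bool = False
    exploitation_evidence: bool = False
    remediation_cost_usd: int = 0            # Category 2 triggers
    undisclosed_prior_incident: bool = False
    material_compliance_investment: bool = False
    remediable_within_12m: bool = True       # Category 3 vs larger debt
    informational: bool = False              # Category 4
    deal_response: str = ""                  # "price", "escrow", "indemnification" or "" (none yet)


def classify(f):
    """Category 1 outranks 2, which outranks 4, which outranks 3 (the default)."""
    if (f.active_compromise or f.misrepresentation or f.undisclosed_enforcement
            or (f.critical_unpatched and f.regulated_data and f.exploitation_evidence)):
        return 1
    if (f.remediation_cost_usd > 500_000 or f.undisclosed_prior_incident
            or f.material_compliance_investment):
        return 2
    if f.informational:
        return 4
    if f.remediable_within_12m:
        return 3
    # Assumption: a gap that cannot be closed within 12 months on a plan is
    # security debt that belongs in the deal terms, so escalate it to Category 2.
    return 2


def severity_report(findings, cat3_plan_agreed):
    """Counts per category, deal-response coverage for Categories 1-2, and the band."""
    cats = {f.id: classify(f) for f in findings}
    counts = Counter(cats.values())
    deal_relevant = [f for f in findings if cats[f.id] in (1, 2)]
    responded = [f for f in deal_relevant if f.deal_response]
    rate = 100.0 * len(responded) / len(deal_relevant) if deal_relevant else 100.0
    if counts[1]:
        band = "red"      # any deal-breaker present
    elif rate < 100.0 or counts[3] > 20 or not cat3_plan_agreed:
        band = "amber"    # Category 2 not priced in, or Category 3 debt not yet sized/planned
    else:
        band = "green"
    return {"categories": cats,
            "category_counts": {c: counts[c] for c in (1, 2, 3, 4)},
            "deal_response_rate": round(rate, 1),
            "band": band}


# Constructed sample findings (illustrative, not from any real diligence)
SAMPLE = [
    Finding("F-1", "VPN appliance with exploited critical CVE fronting customer PII",
            critical_unpatched=True, regulated_data=True, exploitation_evidence=True),
    Finding("F-2", "Logging and SIEM rebuild needed post-close",
            remediation_cost_usd=750_000, deal_response="escrow"),
    Finding("F-3", "MFA not enforced on domain admin accounts"),
    Finding("F-4", "Password policy document out of date", informational=True),
]

if __name__ == "__main__":
    print(severity_report(SAMPLE, cat3_plan_agreed=True))
```

The ordering in `classify` matters: an informational observation is checked before the Category 3 default, and a Category 1 trigger wins even when a finding also has a price tag, so a finding never gets a cheaper category because it happens to match a lower rule first.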
3. Inherited regulatory and data obligation exposure score
What to measure. The scope and complexity of regulatory and data protection obligations inherited through the acquisition, including active regulatory matters, pending breach notifications, data subject rights obligations, cross-border data transfer exposure, and the delta between acquirer and target regulatory posture.
Why it matters. Regulatory and data obligations don't stay behind with the company being acquired; they transfer to the acquirer. A US-headquartered acquirer purchasing a European SaaS company inherits GDPR controller obligations for all personal data that company holds. A healthcare company acquiring a medical device startup inherits HIPAA business associate obligations for all of its covered-entity integrations. An acquirer purchasing a company with an undisclosed breach inherits the regulatory notification clock, and if the breach has already run past the 72-hour GDPR window for notifying the supervisory authority or the 60-day HIPAA breach notification window, the acquirer inherits the violation. Understanding the inherited regulatory obligation stack is foundational to quantifying deal risk.
- Legal due diligence disclosure schedules: active regulatory inquiries, enforcement actions, breach notifications in progress, pending litigation with security/privacy nexus
- Privacy program review: GDPR Article 30 Record of Processing Activities (ROPA) completeness; DPIA coverage for high-risk processing; cross-border transfer mechanisms in place (SCCs, BCRs, adequacy decisions)
- Certification and attestation review: SOC 2 report (read the exceptions section, not just the opinion); ISO 27001 certificate scope and surveillance audit findings; PCI DSS Attestation of Compliance scope
- Data residency mapping: where does target's data physically reside? Does this create new residency obligations post-acquisition?
- State privacy law inventory: CCPA/CPRA, VCDPA, CPA, and other state law applicability based on data subject population
- Breach notification status: any breach currently in notification window? Any breach for which notification was required but not sent?
| Obligation Type | Exposure Level | Weighting |
|---|---|---|
| Active regulatory enforcement | High | 3x |
| Undisclosed breach in notification window | High | 3x |
| GDPR controller obligations + inadequate ROPA | Medium-High | 2x |
| Cross-border transfers without valid mechanism | Medium-High | 2x |
| Certification scope gaps (SOC 2 exceptions) | Medium | 1.5x |
| State privacy law obligations requiring remediation | Medium | 1.5x |
| PCI DSS scope inheritance | Medium | 1.5x |
| HIPAA BAA inheritance | High (if applicable) | 2x |
| Status | Criteria |
|---|---|
| Green | No active regulatory matters; no breach in notification window; regulatory obligation stack mapped and quantified; acquirer regulatory posture can absorb inherited obligations without material new program investment; indemnification coverage for pre-close regulatory events secured |
| Amber | Minor regulatory matters disclosed with known exposure; one or two certifications with exceptions requiring remediation; regulatory delta between acquirer and target quantified and remediation budgeted |
| Red | Active enforcement action not disclosed; breach in notification window; material undisclosed GDPR/HIPAA exposure; cross-border transfers without valid mechanism involving large data subject populations; indemnification insufficient to cover identified exposure |
4. External attack surface risk score (Pre-Close)
What to measure. Risk posture of the target's externally visible attack surface at point of due diligence, including internet-facing asset inventory completeness, critical vulnerability exposure in external footprint, TLS/certificate health, exposed administrative interfaces, and third-party supply chain visibility.
Why it matters. The target's external attack surface is the most objective, independently verifiable element of the security due diligence. Unlike internal assessments that depend on the seller granting access, external attack surface assessment can be conducted without seller cooperation and serves as an independent ground truth for the target's security investment level. A company with a clean external attack surface, current certificates, no critical CVEs in external footprint, and no exposed admin interfaces has made meaningful security investments regardless of what their questionnaire says. A company with expired certificates, legacy VPN appliances running unpatched software, and exposed management interfaces is telling you something more important than any policy document.
- External attack surface management platforms (Censys, Shodan, Tenable ASM, CyCognito, Axonius): internet-facing asset discovery, certificate status, port and service enumeration, technology fingerprinting
- Vulnerability intelligence: cross-referencing discovered technology versions against CVE databases (NVD, CISA KEV), particularly relevant for internet-facing VPN appliances, web servers, remote access tools
- SSL Labs / testssl.sh: TLS configuration quality across all HTTPS-facing services
- SecurityScorecard / BitSight: externally-derived security rating as a quick pre-LOI signal (supplement, not substitute, for assessment)
- Exposed credential check: credential stuffing lists that include target domain email addresses; dark web exposure of target employee credentials
- DNS and certificate transparency: subdomain enumeration, historical certificate issuance, shadow IT discovery through CT logs
| Finding | Risk Weight |
|---|---|
| Active exploitation of CVE in external asset (KEV-listed) | Critical |
| Critical CVE (CVSS 9.0+) in internet-facing system | High |
| Exposed administrative interface (RDP, SSH, admin panels) | High |
| Unpatched VPN/remote access appliance | High |
| Expired or mis-issued TLS certificates on production services | Medium |
| TLS 1.0/1.1 in use on production services | Medium |
| Known malicious IP in hosting infrastructure | Medium |
| Unregistered high-value subdomains (takeover risk) | Medium |
| High-severity CVE (7.0–8.9) in external footprint | Medium |
| No SPF/DKIM/DMARC, or DMARC published at p=none (BEC enabler) | Medium |
| Status | Criteria |
|---|---|
| Green | No Critical or High findings; all TLS configurations current; no exposed administrative interfaces; no known malicious infrastructure; DMARC at enforcement; external attack surface consistent with stated security investment |
| Amber | One or more High findings (no Critical); some TLS issues; DMARC not at enforcement; external attack surface broader than expected but manageable |
| Red | Critical findings present (active exploitation or KEV-listed CVEs); exposed RDP or administrative interfaces; active malicious indicators; external attack surface inconsistent with claimed security posture (indicating questionnaire misrepresentation) |
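As an added example (not from the original page), the risk-weight table and the band rules above applied to a normalized external attack surface inventory of the kind an ASM platform exports. The inventory records, the KEV set, the IP blocklist and the identifier `CVE-0000-0001` are constructed placeholders, not real hosts, vulnerabilities or feeds; in practice the KEV set comes from the CISA catalog and the blocklist from a threat-intelligence feed.

```python
"""Added example (not from the page): score a normalized external attack
surface inventory against the risk-weight table above and assign a band.
Inventory records, the KEV set, the IP blocklist and the CVE identifiers
are constructed placeholders, not real vulnerabilities or hosts."""
from collections import Counter

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
ADMIN_PATHS = ("/admin", "/manager/html", "/phpmyadmin")
LEGACY_TLS = {"TLSv1", "TLSv1.1"}


def score_surface(inventory, kev_ids, malicious_ips, dmarc_policy):
    """Returns band, severity counts and the individual (severity, kind, detail) findings."""
    findings = []
    for svc in inventory:
        where = f"{svc['host']}:{svc['port']}"
        for cve in svc.get("cves", []):
            if cve["id"] in kev_ids:
                findings.append(("Critical", "kev", f"{cve['id']} on {where}"))
            elif cve["cvss"] >= 9.0:
                findings.append(("High", "critical_cve", f"{cve['id']} on {where}"))
            elif cve["cvss"] >= 7.0:
                findings.append(("Medium", "high_cve", f"{cve['id']} on {where}"))
        if svc["port"] in ADMIN_PORTS or any(p in svc.get("paths", ()) for p in ADMIN_PATHS):
            findings.append(("High", "admin_exposed", where))
        if "vpn" in svc.get("tags", ()) and svc.get("cves"):
            findings.append(("High", "vpn_unpatched", where))
        if svc.get("cert_expired"):
            findings.append(("Medium", "cert", where))
        if LEGACY_TLS & set(svc.get("tls", ())):
            findings.append(("Medium", "tls_legacy", where))
        if svc.get("ip") in malicious_ips:
            findings.append(("Medium", "malicious_ip", f"{svc['ip']} hosts {where}"))
        if svc.get("dangling_cname"):
            findings.append(("Medium", "takeover", where))
    if dmarc_policy not in ("quarantine", "reject"):
        findings.append(("Medium", "dmarc", f"DMARC policy is {dmarc_policy or 'absent'}"))

    sev = Counter(s for s, _, _ in findings)
    kinds = {k for _, k, _ in findings}
    # Band rules from the status table: exposed admin interfaces and malicious
    # infrastructure are Red even though the weight table rates them High/Medium.
    if sev["Critical"] or kinds & {"admin_exposed", "malicious_ip"}:
        band = "red"
    elif sev["High"] or kinds & {"cert", "tls_legacy", "dmarc"}:
        band = "amber"
    else:
        band = "green"
    return {"band": band, "counts": dict(sev), "findings": findings}


# Constructed sample: the shape a normalized ASM export might take
SAMPLE_INVENTORY = [
    {"host": "vpn.target.example", "ip": "203.0.113.10", "port": 443, "tags": ["vpn"],
     "cves": [{"id": "CVE-0000-0001", "cvss": 9.8}], "tls": ["TLSv1.2", "TLSv1.3"]},
    {"host": "www.target.example", "ip": "203.0.113.20", "port": 443,
     "tls": ["TLSv1", "TLSv1.2"], "cert_expired": True},
    {"host": "legacy.target.example", "ip": "203.0.113.30", "port": 3389, "tls": []},
    {"host": "old-app.target.example", "ip": None, "port": 443, "dangling_cname": True},
]
SAMPLE_KEV = {"CVE-0000-0001"}        # placeholder id, stands in for the CISA KEV catalog
SAMPLE_BLOCKLIST = {"203.0.113.30"}    # placeholder, stands in for a threat-intel feed

if __name__ == "__main__":
    print(score_surface(SAMPLE_INVENTORY, SAMPLE_KEV, SAMPLE_BLOCKLIST, dmarc_policy="none"))
```

A VPN appliance carrying a KEV-listed CVE produces both a Critical (KEV) and a High (unpatched remote access appliance) finding; that double count is deliberate, since the table weights the two conditions separately and both go into the deal record.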
5. Security integration readiness score
What to measure. Preparedness for executing the day-one security integration plan, including network segregation prior to connectivity establishment, identity integration approach, data security controls for migrating data between environments, and the post-close security milestone roadmap.
Why it matters. Integration is where most M&A security risk materializes. Day-one network connectivity established without proper segmentation creates an immediate blast-radius problem: a compromised target network that is directly connected to the acquirer's network gives attackers a bridge into the acquirer's environment. Identity federation done poorly creates privilege escalation paths. Data migration without encryption or access logging creates compliance exposure. The 2017 NotPetya outbreak, which devastated Maersk, Merck and FedEx's TNT Express (acquired by FedEx in 2016 and still being integrated), entered through a poisoned update of Ukrainian accounting software and then spread laterally wherever corporate networks were flat. None of those companies intended to have flat connectivity to their Ukrainian operations; it was the residue of incomplete segmentation and integration.
Network connectivity (Day 1).
- Is connectivity between environments established through a controlled DMZ/segmented zone, or direct peering?
- Are firewall rules for the integration connection reviewed and approved before go-live?
- Is network monitoring/IDS in place on integration points?
Identity integration (Week 1–4).
- Is the identity federation approach defined? (Separate directories with controlled trust, or full merge?)
- Are admin accounts in the target environment placed under acquirer PAM control before connectivity?
- Is the service account inventory of the target documented and reviewed?
Data migration security.
- Is data migrated over encrypted channels with access logging?
- Is sensitive data (PII, IP, financial) migrated with documented chain of custody?
- Are regulatory obligations for data residency maintained during migration?
Post-close remediation milestones.
- Are Category 3 findings from due diligence translated into a remediation plan with dates and owners?
- Is the integration security milestone roadmap approved by acquirer CISO?
- Is integration security reviewed at 30/60/90-day intervals?
How to calculate. (Integration readiness elements confirmed complete) ÷ (total elements) × 100. Track pre-close readiness (planning) and post-close execution (milestone completion rate) separately.
| Status | Criteria |
|---|---|
| Green | >90% of readiness elements confirmed; day-one network connectivity plan reviewed and approved by security; PAM control established over target admin accounts before connectivity; data migration plan documented with security controls; 30/60/90-day integration security review schedule confirmed |
| Amber | 70–90% of elements; day-one plan exists but not fully reviewed; some admin account governance outstanding at go-live; data migration security partially documented |
| Red | <70% of elements; day-one connectivity established without security review; no PAM control over target admin accounts; no integration security milestone plan; integration has proceeded without security sign-off |
6. Post-Close security debt remediation rate
What to measure. Progress against the agreed-upon remediation plan for security findings identified in due diligence, tracking Category 2 and 3 findings from identification through confirmed remediation, with milestone adherence and budget consumption.
Why it matters. Due diligence findings that aren't tracked through to remediation are meaningless. The acquisition closes, the deal team moves on, and the security findings document sits in a data room folder. Six months later, the compromised credential that was a Category 3 finding becomes the initial access vector for a ransomware attack. Post-close remediation tracking converts due diligence findings into an operational program, with owners, timelines, milestone tracking, and escalation paths when milestones are missed.
- Integration security project tracker: finding ID → owner → target remediation date → status → completion evidence
- Vulnerability management platform: findings from pre-close assessment loaded as tracked items with integration tags
- Security milestone reviews (30/60/90/180-day): structured reviews against integration security milestones
- Budget tracking: remediation budget allocated at close vs. actuals; are security investments tracking to the plan that justified the deal economics?
- Escalation log: findings that have missed milestone dates and required escalation to deal sponsor or integration management office (IMO)
How to calculate. (Category 2 and 3 findings remediated on schedule) ÷ (total Category 2 and 3 findings with due dates passed) × 100. Track alongside it: on-time completion rate, past-due finding count, and findings with no owner assigned.
| Status | Criteria |
|---|---|
| Green | >85% of findings remediated on schedule; no Category 2 findings past due; escalation process active for at-risk items; 30/60/90-day milestone reviews completed; remediation budget within 20% of plan |
| Amber | 70–85% on schedule; or one Category 2 finding past due with escalation; or milestone reviews not completed on schedule; or budget variance >20% |
| Red | <70% on schedule; or Category 2 findings materially past due with no escalation; or remediation program has stalled; or a security incident has occurred that is attributable to an unresolved due diligence finding |
M&A security assessment by deal phase
Phase 1: Pre-LOI Screening (Days 1–5)
Objective. Identify deal-breaker signals before significant deal investment. Conducted using open-source intelligence and publicly available data only.
```bash
# SecurityScorecard rating for the target domain (API key required)
curl -s -H "Authorization: Token $SSC_TOKEN" "https://api.securityscorecard.io/companies/targetcompany.com"
# Shodan: hosts and services indexed under the target's hostname
curl -s "https://api.shodan.io/shodan/host/search?key=$SHODAN_KEY&query=hostname:targetcompany.com"
# Certificate transparency: how many certificates have been issued? (%25 is the URL-encoded % wildcard crt.sh expects)
curl -s "https://crt.sh/?q=%25.targetcompany.com&output=json" | jq 'length'
# HIBP breaches that include the target's email domain (key and prior domain verification required; a User-Agent header is mandatory)
curl -s "https://haveibeenpwned.com/api/v3/breacheddomain/targetcompany.com" \
  -H "hibp-api-key: $HIBP_KEY" -H "user-agent: ma-screening"
# Email authentication: DMARC policy (look for p=quarantine or p=reject) and SPF record
dig +short txt _dmarc.targetcompany.com
dig +short txt targetcompany.com | grep -i 'v=spf1'
```
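The commands above return raw records. As an added example (not from the original page), here is how those outputs can be turned into pre-LOI signals offline: DMARC enforcement (policy and `pct`), the SPF `all` qualifier, and the unique hostnames in the crt.sh JSON, with names that appear only on expired certificates split out as candidates for forgotten infrastructure. The TXT records, the crt.sh entries and the `_spf.mail.example` include are constructed samples.

```python
"""Added example (not from the page): turn the raw output of the Phase 1
commands into screening signals. The TXT records and crt.sh entries below
are constructed samples in the shape `dig +short txt` and crt.sh return."""
import json
from datetime import datetime


def _tags(txt):
    """Parse a 'k=v; k=v' tag list (DMARC syntax) into a dict."""
    out = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def dmarc_signal(txt):
    """DMARC is only 'at enforcement' with p=quarantine/reject applied to 100% of mail."""
    if not txt or not txt.strip().strip('"').lower().startswith("v=dmarc1"):
        return {"present": False, "policy": None, "pct": 0, "enforcing": False}
    t = _tags(txt)
    policy, pct = t.get("p", "none").lower(), int(t.get("pct", "100"))
    return {"present": True, "policy": policy, "pct": pct,
            "enforcing": policy in ("quarantine", "reject") and pct == 100}


def spf_signal(txt):
    """Report the 'all' qualifier (- fail, ~ softfail, ? neutral, + pass-everything) and includes."""
    if not txt or not txt.strip().strip('"').lower().startswith("v=spf1"):
        return {"present": False, "all": None, "includes": []}
    all_q, includes = None, []
    for term in txt.strip().strip('"').split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_q = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
        elif term.lower().startswith("include:"):
            includes.append(term.split(":", 1)[1])
    return {"present": True, "all": all_q, "includes": includes}


def crtsh_hostnames(raw_json, today):
    """Unique SAN names from crt.sh JSON (name_value is newline-separated); names seen
    only on expired certificates are the shadow-IT / takeover follow-up list."""
    live, expired = set(), set()
    for entry in json.loads(raw_json):
        bucket = live if datetime.fromisoformat(entry["not_after"]) >= today else expired
        for name in entry["name_value"].split("\n"):
            if name.strip():
                bucket.add(name.strip().lower())
    return {"hosts": sorted(live | expired), "expired_only": sorted(expired - live)}


def screen(dmarc_txt, spf_txt, crtsh_json, today):
    d, s, c = dmarc_signal(dmarc_txt), spf_signal(spf_txt), crtsh_hostnames(crtsh_json, today)
    bec_exposed = not d["enforcing"] or not s["present"] or s["all"] in (None, "+", "?")
    return {"dmarc": d, "spf": s, "ct": c, "bec_exposed": bec_exposed}


# Constructed samples
DMARC_TXT = '"v=DMARC1; p=none; rua=mailto:dmarc@targetcompany.com"'
SPF_TXT = '"v=spf1 include:_spf.mail.example ~all"'
CRTSH_JSON = json.dumps([
    {"name_value": "www.targetcompany.com\n*.targetcompany.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "staging-old.targetcompany.com", "not_after": "2023-01-01T00:00:00"},
    {"name_value": "vpn.targetcompany.com", "not_after": "2025-06-01T00:00:00"},
])


def screen_sample():
    """Run the screen over the constructed samples as of a fixed date."""
    return screen(DMARC_TXT, SPF_TXT, CRTSH_JSON, datetime(2025, 1, 1))


if __name__ == "__main__":
    print(screen_sample())
```

Two caveats the raw commands hide: a DMARC record with `p=quarantine; pct=10` is not at enforcement for 90% of mail, and the crt.sh count alone says nothing; the names that only ever appeared on now-expired certificates are the ones worth resolving to see whether they still point at something.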
Phase 2: Confirmatory Due Diligence (Weeks 2–6)
Objective. Full assessment with seller cooperation. Access to internal documentation, systems, and personnel.
Security Due Diligence Document Request - Confidential
1. Security incident history (last 36 months): incident reports, root cause analyses, breach notifications sent
2. Penetration test results (last 24 months): scope, findings, remediation status
3. Vulnerability scan results (last 90 days): internal and external, critical and high findings
4. Security policy framework: current policies and last review dates
5. SOC 2 Type II report (including the exceptions section) and/or ISO 27001 certificate with scope statement and latest surveillance audit findings
6. Cyber insurance policy: declarations page, coverage limits, exclusions, claims history
7. Regulatory matters: active inquiries, enforcement actions, breach notifications in progress
8. Data processing map / ROPA: systems containing PII, data categories, processing purposes, third-party data sharing
9. Third-party risk documentation: vendor inventory, assessment results for critical vendors
10. Network architecture diagram: current state, cloud accounts and regions, on-prem/cloud segmentation
11. Identity architecture: directory services, privileged accounts, service accounts, MFA enforcement rate
12. HR security: background check policy, security training completion rates, offboarding process
Phase 3: Pre-Close Assessment (Days -30 to -1)
Objective. Confirm no material changes since confirmatory due diligence; finalize integration day-one security plan.
```bash
# EDGAR full-text search for 8-K cybersecurity incident disclosures (Item 1.05 has been
# mandatory for material incidents since December 2023). Only SEC registrants appear here;
# a private target will not. SEC requires a declared User-Agent on EDGAR requests.
curl -s -A "acquirer-diligence contact@example.com" \
  "https://efts.sec.gov/LATEST/search-index?q=%22cybersecurity+incident%22&forms=8-K&dateRange=custom&startdt=2024-01-01&entity=targetcompany"
```
Phase 4: Post-Close Integration Tracking
```powershell
# Assumed CSV columns (not shown on the page): FindingID, Category, Owner, TargetDate, Status
$today    = Get-Date
$findings = @(Import-Csv "ma-security-findings.csv" | Where-Object { $_.Category -in @("2", "3") })
# KRI denominator: findings whose target date has already passed
$due        = @($findings | Where-Object { [DateTime]$_.TargetDate -lt $today })
$pastDue    = @($due | Where-Object { $_.Status -ne "Remediated" })
$onSchedule = $due.Count - $pastDue.Count
# (remediated on schedule) / (findings past due date); undefined until something is due
$rate = if ($due.Count -gt 0) { [math]::Round(100 * $onSchedule / $due.Count, 1) } else { $null }
$report = [ordered]@{
    TotalFindings  = $findings.Count
    Remediated     = @($findings | Where-Object { $_.Status -eq "Remediated" }).Count
    OnTrack        = @($findings | Where-Object { $_.Status -ne "Remediated" -and [DateTime]$_.TargetDate -ge $today }).Count
    PastDue        = $pastDue.Count
    PastDueCat2    = @($pastDue | Where-Object { $_.Category -eq "2" }).Count   # any value here is Amber at best
    NoOwner        = @($findings | Where-Object { -not $_.Owner }).Count
    OnScheduleRate = $rate
}
$report | ConvertTo-Json
```
Draxis turns these KRIs into a live signal
Draxis connects to the tools you already run (external attack surface tooling, due diligence findings, and integration trackers) and computes these M&A security KRIs automatically, with the green/amber/red bands, trend lines, and drift alerts described above. No spreadsheets, no manual stitching.
See how Draxis reads your stack →