Cybersecurity Diligence Prep: What Buyers Flag and How to Get Ready Before the Process

Buyers routinely hire a third-party cybersecurity firm to assess your environment during diligence. This guide covers what they actually look for — SOC 2 status, MFA coverage, incident response documentation, access controls, and the specific gaps that trigger escrow holdbacks or purchase price adjustments in middle market deals.

Best for: founders preparing for a sale; M&A advisors and bankers; CFOs running diligence.

Key takeaways

  • Buyers routinely engage a third-party cybersecurity firm during diligence; your security posture will be assessed, not self-reported.
  • SOC 2 Type I takes 2–3 months and costs $15K–$40K; SOC 2 Type II takes 6–12 months and costs $30K–$80K. Start before the process starts.
  • Basic cyber hygiene for a $15M–$75M business means MFA everywhere, documented incident response, endpoint protection, and a recurring access review, not enterprise security infrastructure.

In this article

  1. Why cybersecurity diligence is now standard
  2. What buyers assess: the seven cybersecurity diligence areas
  3. Incident history: what buyers want to know
  4. Basic cyber hygiene for a $15M–$75M business
  5. SOC 2: timeline, cost, and when it matters
  6. The insurance angle: buyers increasingly require cyber coverage
  7. Regulatory gap checklist: what applies to your business
  8. Remediation cost estimation: what pre-sale cybersecurity readiness costs
  9. What buyers test in cybersecurity diligence, and how to prepare
  10. Common cybersecurity diligence mistakes

Why cybersecurity diligence is now standard

Cybersecurity was once a diligence category reserved for technology companies and regulated industries. That is no longer true. Buyers across every sector now conduct at least a basic cybersecurity assessment in transactions above $10M, and in many transactions above $5M. The reason is cost: a post-close breach that traces to pre-close security posture is expensive to remediate and creates significant post-close liability.

The cybersecurity diligence workstream typically involves a third-party security firm engaged by the buyer, not the seller. That firm is not working from your self-assessment. They are reviewing your actual environment: access logs, MFA enrollment data, endpoint protection coverage, vendor questionnaire responses, and any prior audit findings.

Research finding
IBM Cost of a Data Breach Report 2024

The average cost of a data breach for companies under $1B in revenue is $3.31M. For companies in the lower middle market ($10M–$75M revenue), the average breach cost represents 8–15% of annual revenue, a figure that buyers price into their risk model.

Buyers are not asking whether you have been breached. They are asking whether you have the controls in place to detect, contain, and respond to a breach. "We've never been hacked" answers the first question, not the second. The absence of a known breach does not indicate a strong security posture. It may indicate that a breach occurred and was not detected.

What buyers assess: the seven cybersecurity diligence areas

A cybersecurity diligence review in the middle market covers seven areas. The depth of review depends on the buyer's risk appetite, the industry, and the transaction size.

Cybersecurity Diligence Coverage Framework

Assessment area | What is reviewed | Common issues found
Incident history | Past breaches, ransomware events, phishing compromises; how they were handled and disclosed | Undisclosed incidents; incidents handled informally with no documentation; no IR plan
Data handling practices | Where customer data lives; who has access; how it is protected in transit and at rest | Customer data in unsecured spreadsheets; no encryption at rest; broad access rights
Access controls | MFA enforcement rate; password policy; privileged access management; offboarding process | No MFA on email or cloud systems; shared admin credentials; terminated employees with active accounts
Endpoint protection | Antivirus and EDR coverage; device management (MDM); BYOD policy | Gaps in endpoint coverage; no MDM; personal devices accessing company systems without policy
Certification and audit status | SOC 2, ISO 27001, HIPAA, PCI DSS, whichever applies to the business | No certifications or audit reports despite customer or regulatory requirements; lapsed certifications
Penetration test history | When last conducted; scope; findings; remediation status | No pen test history; known findings not remediated; pen tests scoped too narrowly
Vendor security assessments | Third-party vendors with access to company data; their security posture | No vendor questionnaire process; critical vendors with no security review

$3.31M: average cost of a data breach for companies under $1B in revenue (IBM 2024)

8–15%: typical breach cost as a percentage of annual revenue for lower middle market companies

52%: share of middle market businesses that do not have a documented incident response plan (Ponemon Institute)

Incident history: what buyers want to know

Every buyer's security questionnaire will ask about incident history. The question is not just "have you been breached?" but "how did you find out, what did you do, and what did you change as a result?"

The worst answer is a denial followed by the discovery of an undisclosed incident. Buyers engage security firms who can often find evidence of past incidents through log analysis, dark web monitoring, and breach database checks. If a breach is discoverable and was not disclosed, the seller has a much larger problem than a security gap.

The right approach: before the process starts, conduct an internal incident history review. Identify any security events (ransomware, phishing compromises, unauthorized access, data exfiltration), regardless of whether they were reported externally. Document how each was handled. If incidents were not documented at the time, reconstruct the record from email and system logs, and do it early: cloud audit logs in Microsoft 365 and Google Workspace are retained for a limited period by default, so export what still exists before it ages out.

Illustrative example: a $28M professional services firm disclosed two prior phishing incidents that had been resolved internally. The buyer's security firm reviewed the remediation steps and concluded they were adequate. The incidents were noted but did not affect purchase price. Another firm in a comparable process disclosed nothing; the buyer's security firm identified a prior ransomware event through log analysis, and the deal was restructured with a $500K security remediation escrow.

Research finding
Ponemon Institute on Incident Response

Companies with a documented incident response plan contain breaches 74 days faster on average than companies without one, and the average cost difference is $1.49M per incident. Buyers know this data and price the absence of an IR plan accordingly.


Basic cyber hygiene for a $15M–$75M business

A $15M–$75M business does not need enterprise security infrastructure. It needs the foundational controls that prevent the most common attack vectors and demonstrate a minimum standard of care to diligence reviewers.

Step 1: MFA everywhere. Enforce multi-factor authentication on email (Microsoft 365, Google Workspace), cloud systems (ERP, CRM, banking), VPN, and any system accessible from the internet. Enforce it by policy (Conditional Access or security defaults in Microsoft 365; 2-Step Verification enforcement in the Google Workspace admin console) rather than by per-user opt-in, and disable legacy authentication protocols such as basic-auth IMAP, POP and SMTP, which bypass MFA entirely.

Step 2: Endpoint protection. Deploy an EDR tool (CrowdStrike Falcon Go, SentinelOne, or Microsoft Defender for Business) on every company-owned device; document the coverage rate with the asset inventory as the denominator, not the EDR console, since a device that never received a sensor does not appear in the console.

Step 3: Access review. Quarterly review of who has access to what; same-day revocation of access for terminated employees; elimination of shared credentials on critical systems, with each admin holding an individual account.

Step 4: Documented incident response plan. A 2-page document covering who to call, what to do in the first 24 hours, when to notify customers and regulators, and how to preserve evidence.

Step 5: Backup and recovery. Documented backup schedule; tested recovery process (test at least annually); off-site or cloud backup for critical systems, with at least one copy that a compromised admin account cannot delete or encrypt.

Step 6: Vendor security review. Simple questionnaire for vendors with access to company data; retain responses on file.

The cost of implementing these controls for a company that has not done so: typically $15,000–$40,000 in tools, services, and internal time. The cost of a breach that exploits gaps in any one of these areas: typically $500,000–$3,000,000. The cost of a purchase price adjustment for documented cybersecurity gaps: typically $150,000–$750,000.

MFA enforcement is the single highest-leverage security control for a middle market business. It prevents an estimated 99% of automated credential attacks and significantly reduces the blast radius of phishing compromises. If you implement nothing else before a sale process, enforce MFA on every system with internet access. The cost is effectively zero if you are already using Microsoft 365 or Google Workspace, and it is a configuration change, not a purchase.
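
Steps 1 through 3 above become a measurable audit once you pull the exports. The script below is an added example, not code from this page or from any vendor console: it joins a constructed IdP user export, HR roster, asset inventory and EDR sensor list (all rows are constructed, and the column names are assumptions; map your Entra ID or Google Workspace, HR and EDR exports onto them) and returns the MFA enforcement rate, the EDR coverage rate, terminated employees whose accounts are still enabled (with the number of days they have stayed active past termination), admin accounts without MFA, and admin accounts that do not map to a named person in HR, which is the usual signature of a shared credential.

```python
"""Access-review audit over exported identity, HR and endpoint data.

Added example, not code from the page or from any vendor. Every row below is
constructed, and the column names are assumptions: map the user export from your
IdP (Entra ID, Google Workspace), the HR roster and the EDR console onto them.
"""
import csv
import io
from datetime import date

# Constructed IdP user export. "enabled" means the account can still sign in.
IDP_USERS = """upn,enabled,mfa_registered,is_admin,last_sign_in
alice@example.com,true,true,true,2024-05-02
bob@example.com,true,false,false,2024-05-01
carol@example.com,true,true,false,2024-04-28
dave@example.com,true,false,true,2024-04-30
itadmin@example.com,true,true,true,2024-05-02
erin@example.com,false,false,false,2023-11-10
"""

# Constructed HR roster. termination_date is blank for active staff.
HR_ROSTER = """email,status,termination_date
alice@example.com,active,
bob@example.com,active,
carol@example.com,active,
dave@example.com,terminated,2024-03-15
erin@example.com,terminated,2023-11-09
"""

# Constructed asset inventory: the denominator for endpoint coverage.
ASSET_INVENTORY = """hostname,owner
LT-ALICE,alice@example.com
LT-BOB,bob@example.com
LT-CAROL,carol@example.com
LT-DAVE,dave@example.com
"""

# Constructed EDR console export. A missing host or a non-healthy sensor is a gap.
EDR_SENSORS = """hostname,sensor_status
LT-ALICE,healthy
LT-BOB,healthy
LT-DAVE,stale
"""


def load(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 100.0


def audit_access(idp_csv=IDP_USERS, hr_csv=HR_ROSTER, assets_csv=ASSET_INVENTORY,
                 edr_csv=EDR_SENSORS, as_of=date(2024, 5, 3)):
    """Return the posture metrics and the findings a diligence reviewer would flag."""
    users = load(idp_csv)
    hr = {r["email"].lower(): r for r in load(hr_csv)}
    assets = load(assets_csv)
    sensors = {r["hostname"]: r["sensor_status"].lower() for r in load(edr_csv)}

    # MFA is measured over accounts that can actually sign in; disabled accounts
    # would otherwise skew the rate depending on how they were left behind.
    enabled = [u for u in users if truthy(u["enabled"])]
    admins = [u for u in enabled if truthy(u["is_admin"])]
    no_mfa = sorted(u["upn"] for u in enabled if not truthy(u["mfa_registered"]))

    # Offboarding gap: HR says terminated, the IdP says the account is still enabled.
    terminated_active = []
    for u in enabled:
        rec = hr.get(u["upn"].lower())
        if rec and rec["status"].lower() == "terminated":
            days = (as_of - date.fromisoformat(rec["termination_date"])).days
            terminated_active.append({"upn": u["upn"],
                                      "days_active_after_termination": days,
                                      "is_admin": truthy(u["is_admin"])})

    # An admin account that is not a named person in HR is, in practice, a
    # shared or generic credential: nobody is individually accountable for it.
    unattributed_admins = sorted(u["upn"] for u in admins if u["upn"].lower() not in hr)
    admins_without_mfa = sorted(u["upn"] for u in admins if not truthy(u["mfa_registered"]))

    # Coverage uses the asset inventory as the denominator: a laptop that never
    # received a sensor does not appear in the EDR console at all.
    uncovered = sorted(a["hostname"] for a in assets
                       if sensors.get(a["hostname"]) != "healthy")

    return {
        "mfa_enforcement_rate_pct": pct(len(enabled) - len(no_mfa), len(enabled)),
        "users_without_mfa": no_mfa,
        "admins_without_mfa": admins_without_mfa,
        "unattributed_admin_accounts": unattributed_admins,
        "terminated_with_active_accounts": terminated_active,
        "edr_coverage_rate_pct": pct(len(assets) - len(uncovered), len(assets)),
        "endpoints_without_healthy_edr": uncovered,
    }


if __name__ == "__main__":
    for key, value in audit_access().items():
        print(f"{key}: {value}")
```

The denominators are the point. The MFA rate is computed over enabled accounts only, and endpoint coverage over the asset list rather than over whatever the EDR console happens to know about; a reviewer who recomputes the numbers from raw exports will use the same denominators, so a summary built any other way will not survive diligence. On the constructed data the output is a 60% MFA rate, 50% healthy-EDR coverage, one terminated admin still enabled 49 days after leaving, and one admin account with no HR owner.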

SOC 2: timeline, cost, and when it matters

SOC 2 is an attestation framework developed by the AICPA, not a certification: a CPA firm examines a company's controls against the Trust Services Criteria, which cover five categories (security, availability, processing integrity, confidentiality, and privacy), and issues a report rather than a certificate. Security is mandatory in every SOC 2 report; the other four categories are optional, and in the middle market security is the primary focus for most companies.

SOC 2 has two types. Type I is a point-in-time assessment: the auditor reviews whether your controls are designed correctly. Type II is a period-of-time assessment: the auditor reviews whether your controls operated effectively over an observation period, typically 6–12 months.

SOC 2 Type I vs. Type II Comparison

Dimension | Type I | Type II
What it covers | Design adequacy of controls at a specific point in time | Operating effectiveness of controls over a period (typically 6–12 months)
Time to achieve | 2–3 months | 6–12 months from the start of the observation period
Typical cost | $15,000–$40,000 | $30,000–$80,000
Value to buyers | Demonstrates controls are in place | Demonstrates controls work in practice; significantly higher value
When to start | 12–18 months before process if you want Type II | 18–24 months before process for full Type II with a reputable auditor
Common preparers | Drata, Vanta (automation tools that accelerate readiness); Big 4 or regional CPA firm for the audit itself | Drata, Vanta, or Tugboat Logic for readiness automation; Big 4 or regional CPA firm for the Type II audit

SOC 2 matters in a sale process for three reasons: some buyers require it as a condition of close; some customers require it before signing contracts (which means your growth pipeline depends on it); and the presence of a SOC 2 report demonstrates that security governance is systematic rather than ad hoc.

The insurance angle: buyers increasingly require cyber coverage

Cyber insurance is increasingly a closing condition or a representation and warranty in middle market transactions. Buyers want assurance that the seller maintained cyber coverage through close, and that the policy is transferable or replaceable post-close.

What buyers look for in a cyber policy: minimum coverage limits (typically $1M–$5M for a $15M–$75M business), coverage for both first-party costs (breach response, forensics, notification) and third-party liability (customer claims, regulatory fines), and no material coverage gaps that the buyer would inherit as an uninsured risk.

The underwriting process for cyber insurance now includes a security questionnaire that covers MFA enforcement, backup practices, incident history, and endpoint protection. Companies that score poorly on the questionnaire face higher premiums or coverage limitations. Companies that have implemented the basic hygiene controls described above typically qualify for standard coverage at standard rates.

$8K–$25K: typical annual premium for a $2M–$5M cyber insurance policy for a $15M–$75M business

$1M–$5M: typical minimum cyber coverage limit expected by buyers in middle market transactions

6–8 weeks: typical underwriting timeline for cyber insurance; start before the process starts

Regulatory gap checklist: what applies to your business

Before you can address compliance gaps, you need to know which regulations apply. Many middle market businesses assume compliance is only relevant for regulated industries, and that assumption is frequently wrong.

Regulatory Compliance Applicability Checklist

Regulation or framework | Applicability trigger | Current compliance status to assess | Estimated remediation cost if gap
GDPR (EU General Data Protection Regulation) | Personal data of people in the EU, which can arise from a single EU-resident customer or employee; applicability turns on whether you have an EU establishment or offer goods or services to, or monitor, people in the EU, so confirm with counsel | Data processing agreements, privacy policy, right-to-erasure process, breach notification protocol | $20,000–$75,000 for a gap-to-compliance remediation
CCPA (California Consumer Privacy Act) | Personal data of California residents (customers, employees, or website visitors), subject to the statute's revenue and data-volume thresholds | Privacy policy, opt-out process, data inventory, vendor data sharing agreements | $10,000–$40,000 for a gap-to-compliance remediation
HIPAA (Health Insurance Portability and Accountability Act) | Any healthcare data: patient records, health insurance information, or services to covered entities | Security Rule compliance, BAAs with vendors, access controls, breach notification procedures | $25,000–$100,000+ depending on gap severity
SOC 2 Type II (an attestation framework, not a regulation) | Does your buyer require it? Do your enterprise customers require it? Do you process customer data in a SaaS platform? | Control design, operating effectiveness over a 6–12 month observation period, auditor report | $30,000–$80,000 first year (tool + audit)
PCI DSS (Payment Card Industry Data Security Standard) | Do you store, process, or transmit credit card data directly? A merchant that fully outsources card handling to a payment processor still completes a reduced self-assessment questionnaire (SAQ A); handling card data yourself brings the full standard into scope | Network segmentation, cardholder data environment, quarterly vulnerability scans, annual assessment | $15,000–$50,000 for SMB-tier compliance


If you are unsure whether a regulation applies to your business, the answer is almost always: get a legal opinion before the process starts, not during it. A $2,000–$5,000 regulatory applicability review from a privacy attorney is the cheapest way to know what you are facing. Discovering a HIPAA gap or a CCPA non-compliance issue during buyer diligence is significantly more expensive.

Remediation cost estimation: what pre-sale cybersecurity readiness costs

Understanding the cost to remediate specific gaps before a sale process is critical for two reasons: it lets you prioritize which gaps are worth fixing before process (high buyer impact, low remediation cost) versus disclosing and pricing into the deal (low buyer impact or high remediation cost), and it informs how you present cybersecurity status in the data room.

Pre-Sale Cybersecurity Remediation Cost Estimates

Control area | What it covers | Estimated cost | Buyer impact if gap found
Endpoint security upgrade (EDR deployment) | Deploying CrowdStrike, SentinelOne, or Microsoft Defender for Business across all company devices | $5,000–$25,000 (tools + deployment) | High; endpoint coverage is a standard diligence check
Employee security awareness training | Annual phishing simulation and security training for all employees | $3,000–$10,000/year | Medium; training completion rates are reviewed in diligence
Vulnerability assessment and penetration test | External pen test of internet-facing systems; internal vulnerability scan | $10,000–$40,000 | High; pen test results (last 12 months) are requested in most diligence processes
SOC 2 Type II audit (first year) | Readiness assessment + observation period + audit fee | $30,000–$80,000 first year | Very high for SaaS and tech-enabled businesses; high for any company with enterprise customers
Incident response plan documentation | Written IR plan covering detection, containment, notification, and recovery | $5,000–$20,000 | High; absence of a documented IR plan is a standard diligence flag


$50K–$175K: typical total pre-sale cybersecurity readiness investment for a mid-market business addressing all major gaps

$150K–$500K: typical purchase price adjustment when gaps are discovered by the buyer during diligence rather than remediated pre-process

5x–15x: typical return on pre-sale cybersecurity investment in prevented purchase price adjustments

What buyers test in cybersecurity diligence, and how to prepare

Knowing exactly what the buyer's security firm will look for allows you to prepare specifically, rather than generically. The following are the most commonly tested items in middle market cybersecurity diligence.

What Buyers Test in Cybersecurity Diligence

Diligence item | What the buyer looks for | How to prepare
Penetration test results (last 12 months) | A professional third-party pen test of internet-facing systems; findings log; remediation status of any findings | Commission a pen test 6–12 months before process; remediate all critical and high findings; document remediation
Security incident history | Any breaches, ransomware events, unauthorized access, or data loss in the past 3–5 years; how each was handled | Conduct an internal incident history review; document each event and remediation; disclose proactively (undisclosed incidents discovered later are much more damaging)
Vendor access controls | Which vendors have access to your network or data; what controls govern that access; whether access rights are reviewed regularly | Audit all vendor access; implement a formal vendor access review; terminate standing access for vendors who no longer need it
Employee security training completion rates | Percentage of employees who have completed annual security training; phishing simulation results | Run an annual training program; track completion; generate a completion report before process
Patch management cadence | How quickly critical software patches are applied; who is responsible; the current unpatched vulnerability count | Document your patch management process; run a current vulnerability scan; patch all critical findings before process
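
For the patch management row, the buyer's question is quantitative: how long do critical and high findings stay open, and how many are open past your own target right now. The script below is an added example, not this page's code or any scanner vendor's; it reads a constructed scanner export (the rows are constructed, and the columns finding_id, host, severity, first_seen and fixed_on, like the SLA targets, are assumptions to be mapped onto your scanner's export and your own policy) and returns, per severity, the median and worst time to remediate, the percentage closed within SLA, and the open findings past SLA as of a chosen date.

```python
"""Patch-cadence metrics from a vulnerability scanner export.

Added example, not the page's or any scanner vendor's code. The rows are
constructed and the column names (finding_id, host, severity, first_seen,
fixed_on) and SLA targets are assumptions; map your scanner's export and your
own remediation policy onto them.
"""
import csv
import io
from datetime import date
from statistics import median

# Constructed scanner export. fixed_on is blank while a finding is still open.
SCAN_EXPORT = """finding_id,host,severity,first_seen,fixed_on
F-1,WEB-01,critical,2024-03-01,2024-03-05
F-2,WEB-01,high,2024-03-01,2024-03-20
F-3,DB-01,critical,2024-04-10,
F-4,FS-01,medium,2024-02-15,2024-04-30
F-5,WEB-02,critical,2024-04-20,2024-04-25
F-6,VPN-01,high,2024-04-01,
F-7,FS-01,low,2024-01-10,
"""

# Assumed remediation targets in days; substitute the ones in your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def patch_metrics(export=SCAN_EXPORT, as_of=date(2024, 5, 3), sla=SLA_DAYS):
    """Per-severity time-to-remediate and SLA status as of a given date."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(export)):
        sev = row["severity"].lower()
        if sev not in sla:
            continue  # informational findings carry no remediation target
        first_seen = date.fromisoformat(row["first_seen"])
        fixed_on = date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None
        # An open finding keeps aging until as_of; a closed one stopped when fixed.
        age = ((fixed_on or as_of) - first_seen).days
        b = buckets.setdefault(sev, {"closed": [], "closed_past_sla": 0,
                                     "open": 0, "open_past_sla": []})
        if fixed_on:
            b["closed"].append(age)
            if age > sla[sev]:
                b["closed_past_sla"] += 1
        else:
            b["open"] += 1
            if age > sla[sev]:
                b["open_past_sla"].append((row["finding_id"], row["host"], age))

    metrics = {}
    for sev, b in buckets.items():
        closed = b["closed"]
        within = len(closed) - b["closed_past_sla"]
        metrics[sev] = {
            "sla_days": sla[sev],
            "open": b["open"],
            "open_past_sla": b["open_past_sla"],
            "median_days_to_fix": median(closed) if closed else None,
            "worst_days_to_fix": max(closed) if closed else None,
            "closed_within_sla_pct": round(100.0 * within / len(closed), 1) if closed else None,
        }
    return metrics


def diligence_summary(metrics):
    """The two numbers a buyer's questionnaire actually asks for."""
    return {
        "open_critical_and_high": sum(metrics.get(s, {}).get("open", 0)
                                      for s in ("critical", "high")),
        "open_past_sla_total": sum(len(m["open_past_sla"]) for m in metrics.values()),
    }


if __name__ == "__main__":
    result = patch_metrics()
    for sev in ("critical", "high", "medium", "low"):
        print(sev, result.get(sev))
    print(diligence_summary(result))
```

Run it against a real export with as_of set to the data room cut-off date and the numbers go straight into the posture summary; open findings past SLA are the list a reviewer will ask about by host, so keep the host column. On the constructed data, criticals close in a median of 4.5 days but one critical on DB-01 has been open 23 days against a 7-day target, and one high on VPN-01 is open 32 days against 30.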

Prepare a one-page cybersecurity posture summary for the data room. It should cover: (1) MFA enforcement rate across all systems; (2) endpoint protection coverage rate; (3) last pen test date and critical finding remediation status; (4) incident history (if clean, state explicitly — "no material security incidents in the past 3 years"); (5) SOC 2 status or planned timeline; (6) cyber insurance coverage limits and renewal date. This converts a potentially open-ended diligence workstream into a documented, answerable set of questions.

Common cybersecurity diligence mistakes

"We've never been hacked" as a security posture. The absence of a known breach does not indicate a strong security posture; it indicates only that no breach is known. Buyers assume the difference and price accordingly.

No MFA on email. Email compromise is the #1 attack vector for middle market businesses. No MFA on Microsoft 365 or Google Workspace is the single most frequently flagged gap in middle market cybersecurity diligence. It is also the easiest to fix: a 30-minute configuration change, provided legacy authentication protocols are blocked at the same time, since those bypass MFA.

Shared admin credentials. Multiple people sharing a single admin password on critical systems creates attribution problems, access control gaps, and audit log failures. Each admin account should be individual, and admin access should be limited to those who need it.

No documented incident response plan. A 2-page IR plan is not bureaucracy; it is a diligence deliverable. Its absence signals to buyers that security is reactive rather than governed.

Terminated employees with active accounts. Access review is not a one-time exercise. If your offboarding process does not include a same-day account deactivation step, you have active accounts belonging to people who no longer work for you. This is one of the first things a security reviewer will check.

Research finding
Verizon Data Breach Investigations Report

74% of breaches involve a human element: phishing, use of stolen credentials, social engineering, or error. All four of these vectors are addressed by basic hygiene controls: MFA, access management, security awareness training, and endpoint protection. These are not advanced security measures; they are the floor.

A cybersecurity readiness review 12 months before a sale process costs $15,000–$30,000. It identifies the specific gaps a buyer will find, prioritizes the fixes, and gives you time to implement controls and demonstrate they are operating. That $15,000–$30,000 investment routinely prevents $150,000–$500,000 in purchase price adjustments, a 5x–15x return on a single preparation step.

Frequently asked questions

What if we cannot get SOC 2 done before process?

A SOC 2 readiness assessment (a gap analysis against the SOC 2 criteria) costs $10K–$20K and can be completed in 4–6 weeks. It tells buyers what controls are in place and what remains to be done. It is not equivalent to an audited SOC 2 report, but it demonstrates seriousness and creates a roadmap.

What industries most commonly require SOC 2 in diligence?

SaaS and technology companies, healthcare services with digital data handling, financial services, and any company with enterprise customers who require vendor SOC 2 reports as part of their own compliance programs.

What is cyber insurance and do we need it before a sale?

Cyber insurance covers breach response costs, regulatory fines, and third-party liability. Buyers increasingly require cyber insurance as a condition of close or as a representation and warranty. A $2M–$5M cyber policy for a $15M–$75M business typically costs $8,000–$25,000 annually.

How does SOC 2 affect valuation?

SOC 2 Type II does not directly affect EBITDA, but it affects risk-adjusted valuation. Buyers apply lower risk premiums to companies with documented security governance, which translates to less discounting of the multiple and fewer adjustments in the purchase agreement.

Research sources

IBM Cost of a Data Breach Report 2024
Verizon Data Breach Investigations Report
Ponemon Institute on Incident Response

Disclaimer: Financial figures and case studies in this article are illustrative, based on representative middle market assumptions, and are not guarantees of outcome. Statistical references are drawn from cited third-party research; individual transaction and operational results vary based on business characteristics, market conditions, and deal structure. This content is for informational purposes only and does not constitute legal, financial, or investment advice. Consult qualified advisors for guidance specific to your situation.
