Cybersecurity Due Diligence Checklist for Deal Teams
Key controls, regulatory requirements, and red flags to evaluate during any M&A transaction involving financial data. Each item maps to SEC, FINRA, or FTC requirements so you know exactly what matters and why.
The Checklist
41 Controls Across 9 Categories
Governance & Security Program
Regulatory basis: SEC Reg S-P, FINRA Cybersecurity Guidance, FTC Safeguards Rule
Written Information Security Program (WISP) exists and is current
Verify the target has a documented WISP that reflects its actual environment — not a generic template. SEC examiners flag stale or mismatched policies.
Designated cybersecurity leader or Qualified Individual
The FTC Safeguards Rule requires a Qualified Individual to oversee the security program. Confirm who holds this role and their qualifications.
Board or senior management cybersecurity oversight documented
SEC and FINRA expect governance from senior leadership. Review board minutes, reporting cadence, and oversight structure.
Risk assessment completed within the past 12 months
NIST CSF's Identify function requires understanding business context and risks. Verify when the last assessment was performed and whether findings were remediated.
Cybersecurity policies reviewed and updated annually
Policies that haven't been updated in years signal neglect and create compliance gaps.
Identity & Access Management
Regulatory basis: FTC Safeguards Rule (MFA requirement), SEC Reg S-P, FINRA
Multi-factor authentication (MFA) enforced on all systems
MFA must cover email, CRM, custodian portals, trading platforms, VPN, remote desktop, and workstations. Partial MFA is a common deficiency finding.
Role-based access control (RBAC) implemented
Verify that access is granted by role with least-privilege principles. Review who has admin access and whether it's justified.
Legacy authentication protocols disabled
IMAP, POP, and other legacy authentication protocols rely on basic (username and password) authentication and therefore bypass MFA. Confirm they are disabled across all tenants.
Offboarding procedures documented and enforced
Terminated employee accounts should be disabled same-day. Review the process and check for dormant accounts.
Privileged access reviewed quarterly
Admin accounts should be separate from daily-use accounts, rotated regularly, and reviewed at least quarterly.
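The identity controls above can be checked against an export from the target's identity provider. The script below is an added example (not Katalism's tooling) that runs over a constructed sample; the field names and the 90-day dormancy threshold are assumptions.

```python
"""Hypothetical due-diligence review of an identity export (constructed sample).

Covers the Identity & Access Management items: MFA coverage, legacy
authentication, same-day offboarding, and dormant or privileged accounts.
"""
from datetime import date

# Constructed sample resembling a CSV/JSON export from the target's identity
# provider. Field names are assumptions, not any vendor's real schema.
ACCOUNTS = [
    {"user": "a.rivera", "enabled": True, "admin": False, "mfa": True,
     "legacy_auth": False, "last_login": "2024-05-20", "terminated": None},
    {"user": "b.chen", "enabled": True, "admin": True, "mfa": False,
     "legacy_auth": True, "last_login": "2024-05-21", "terminated": None},
    {"user": "c.okafor", "enabled": True, "admin": False, "mfa": True,
     "legacy_auth": False, "last_login": "2023-11-02", "terminated": None},
    {"user": "d.patel", "enabled": True, "admin": False, "mfa": True,
     "legacy_auth": False, "last_login": "2024-03-15", "terminated": "2024-03-18"},
    {"user": "svc-backup", "enabled": True, "admin": True, "mfa": True,
     "legacy_auth": False, "last_login": "2024-05-22", "terminated": None},
]

DORMANT_DAYS = 90  # assumption: a common review threshold, not a regulatory number


def review_accounts(accounts, as_of, dormant_days=DORMANT_DAYS):
    """Return a dict of finding -> sorted usernames, as of the ISO date `as_of`.
    Disabled accounts are skipped because they cannot be used to sign in."""
    cutoff = date.fromisoformat(as_of)
    findings = {"no_mfa": [], "admin_no_mfa": [], "legacy_auth": [],
                "dormant": [], "terminated_still_enabled": []}
    for a in accounts:
        if not a["enabled"]:
            continue
        if not a["mfa"]:
            findings["no_mfa"].append(a["user"])
            if a["admin"]:  # privileged account without MFA is the worst case
                findings["admin_no_mfa"].append(a["user"])
        if a["legacy_auth"]:
            findings["legacy_auth"].append(a["user"])
        if (cutoff - date.fromisoformat(a["last_login"])).days > dormant_days:
            findings["dormant"].append(a["user"])
        if a["terminated"] is not None:  # offboarding control failed
            findings["terminated_still_enabled"].append(a["user"])
    return {k: sorted(v) for k, v in findings.items()}


def mfa_coverage(accounts):
    """Percentage of enabled accounts with MFA enrolled (the '100%' evidence)."""
    enabled = [a for a in accounts if a["enabled"]]
    return round(100 * sum(a["mfa"] for a in enabled) / len(enabled), 1) if enabled else 100.0
```

Any non-empty finding list is a deficiency to raise with the target, and the coverage figure belongs in the deal committee summary alongside the dates the export was pulled.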
Data Protection & Encryption
Regulatory basis: SEC Reg S-P, FTC Safeguards Rule, State Privacy Laws
Sensitive data encrypted at rest and in transit
Client NPI, financial records, and trade data must be encrypted. Verify encryption standards (AES-256 at rest, TLS 1.2+ in transit).
Data classification policy exists
The target should categorize data (NPI, financial, internal, public) with defined protection levels for each.
Data loss prevention (DLP) controls deployed
DLP policies should prevent unauthorized sharing of client data via email, cloud storage, and removable media.
Data retention and destruction policies documented
Verify retention periods align with SEC Rule 204-2 and that destruction methods are documented and auditable.
Secure data room configured for transaction documents
Confirm that deal documents are stored with encryption, role-based access, watermarking, and full audit trails.
Endpoint & Network Security
Regulatory basis: NIST CSF, CIS Controls, FTC Safeguards Rule
Endpoint detection and response (EDR) deployed on all devices
Every workstation, laptop, and server should have EDR. Verify coverage is 100% — not just a subset.
Full-disk encryption on all endpoints
Lost or stolen devices should not expose client data. Verify BitLocker or equivalent is enforced via policy.
Patch management automated and current
Review patch compliance rates. Unpatched systems are one of the most common entry points for attackers.
Firewalls and intrusion detection/prevention deployed
Verify network segmentation, firewall rules, and IDS/IPS coverage.
Remote access secured with VPN and conditional access
All remote connections should use encrypted VPN with device-compliance checks. BYOD policies should be documented.
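Coverage claims for EDR, disk encryption, and patching should be reconciled against the asset inventory rather than taken from a single console. The script below is an added example (not Katalism's tooling) over constructed exports; the hostnames, dates, and 30-day patch SLA are assumptions.

```python
"""Hypothetical reconciliation of an asset inventory against EDR, disk-encryption
and patch exports (constructed samples, not real data).

Supports the Endpoint & Network Security items: EDR on 100% of devices,
full-disk encryption enforced, and patching current."""
from datetime import date

# Constructed exports. Hostnames deliberately differ in case and DNS suffix,
# which is how exports from different consoles usually arrive.
INVENTORY = ["FIN-LT-01", "FIN-LT-02", "FIN-LT-03", "OPS-WS-07",
             "SRV-FILE-01", "SRV-SQL-01"]
EDR_HOSTS = ["fin-lt-01.corp.local", "fin-lt-02.corp.local", "ops-ws-07",
             "srv-file-01.corp.local", "hr-lt-04.corp.local"]
ENCRYPTED_HOSTS = ["FIN-LT-01", "FIN-LT-02", "FIN-LT-03", "OPS-WS-07"]
LAST_PATCHED = {"FIN-LT-01": "2024-05-28", "FIN-LT-02": "2024-05-28",
                "FIN-LT-03": "2024-02-10", "OPS-WS-07": "2024-05-27",
                "SRV-FILE-01": "2024-05-20", "SRV-SQL-01": "2024-01-15"}
PATCH_SLA_DAYS = 30  # assumption: use the target's own documented SLA in practice


def normalize(hostname):
    """Lower-case and drop any DNS suffix so exports from different tools match."""
    return hostname.strip().lower().split(".")[0]


def reconcile(inventory, edr_hosts, encrypted_hosts, last_patched, as_of,
              sla_days=PATCH_SLA_DAYS):
    """Return coverage percentages and the hosts behind each gap."""
    assets = {normalize(h) for h in inventory}
    edr = {normalize(h) for h in edr_hosts}
    enc = {normalize(h) for h in encrypted_hosts}
    patched = {normalize(h): date.fromisoformat(d) for h, d in last_patched.items()}
    cutoff = date.fromisoformat(as_of)

    def covered_pct(gap):
        return round(100 * (len(assets) - len(gap)) / len(assets), 1)

    missing_edr = sorted(assets - edr)
    unencrypted = sorted(assets - enc)
    # A host with no patch record at all counts as stale, not as unknown.
    stale = sorted(h for h in assets
                   if h not in patched or (cutoff - patched[h]).days > sla_days)
    return {"edr_pct": covered_pct(missing_edr), "missing_edr": missing_edr,
            "fde_pct": covered_pct(unencrypted), "unencrypted": unencrypted,
            "patch_pct": covered_pct(stale), "patch_stale": stale,
            # agents reporting from hosts the inventory does not know about
            "edr_unknown_hosts": sorted(edr - assets)}
```

Hosts that appear in the EDR console but not in the inventory are as important as the reverse gap: they show the inventory itself is incomplete, which undermines every other coverage figure.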
Monitoring, Detection & Response
Regulatory basis: SEC Reg S-P (incident response), FINRA, NIST CSF
24/7 security monitoring in place (SOC or SIEM)
Verify that threat detection is continuous — not just business hours. Review what log sources feed the monitoring platform.
Incident response plan documented and tested
The plan should include roles, containment steps, notification timelines (30 days per Reg S-P), and communication trees. Ask when it was last tested.
Security logs centralized and retained
Identity events, admin actions, endpoint telemetry, and cloud activity should be collected centrally and retained per regulatory requirements.
Vulnerability scanning performed regularly
Review scan frequency, coverage, and whether findings are remediated within defined SLAs.
Penetration testing conducted within the past 12 months
The FTC Safeguards Rule requires annual penetration testing. Review the most recent report and confirm findings were remediated.
Vendor & Third-Party Risk
Regulatory basis: SEC Reg S-P, FINRA, FTC Safeguards Rule
Complete vendor inventory with data access levels documented
Every service provider (custodians, cloud hosting, CRM, IT support, payroll) should be inventoried with documented data access.
Vendor security assessments completed annually
Review SOC 2 reports, security questionnaires, and due diligence documentation for critical vendors.
Cybersecurity clauses in vendor contracts
Contracts should require security controls, breach notification, audit rights, and data handling standards.
Vendor access restricted to least-privilege
Third-party access should be limited to necessary systems and data, monitored, and revoked when no longer needed.
Business Continuity & Backup
Regulatory basis: FINRA Rule 4370, SEC, NIST CSF
Business continuity plan (BCP) documented and tested
FINRA Rule 4370 requires a written BCP. Verify it covers data backup, recovery procedures, alternate sites, and communication plans.
Backups encrypted, immutable, and stored off-site
Backups should be protected against ransomware (immutable/air-gapped) and stored separately from production systems.
Recovery time objectives (RTO) and recovery point objectives (RPO) defined
The target should have documented RTOs and RPOs for critical systems — and evidence that they've been tested.
Backup restoration tested within the past 6 months
Untested backups are unreliable. Verify the date and results of the most recent restore test.
Employee Training & Awareness
Regulatory basis: SEC, FINRA, FTC Safeguards Rule
Security awareness training conducted continuously
Annual training is insufficient. Verify that the target provides monthly micro-trainings and quarterly phishing simulations.
Phishing simulation results tracked and improving
Review click-through rates over time. Declining click rates indicate effective training; flat or rising rates indicate the program is not working.
Role-specific training for high-risk staff
Advisors handling wire transfers, account openings, or trading should receive targeted training on BEC and fraud prevention.
Training completion records available as audit evidence
Attendance records, quiz results, and completion certificates should be maintained and producible for examiners.
Incident History & Breach Disclosure
Regulatory basis: SEC Reg S-P, State Breach Notification Laws
Incident history disclosed and documented
Request a complete history of security incidents, breaches, and regulatory findings. Undisclosed incidents are a material risk.
Breach notification obligations assessed
If a past breach occurred, verify that notification obligations were met (Reg S-P: 30 days). Outstanding obligations transfer at close.
Post-incident remediation completed
For any prior incidents, verify that root causes were addressed, controls were strengthened, and policies were updated.
Regulatory findings or enforcement actions disclosed
Check for SEC, FINRA, or state regulatory actions related to cybersecurity or data protection.
Frequently Asked Questions
Who should use this checklist?
Deal teams, operating partners, compliance officers, and IT leaders involved in M&A transactions involving financial firms, RIAs, broker-dealers, or any business handling sensitive client data. The checklist is also valuable for private-equity firms evaluating portfolio company cybersecurity.
When during the deal process should this checklist be used?
Cybersecurity due diligence should begin as part of the formal due diligence phase and continue through pre-close remediation and post-close integration. A high-level risk screen can be performed pre-LOI to identify potential deal-breakers early.
Can Katalism conduct the due diligence assessment for us?
Yes. Katalism specializes in cybersecurity due diligence for financial M&A transactions. We evaluate the target, document findings for your deal committee, prioritize remediation, and manage post-close integration. Schedule a meeting to discuss your transaction.
Need Help With Cybersecurity Due Diligence?
Katalism conducts cybersecurity due diligence for financial M&A transactions. We evaluate the target, document findings, and manage post-close integration.