
Cyber Due Diligence for Mergers and Acquisitions India

M&A activity in India is rising and so is the recognition that cyber issues affect deal valuation, structure and post-close integration. The Yahoo-Verizon precedent (USD 350 million price cut after breach disclosure) made cyber DD non-optional. Here is the practical cyber DD process for Indian transactions.

Published 23 May 2026 | 9 min read | Codesecure Compliance Practice

Key Takeaways

  • Cyber DD is now standard in any meaningful Indian M&A transaction. Acquirers protect themselves; sellers prepare for it.
  • Scope: VAPT history, incident history, data inventory, third-party access, compliance posture, IR readiness, cyber insurance, regulatory exposure.
  • Timing: typically during exclusivity (after term sheet, before signing) for the buy-side; vendor due diligence (VDD) by sellers ahead of marketing.
  • Red flags affect valuation: undisclosed breaches, material compliance gaps, regulatory enforcement risk, technical debt, vendor exposure.
  • Post-close integration risk is real: connecting two networks merges threat surfaces. Day-one integration cyber plan is essential.

Why Cyber DD Matters in M&A

The Yahoo-Verizon transaction is the canonical precedent. Verizon agreed in July 2016 to buy Yahoo's core internet business for USD 4.83 billion. Between signing and closing, Yahoo disclosed two large prior breaches: one affecting about 500 million accounts (from 2014) and one initially put at 1 billion accounts (from 2013), later revised to all 3 billion Yahoo accounts after the deal had closed. Verizon negotiated the price down by USD 350 million and the parties agreed to share certain ongoing breach liabilities. The transaction closed in June 2017, and the episode set the M&A cyber DD baseline industry-wide.

Indian M&A activity has grown materially since 2020. PE, VC and strategic transactions across SaaS, fintech, healthcare, manufacturing and consumer all increasingly include cyber DD as a workstream. The cost of cyber DD is small relative to a typical deal; the cost of missing material cyber liability is large.

What Cyber DD Covers

  • VAPT history: recent pentest reports, findings, remediation status, re-test outcomes
  • Incident history: past cyber incidents, response, lessons learned, residual liability
  • Data inventory: what personal data, payment data, IP, regulated data is held, where it sits, who can access
  • Third-party access: vendor register, vendor cyber assurance, integration dependencies, supply chain exposure
  • Compliance posture: ISO 27001, SOC 2, PCI DSS, HIPAA, DPDP, RBI/SEBI/IRDAI compliance status and certificates
  • IR readiness: IR plan, tabletop history, retainer, recent exercise outcomes
  • Cyber insurance: policy coverage, claims history, renewal status
  • Regulatory exposure: open investigations, recent inspections, pending fines, sector-specific risk
  • Technology debt: legacy systems with material cyber risk, deprecation roadmap
  • Team and capability: CISO function, security headcount, programme maturity


Timing in the Deal Process

Buy-side cyber DD typically runs during exclusivity, after the term sheet and before signing, and takes 2 to 6 weeks depending on target complexity. The output feeds the negotiation: price adjustment, representations and warranties, indemnity, escrow and post-close obligations.

Vendor due diligence (VDD) by the seller is conducted ahead of marketing the asset. The seller's cyber team or external consultant produces a comprehensive DD pack that addresses anticipated buyer concerns. VDD reduces surprises during buyer DD and supports a cleaner process.

Post-signing pre-closing cyber updates address material changes between signing and closing. A breach during this window can trigger material adverse change clauses.

Post-close integration includes integration-specific cyber DD on connecting the two organisations' networks, systems and identities.

Red Flags That Affect Valuation

Undisclosed breaches: the Yahoo precedent. Any breach should be disclosed during DD. Discovery after close typically gives rise to indemnity claims and a breach of the seller's representations and warranties.

Material compliance gaps: missing certifications customer contracts require, regulator-mandated controls not in place, DPDP / GDPR exposure for personal data handled.

Regulatory enforcement risk: open investigations, recent inspections with adverse findings, pending fines.

Technical debt: out-of-support systems holding sensitive data, fundamental architectural issues that materially affect post-close integration cost.

Vendor concentration risk: critical dependency on a single vendor with poor cyber posture.

Talent risk: CISO recently departed, security team understaffed, key person dependency.

Insurance gaps: cyber insurance not in place, recent policy reduction, exclusions affecting in-scope risk.

Post-Merger Integration Security

Connecting two organisations' networks, identities, applications and data multiplies the threat surface. A day-one integration cyber plan addresses the immediate risks; a multi-year integration roadmap addresses structural alignment.

Day-one risks: open trust between the two networks before either has audited the other, identity federation introducing access paths that bypass either organisation's existing controls, immediate data flows that may not respect DPDP / GDPR cross-border restrictions, shared vendor relationships that need consolidation.

Recommended day-one approach: keep the networks separated until cyber DD findings are remediated, federate identity carefully with strict role mapping, conduct accelerated VAPT of the acquired entity's perimeter, integrate IR teams from day one (one IR plan, one incident channel), align cyber insurance to the combined entity within 30 days.


DPDP Implications for M&A

The DPDP Act 2023 has direct implications for M&A involving personal data. The acquirer inherits the personal data the target processed and the obligations attached to it. Issues to address: the lawful basis on which the target collected the data, whether that basis remains valid post-acquisition (consent given to the original entity may not automatically extend to the acquirer), data principal rights workflows, breach response obligations carried forward, and vendor agreements covering personal data.

For cross-border transactions involving Indian targets, additional considerations: where personal data will sit post-close (India versus outside), Significant Data Fiduciary designation possibly triggered at combined scale, DPO appointment, independent audit obligations.

Vendor due diligence and acquirer DD should specifically address DPDP-attached liabilities. Codesecure delivers DPDP-focused DD as part of broader cyber DD engagements.

Cyber DD Report Structure

A cyber DD report serves multiple audiences in the deal process: the buyer's deal team, deal counsel, financial advisors, and (for material findings) the buyer's board. Structure:

Executive summary (1 to 2 pages, deal-team readable, deal-impact statements).

Scope and methodology.

Cyber risk profile: high-level posture assessment.

Detailed findings by domain (VAPT, incidents, data inventory, third party, compliance, IR, insurance, regulatory, technology, team).

Deal-impact summary: which findings affect price, which trigger reps and warranties, which require post-close action, which are accepted.

Integration considerations: cyber risks of integration, recommended day-one plan.

Appendices: evidence, control inventory, list of certificates reviewed, redacted excerpts from sampled documentation.

Codesecure delivers cyber DD with this structure for Indian buy-side and sell-side engagements.


Frequently Asked Questions

Who pays for cyber DD?

Buy-side cyber DD is paid by the buyer (cost of doing the deal). Vendor due diligence is paid by the seller. Sometimes the seller's VDD report is shared with bidders, reducing duplicate effort and accelerating the process.

How long does cyber DD take?

Buy-side: 2 to 6 weeks during exclusivity depending on target complexity. Vendor due diligence: 4 to 8 weeks ahead of marketing. Larger or more complex targets extend the timeline.

Can cyber DD be done without target cooperation?

Partially. External observable signals (DNS hygiene, certificate posture, exposed services, breach history from public sources) can be assessed without target cooperation. Full DD requires target document access and interviews.

What if cyber DD finds undisclosed breaches?

Material undisclosed breaches usually trigger price adjustment, indemnity, or in extreme cases termination. The Yahoo precedent established the playbook. Indian transactions follow similar patterns.

Does DPDP affect data acquired in M&A?

Yes. The acquirer inherits personal data and the DPDP obligations attached. Specific issues include lawful basis continuity, data principal rights workflow continuity, vendor agreement assignment, and possible Significant Data Fiduciary designation triggered at combined scale.

Can Codesecure conduct cyber DD?

Yes. Codesecure delivers buy-side and sell-side cyber DD for Indian M&A transactions across SaaS, fintech, healthcare, manufacturing and consumer sectors. Coordinated with legal, financial and tax DD teams. Deal-team readable reporting.


Codesecure Compliance Practice

ISO 27001 LA / CISSP / CISA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers compliance programmes covering ISO 27001, SOC 2, PCI DSS, DPDP, HIPAA, GDPR, RBI, SEBI, IRDAI and NIST CSF for Indian businesses. Named ISO 27001 Lead Auditor, CISSP and CISA consultants. 150+ engagements across India, Singapore, UAE and the Middle East.


Run Cyber DD That Protects The Deal And The Post-Close Integration

Codesecure delivers buy-side and sell-side cyber due diligence for Indian M&A transactions. ISO/IEC 27001:2022 certified delivery, named consultants, deal-team readable reporting, integrated with legal, financial and tax DD workstreams.