M&A Cyber Diligence Workbook
The active cyber diligence workbook for M&A deal teams — auto-generated deal recommendations, cost modeling, and deal-term mechanism mapping across a 10-day sprint framework.
Most M&A cyber checklists are static PDFs. This is an active workbook that drives deal decisions with auto-generated recommendations, cost modeling, and deal-term mechanism mapping. The workbook opens directly with the acquirer's psychology: the $350M Verizon-Yahoo price cut, the 73% who would walk from an undisclosed breach, the 40% who find issues post-close, and the fewer than 10% of deals that include cyber diligence today.
10-Day Sprint Plan — Day-by-day schedule covering Kickoff & DRL, OSINT, Document Review, Target Interview, Control Assessment, Vendor & Regulatory, Findings Consolidation, Remediation Cost, Synthesis, and Delivery. A compressed 5-day version is included.
Control Assessment — 23 controls: CIS Top 18 plus 5 M&A-specific extensions (Board Oversight, Cyber Insurance Health, Regulatory Posture, AI & Shadow AI, Supply Chain & M&A Hygiene). 5-point maturity scale with auto-flagged Candidate Findings and an overall maturity score generating a STRONG/ACCEPTABLE/CONCERNING/UNACCEPTABLE interpretation.
Findings Register — 13 columns per finding including Deal Impact Rating, Recommended Deal-Term Mechanism, and Estimated Remediation Cost. Pre-seeded with 5 realistic findings modeled on real M&A cyber-failure patterns.
Threat Intel & OSINT — 15 independent validation checks: breach databases, dark web, Shodan/Censys, SSL Labs, DMARC, GitHub secrets, exposed cloud storage, SEC filings, and more. Targets the Rep Gap between what targets disclose and what external signals reveal.
Vendor Inheritance — Pre-seeded with 8 realistic vendors showing the pattern of legitimate enterprise tools alongside shadow/personal-account vendors that need termination or remediation.
Regulatory Exposure — 15 frameworks (GDPR, CCPA/CPRA, HIPAA, PCI DSS 4.0.1, SOX, SEC Cyber Rules, NY DFS, CMMC, EU AI Act, and more) with pre-populated penalty exposure and per-framework cost-to-fix.
Deal Impact Summary — Auto-generated KPIs and a recommendation: WALK / DEMAND MAJOR RENEGOTIATION / RENEGOTIATE HARD / RENEGOTIATE / PROCEED WITH CONDITIONS / PROCEED. Findings broken down by deal mechanism (Walk-Away, Price Adjust, Indemnity, Rep&War, Condition Precedent, Post-Close Remediation, Accept).
Also includes: Document Request List (50 items, 10 categories), Remediation Cost Model (15 categories, 3-year total), Post-Close Day-1 Playbook (14 actions, first 30 days), and a 19-term Glossary covering deal mechanisms and cautionary cases.
The 24-section, 514-paragraph User Guide covers the Yahoo/Starwood case studies, DRL strategy, the OSINT Rep Gap concept, target interview trap questions, all seven deal mechanisms, the 60-minute delivery framework, and the 80% "good enough" bar that prevents chasing perfection.
What's included
- Excel (.xlsx) — fully editable
- Word (.docx) — User Guide — fully editable
- Instant download after purchase
- Free updates — re-download when we release new versions
- Practitioner License: unlimited client use (vCISO / MSP)