Secure Controls Framework

Security & Privacy Capability Maturity Model (SP-CMM) Use Case #4 – Due Diligence In Mergers & Acquisitions (M&A)

cybersecurity assessments,cybersecurity audit,cybersecurity due diligence,due diligence,M&A,Mergers & Acquisitions,SCF
SCF Council
April 19, 2023

The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. One of the use cases for the SP-CMM is to provide a means to perform due diligence of cybersecurity and privacy practices as part of Mergers & Acquisitions (M&A).

SP-CMM Use Case #4 – Due Diligence In Mergers & Acquisitions (M&A)

It is commonplace to conduct a cybersecurity and privacy practices assessment as part of Mergers & Acquisitions (M&A) due diligence activities. A gap assessment against a set of baseline M&A controls (e.g., the SCF-B control set) can be used to gauge the level of risk. In practical terms, this type of maturity-based gap assessment can be used in a few ways:

  • Sellers can provide the results from a first- or third-party gap assessment to demonstrate both strengths and weaknesses, as a sign of transparency.
  • Buyers can identify unforeseen deficiencies that can:
  1. Lead to a lower buying price; or
  2. Lead to backing out of the deal.

Identifying The Problem

Acquiring another entity involves a considerable amount of trust. Cybersecurity M&A due diligence exists to prevent the purchasing entity from potentially acquiring a class-action lawsuit or multi-million dollar data protection-related fines (worst-case scenarios). M&A is a game of cat and mouse between the two parties:

  • The divesting entity is going to want to “put its best foot forward” and gloss over deficiencies; and
  • The acquiring entity wants to know the truth about strengths and weaknesses.

If the acquiring entity only leverages a single framework (e.g., NIST CSF, ISO 27002 or NIST 800-53) for due diligence work, it will most likely obtain only a partial picture of the divesting entity’s cybersecurity and privacy practices. That is why the SCF-B is a bespoke set of cybersecurity and privacy controls that was purpose-built for M&A, to provide as complete a picture as possible of the divesting entity’s cybersecurity and privacy practices.

A control set questionnaire that asks for simple yes, no or not applicable answers is insufficient in M&A due diligence. Failure to leverage maturity-based criteria will result in the inability to provide critical insights into the actual security posture of the divesting entity. The SP-CMM can be used to obtain more nuanced answers that determine (1) if a control is implemented and (2) how mature the process behind the control is.

Considerations

Referencing back to the SP-CMM Overview section of this document, the L0-L1 levels of maturity are identified as being deficient from a “reasonable person perspective” in most cases. Therefore, acquiring entities need to look at the “capability maturity sweet spot” between L2 and L4 to identify the reasonable people, processes and technologies needed to demonstrate that systems, applications, services and data are properly protected, regardless of where the data is stored, transmitted or processed.

Areas of deficiency can be identified and remediation costs determined, which can be used to adjust valuations. Key areas that affect valuations include, but are not limited to:

  • Non-compliance with statutory, regulatory and/or contractual obligations
  • Data protection practices (e.g., privacy)
  • IT asset lifecycle management (e.g., unsupported / legacy technologies)
  • Historical cybersecurity incidents
  • Risk management (e.g., open items on a risk register or Plan of Action & Milestones (POA&M))
  • Situational awareness (e.g., visibility into activities on systems and networks)
  • Software licensing (e.g., intellectual property infringement)
  • Business Continuity / Disaster Recovery (BC/DR)
  • IT / cybersecurity architectures (e.g., deployment of on-premises, cloud and hybrid architectures)
  • IT / cybersecurity staffing competencies

Identifying A Solution

The SCF did the hard work by developing the SCF-B control set. The “best practices” that comprise the SCF-B include:

  • Trust Services Criteria (SOC 2)
  • CIS CSC
  • COBITv5
  • COSO
  • CSA CCM
  • GAPP
  • ISO 27002
  • ISO 31000
  • ISO 31010
  • NIST 800-160
  • NIST Cybersecurity Framework
  • OWASP Top 10
  • UL 2900-1
  • EU GDPR