Cybersecurity MA&D Standards
Posted by SCF Council on Jul 29th 2025
The Secure Control Framework Council (SCF Council) established a cohesive, consistent set of standards for evaluating relevant cybersecurity and data protection-related controls as part of Mergers, Acquisitions & Divestitures (MA&D) due diligence activities. This MA&D due diligence is associated with Third-Party Internal Control Assessment Services (3PICA Services). By following the Mergers, Acquisitions & Divestitures Security Standards (MADSS) approach, cybersecurity and data protection practitioners can utilize a standardized approach to assess the security posture of an organization as part of MA&D activities.
The MADSS is a “standard” that normalizes MA&D-related assessment practices. The MADSS is a free reference for cybersecurity practitioners to implement a standardized approach to assess the security posture of an organization as part of MA&D activities. Additionally, the latest release of the SCF contains a proposed control set that you can use for MA&D as part of this process.
From a cybersecurity perspective, MA&D tends to be either (1) treated as an afterthought or (2) viewed as a "secret sauce" approach to performing due diligence activities. The MADSS takes a refreshing approach to the cybersecurity side of MA&D: being proactive and adding value to the process, rather than acting as a check-the-box function.