Security & Privacy Capability Maturity Model (SP-CMM) Use Case #4 – Due Diligence In Mergers & Acquisitions (M&A)

Posted by SCF Council on Apr 19th 2023

The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. One of the use cases for the SP-CMM is to provide a means to perform due diligence of cybersecurity and privacy practices as part of Mergers & Acquisitions (M&A).

SP-CMM Use Case #4 – Due Diligence In Mergers & Acquisitions (M&A)

It is commonplace to conduct a cybersecurity and privacy practices assessment as part of Mergers & Acquisitions (M&A) due diligence activities. A gap assessment against a set of baseline M&A controls (e.g., the SCF-B control set) can be used to gauge the level of risk. In practical terms, this type of maturity-based gap assessment can be used in a few ways:

  • Sellers can provide the results from a first- or third-party gap assessment to demonstrate both strengths and weaknesses, as a sign of transparency.
  • Buyers can identify unforeseen deficiencies that can:
    1. Lead to a lower buying price; or
    2. Justify backing out of the deal.

Identifying The Problem

Acquiring another entity involves a considerable amount of trust. Cybersecurity M&A due diligence exists to prevent the purchasing entity from potentially acquiring a class-action lawsuit or multi-million-dollar data protection-related fines (worst-case scenarios). M&A is a game of cat and mouse between the two parties:

  • The divesting entity is going to want to “put its best foot forward” and gloss over deficiencies; and
  • The acquiring entity wants to know the truth about strengths and weaknesses.

If the acquiring entity only leverages a single framework (e.g., NIST CSF, ISO 27002 or NIST 800-53) for due diligence work, it will most likely get only a partial picture of the divesting entity’s cybersecurity and privacy practices. That is why the SCF-B is a bespoke set of cybersecurity and privacy controls that was purpose-built for M&A to provide as complete a picture as possible of the divesting entity’s cybersecurity and privacy practices.

A control set questionnaire that asks for simple yes, no or not applicable answers is insufficient in M&A due diligence. Without maturity-based criteria, the assessment cannot provide critical insights into the actual security posture of the divesting entity. The SP-CMM can be used to obtain more nuanced answers that determine (1) if a control is implemented and (2) how mature the process behind the control is.

Referencing back to the SP-CMM Overview section of this document, L0-1 levels of maturity are identified as being deficient from a “reasonable person perspective” in most cases. Therefore, acquiring entities need to look at the “capability maturity sweet spot” between L2-L4 to identify the reasonable people, processes and technologies needed to demonstrate that systems, applications, services and data are properly protected, regardless of where they are stored, transmitted or processed.
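The two points above (a yes/no questionnaire hides the difference between an ad hoc control and a mature one, and L0-L1 counts as deficient while L2-L4 is the target band) are easy to see in code. The following is an added illustration, not SCF tooling or part of the original post: it compares the questionnaire view of a seller's answers with a maturity-based gap report. The control identifiers (CTRL-01 and so on), the area labels and the maturity levels in the sample are all constructed; the area names are taken from the valuation areas the post lists.

```python
"""Maturity-based gap assessment for M&A due diligence (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Maturity bands as the post describes them: L0-L1 is deficient from a
# "reasonable person" perspective, L2-L4 is the capability maturity sweet spot.
DEFICIENT_MAX = 1
SWEET_SPOT = range(2, 5)   # L2, L3, L4
TARGET_LEVEL = 2           # lowest level inside the sweet spot


@dataclass(frozen=True)
class ControlResult:
    control_id: str    # hypothetical identifier, not a real SCF control ID
    area: str          # valuation area the control belongs to
    implemented: bool  # what a yes/no questionnaire captures
    maturity: int      # assessed SP-CMM level, 0..5

    def __post_init__(self) -> None:
        if not 0 <= self.maturity <= 5:
            raise ValueError(f"{self.control_id}: maturity must be L0-L5")
        # A "yes" at L0, or a "no" at L1 or above, is a contradiction that
        # due diligence should chase down rather than silently accept.
        if self.implemented != (self.maturity > 0):
            raise ValueError(f"{self.control_id}: yes/no answer contradicts maturity")


def binary_coverage(results: List[ControlResult]) -> float:
    """Share of controls answered 'yes': the questionnaire view of the seller."""
    return sum(r.implemented for r in results) / len(results)


def classify(result: ControlResult) -> str:
    """Band a control by its assessed maturity level."""
    if result.maturity <= DEFICIENT_MAX:
        return "deficient"
    if result.maturity in SWEET_SPOT:
        return "reasonable"
    return "above-target"


def gap_report(results: List[ControlResult], target: int = TARGET_LEVEL) -> Dict:
    """Summarise deficiencies in the form a buyer would use to adjust valuation."""
    by_area: Dict[str, List[str]] = defaultdict(list)
    level_gap = 0
    for r in results:
        if classify(r) == "deficient":
            by_area[r.area].append(r.control_id)
        # Maturity levels the seller would have to climb to reach the target.
        level_gap += max(0, target - r.maturity)
    return {
        "binary_coverage": binary_coverage(results),
        "deficient_count": sum(len(v) for v in by_area.values()),
        "deficient_by_area": dict(by_area),
        "levels_to_target": level_gap,
    }


# Constructed sample: four of five answers are "yes", yet two of those
# controls are only ad hoc (L1) and one is not performed at all (L0).
SAMPLE_RESULTS = [
    ControlResult("CTRL-01", "Data protection", True, 3),
    ControlResult("CTRL-02", "Data protection", True, 1),
    ControlResult("CTRL-03", "Situational awareness", True, 1),
    ControlResult("CTRL-04", "BC/DR", False, 0),
    ControlResult("CTRL-05", "IT asset lifecycle", True, 4),
]

if __name__ == "__main__":
    print(f"questionnaire coverage: {binary_coverage(SAMPLE_RESULTS):.0%}")
    print(gap_report(SAMPLE_RESULTS))
```

On the sample, the questionnaire reports 80% coverage while the maturity view flags three of five controls as deficient; raising the target to L4 changes only `levels_to_target`, which is the number a remediation estimate would be built on.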

Areas of deficiency can be identified and remediation costs determined, which can be used to adjust valuations. Key areas that affect valuations include, but are not limited to:

  • Non-compliance with statutory, regulatory and/or contractual obligations
  • Data protection practices (e.g., privacy)
  • IT asset lifecycle management (e.g., unsupported / legacy technologies)
  • Historical cybersecurity incidents
  • Risk management (e.g., open items on a risk register or Plan of Action & Milestones (POA&M))
  • Situational awareness (e.g., visibility into activities on systems and networks)
  • Software licensing (e.g., intellectual property infringement)
  • Business Continuity / Disaster Recovery (BC/DR)
  • IT / cybersecurity architectures (e.g., deployment of on-premises, cloud and hybrid architectures)
  • IT / cybersecurity staffing competencies

Identifying A Solution

The SCF did the hard work by developing the SCF-B control set. The “best practices” that comprise the SCF-B include:

  • Trust Services Criteria (SOC 2)
  • COBITv5
  • COSO
  • GAPP
  • ISO 27002
  • ISO 31000
  • ISO 31010
  • NIST 800-160
  • NIST Cybersecurity Framework
  • OWASP Top 10
  • UL 2900-1