Standardizing MA&D Cybersecurity Due Diligence
The SCF took on an ambitious project to “build a better mousetrap” to fix common complaints associated with MA&D due diligence. The MADSS provides a cohesive, consistent set of standards for evaluating cybersecurity and data protection controls as part of MA&D activities.
The MADSS is not one-size-fits-all. Instead, the guidance should be adopted and tailored to the unique size, resources and risk circumstances of each organization. It can be modified, or augmented, with specific requirements. By following this methodology, cybersecurity and data privacy practitioners can improve the currently disjointed approach used to perform assessments of cybersecurity and/or data privacy controls.
The MADSS is based on the SCF’s Cybersecurity & Data Protection Assessment Standards (CDPAS). Per NIST, a standard is “a document, established by consensus and approved by a recognized body, which provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”
Assessment vs. Audit
The MADSS focuses on third-party assessments, not audits. An assessment evaluates whether controls are implemented correctly, operating as intended, and producing the desired outcome. An audit independently examines records and activities to ensure compliance with established controls and procedures. These terms are not interchangeable.
Who Uses MADSS?
The intended audience encompasses the “assessment ecosystem,” including all parties involved in MA&D cybersecurity due diligence activities.
Entity Being Acquired (EBA)
The organization (seller/target company) seeking to be acquired by another entity. EBAs must demonstrate proactive governance and maintain evidence of their cybersecurity and data privacy posture for assessment.
Acquiring Entity (AE)
The organization (buyer/acquirer/suitor) seeking to acquire another entity. AEs define risk tolerances, maturity levels, and materiality thresholds that form the assessment criteria.
Third-Party Assessor (TPA)
A company or individual that performs MA&D-related cybersecurity and/or data protection control assessment services. TPAs must demonstrate subject matter competency, independence, and ethical conduct.
External Service Providers (ESP)
Independent third-party organizations providing services, technologies, facilities and/or people, including consultants, Cloud Service Providers (CSPs), Managed Service Providers (MSPs), and MSSPs.
MA&D Considerations for Threat Identification & Risk Management
From an MA&D perspective, the goal of threat identification and risk analysis is to determine whether criteria fall within acceptable or unacceptable risk parameters. Understanding the relationship between risk appetite, risk tolerance, and risk thresholds is vital.
Risk Appetite (Strategic)
The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value. Defined at the corporate level where strategic actions and decisions are made. Can be organization-wide or compartmentalized.
Risk Tolerance (Operational)
The level of risk an entity is willing to assume in order to achieve a desired result. Put into practice at the Line of Business (LOB) level where operational actions and decisions are made, defined by the established risk appetite.
Risk Thresholds (Tactical)
Values used to establish concrete decision points and operational control limits to trigger management action and response escalation. Used at the department/team level to assess operational risk within tolerance.
Risks vs. Threats
A risk exists due to a control absence or deficiency. A threat affects the ability of a control to exist or operate properly. Both tie into cybersecurity and data protection controls, but understanding the differences is critical for MA&D due diligence.
Eight Standard Categories
The MADSS defines eight standard categories covering the complete lifecycle of MA&D cybersecurity due diligence, from professional duty of care through conformity designation.
Below, you can view each standard and their corresponding substandards in more detail.
#
#
#
#
#
#
#
#
PPTDF Control Applicability Framework
The MADSS uses the People, Processes, Technologies, Data and Facilities (PPTDF) framework to categorize control applicability across the assessment boundary.
People
Human resources, roles, responsibilities, training, awareness, and personnel security controls applicable to the assessment boundary.
Processes
Administrative and operational procedures, policies, standards, and governance activities that define how controls are managed and executed.
Technologies
Technical controls including systems, applications, services, and infrastructure components within the assessment boundary.
Data
Data classification, handling, protection, privacy, retention, and disposal controls for information within scope of the assessment.
Facilities
Physical security controls for buildings, offices, data centers, and other physical locations within the assessment boundary.
Three Levels of Assessment Rigor
The MADSS recognizes three levels of rigor to assess a control, each with increasing depth and coverage to provide corresponding levels of assurance.
Level 1: Standard Rigor
Minimum assurance. Determines whether applicable controls are implemented and free of obvious errors. Provides a baseline level of understanding of administrative, technical and physical measures.
Level 2: Enhanced Rigor
Moderate assurance. Determines whether controls are implemented, free of obvious/apparent errors, and provides increased grounds for confidence that controls are implemented correctly and operating as intended.
Level 3: Comprehensive Rigor
High assurance. Provides further increased confidence that controls are implemented correctly, operating as intended on an ongoing and consistent basis, and supports continuous improvement in effectiveness.
Assessment Methods: Examine, Interview & Test
Assessors independently verify conformity using three methods: Examine (checking/inspecting/reviewing assessment objects), Interview (conducting discussions to facilitate understanding), and Test (exercising assessment objects under specified conditions to compare actual with expected behavior).
Considerations to Improve Valuation & Reduce Risk
Cybersecurity posture directly impacts MA&D valuation. The MADSS appendices address how security practices can affect deal value, both positively and negatively.
Red Flags That Can Hurt Valuation
Material control deficiencies or material weaknesses
Undisclosed material incidents or breaches
Non-compliance with regulatory obligations
Absence of governance documentation
No defined risk tolerance or maturity targets
Opportunities to Improve Valuation
Demonstrated maturity at L2+ across material controls
Third-party assessment evidence and attestations
Documented risk management and treatment plans
Proactive governance and compliance programs
Post-Close Integration Security Plan (PCISP) readiness
Plan-Do-Check-Act (PDCA)
The MADSS is designed to operate within a continuous PDCA improvement cycle, enabling organizations to systematically improve their MA&D due diligence practices over time.
PLAN
Define the MA&D assessment scope and boundaries. Identify stakeholders, agree upon the control set, define risk tolerances and maturity levels, and establish the assessment plan with the Evidence Request List (ERL).
DO
Conduct the MA&D assessment using the three methods (Examine, Interview, Test). Evaluate controls against PPTDF applicability. Document findings, control designations, and gather evidence through the Virtual Data Room (VDR).
CHECK
Perform objective peer review of assessment findings. Validate conformity designations. Calculate projected remediation costs. Compare findings against defined materiality thresholds and risk tolerances.
ACT
Issue the Report on Conformity (ROC). Address finding challenges. Develop the Post-Close Integration Security Plan (PCISP). Incorporate lessons learned into future MA&D due diligence processes.
.png)

%20(white).png)