M&A Cybersecurity Due Diligence: The Questions That Matter Most
Bank mergers and acquisitions are reaching record levels
- Written by Steve Sanders, chief risk officer and chief information security officer, CSI
Bank mergers and acquisitions are reaching record levels. As the U.S. banking sector enters a new wave of consolidation, are institutions asking the right cybersecurity questions during due diligence? Incomplete or inaccurate risk assessments that contain hidden liabilities can cost millions to remediate and expose the combined organization to regulatory scrutiny and data breaches.
If you're considering acquiring or merging with another institution, cybersecurity due diligence deserves the same rigor as financial and credit risk assessment. At the highest level, you need questions that help you understand an institution’s maturity in managing risk and your own organization’s potential exposure.
The first priority is to determine whether you're acquiring a bank with genuine security maturity or just good compliance paperwork. There's a difference, and it matters. Start by asking the institution you're evaluating for acquisition these questions:
- Can you describe the cybersecurity risk framework you're using, and can you explain how you use it to strengthen your organization? This reveals whether they simply complete assessments or actually act on findings. Many institutions can name their framework but struggle to articulate what they've done with the results.
- How aware are your senior management team and board of directors of your cybersecurity posture? Board engagement signals whether security is treated strategically or as a checkbox exercise.
- What are the five things on your to-do list in the next year to improve your cybersecurity defenses? Their answers reveal whether they understand their gaps and have a realistic improvement plan.
There isn’t necessarily a right or wrong answer, but an accurate risk profile can and should be a key factor when evaluating a merger or acquisition. If you're walking into a poor risk position, it could affect valuation, negotiations or the cost of further investment to strengthen security after closing.
Evaluating data stewardship
At a conceptual level, data stewardship is no different from any vendor relationship. Banks should have comprehensive third-party risk management programs in place, and the same applies to M&A targets.
Before acquiring an institution, bank leaders must understand exactly what data liabilities they’re inheriting. Where does customer data sit? How is it managed? How is it protected? When is it purged? How can it be obtained if the relationship ends?
Depending on the data stored, it's important to understand how access to it is protected against data breaches and insider threats. Can the institution demonstrate that its controls are actually working?
Remember: A bank can outsource functions, but it can't outsource the risk to its customers' data. In many cases, this will involve highly sensitive personally identifiable information (PII) regulated under the GLBA and other similar mandates.
Understanding the third-party risk cascade
One of the most overlooked aspects of M&A cybersecurity due diligence is the target's vendor ecosystem. When you acquire a bank, you're also inheriting relationships with every fintech, core provider and service vendor they use.
What fintechs or other vendors will gain access to your data through the acquisition? Get a complete inventory. How do you plan to oversee an acquired institution's complex network of partners and vendors? Do they have robust third-party risk management with clear governance structures and reporting to the board of directors, or obscure agreements that leave accountability unclear?
Don't just stop at the vendor inventory. Governance and reporting structures matter just as much. In many cases it would benefit the bank to have a third-party risk management committee with the responsibility to weigh in on vendor risk and report findings to the board.
Consider the potential for data to be sent to a fourth party — a third party of the fintech. The level of oversight should be contingent upon the risk posed to the community bank and its customers' data, and those data flows can be winding, far-reaching and opaque.
The framework paradox
Here's what I've observed: Mature organizations shouldn't be using the FFIEC CAT. At this stage, it has reached the end of its useful life as a primary assessment tool. However, the harsh truth is that a small bank using the CAT effectively and acting on its findings may be more mature than a larger bank with sophisticated frameworks like NIST CSF that they don't act on. Any institution that emerges from a cybersecurity assessment with an action plan based on results indicates a solid foundation of security awareness.
During M&A due diligence, the framework itself matters far less than what the institution has done with it. A well-executed assessment should produce a clear action plan with measurable progress. Ask to see evidence of improvements driven by assessment findings, such as upgraded systems, enhanced controls, staff training initiatives or policy changes. It’s a red flag if the acquired institution can only point to completed paperwork rather than tangible security enhancements. The assessment was either ignored or used as window dressing, and neither scenario suggests a mature security posture worth inheriting.
The CAT sunset creates specific M&A implications for smaller institutions. The transition to more comprehensive frameworks like NIST CSF requires specialized expertise that many community banks don't have in-house. The person who can complete a strategic cybersecurity assessment and develop an actionable improvement plan isn't the same person managing day-to-day network operations. If the target institution has executives "wearing lots of different hats" or lacks dedicated cybersecurity talent, consider hiring specialized staff or engaging external experts. This isn't a weakness. It's a resource reality that should inform your valuation and integration planning.
Applying a due diligence checklist
Simply asking questions isn't enough for proper risk assessment. Request and review the following documentation:
- Most recent cybersecurity assessment results and action plans developed from findings.
- Security incident history for the past three years, including response times and remediation costs.
- Current cybersecurity budget as a percentage of IT spending.
- Vendor contracts with data access provisions and security incident service level agreements.
- Board minutes related to cybersecurity discussions.
- Any audit findings related to information security.
Banks seeking to make acquisitions need to know if they’re walking into a weakly positioned organization. Fixing it will cost substantially more than acquiring one with mature security practices. The institutions that conduct thorough cybersecurity due diligence — asking hard questions, validating claims and calculating remediation costs — protect themselves from expensive surprises after closing.
In M&A, you're not just acquiring assets and customers. You're also acquiring every cybersecurity liability, every vendor relationship, and every gap in their security program. Make sure you understand exactly what you're buying and the potential risk you’re inheriting.
About Steve
Steve Sanders serves as CSI's chief risk officer and chief information security officer. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight.
CSI will participate in the Banking Exchange Stablecoins virtual conference on Core Providers.