Cybersecurity in M&A transactions: a non-negotiable
Brenton Steenkamp, Kimberley Bruce and Alex Horder
Time to read: 8 minutes
In 2026, one of the more consequential mistakes that parties to an acquisition can make is undervaluing the cybersecurity risks of a target business. If a prospective purchaser fails to pay careful attention to cybersecurity risk, then it may inherit unpriced cyber and data liabilities that erode the fundamental value of the transaction.
Beyond undermining deal economics, these hidden exposures can leave the purchaser vulnerable to a wide range of legal, regulatory, litigation, financial, and operational risks.
The dynamic and unpredictable risk landscape
Most underlying cyber risks within organisations tend to be longstanding and embedded within existing systems and ways of working. Issues such as credential theft and business email compromise, patching gaps, weak privileged access controls, poor backup resilience and insufficient monitoring can all contribute to a suboptimal cyber risk profile. Supply chain concentration and global operational dependence on a small number of cloud and SaaS providers also introduce an added layer of cyber risk, as this reliance can amplify the impact of cyber incidents, outages or compromises.
The growing scale, speed and sophistication of cyber threats, particularly with the proliferation of AI and the cyber risks arising from its rapid development, make the threat landscape dynamic and unpredictable. For example, extortion models have evolved to include double and triple extortion tactics, where data theft is used as leverage alongside operational disruption.
At the same time, regulatory expectations are evolving, legislative disclosure requirements are tightening, threat response windows are compressing and regulators are increasingly unsympathetic to organisations' unknown unknowns.
Accordingly, while the underlying cyber risk categories are familiar, the threat landscape continues to evolve and traditional cyber controls can be inadequate to detect and mitigate emerging threats.
A snapshot of the legal and regulatory landscape
Privacy regulation
Australian Privacy Principle 11 (APP 11) under the Privacy Act 1988 (Cth) requires APP entities to take reasonable steps to protect personal information. This requirement is deliberately fact-dependent, which is why cyber diligence must be evidence-based and specifically examine the steps an organisation takes to protect personal information. The gap between what the target's policy says and what occurs in practice is the delta in which most cyber and privacy risk lies.
Further, the APP 11 requirement for APP entities to destroy or de-identify personal information when it is no longer required for a permitted purpose highlights a material aspect of cyber risk: the unnecessary retention of personal information. This is one of the most common and material gaps identified in due diligence. Prospective purchasers should review retention schedules, assess legacy system data holdings, and scrutinise an organisation's capability to comply with these deletion requirements.
Where a prospective purchaser acquires a target with weak security and data governance, it inherits both the operational realities and the likelihood of future incidents. It may also inherit regulatory and litigation risk if inadequate practices continue post-completion, or if historic issues prompt ongoing remediation, notifications or investigations.
Action: Given the significant penalties an organisation may face under the Privacy Act, it is clear that Privacy Act compliance and robust data governance must be central elements of any cyber due diligence investigation.
Mandatory reporting and critical infrastructure
The Cyber Security (Ransomware Payment Reporting) Rules 2025 (Cth), made under the Cyber Security Act 2024 (Cth), require reporting entities to report ransomware or cyber-extortion payments made by them, or known to have been made on their behalf, within 72 hours of payment. Further, the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) regulates critical infrastructure assets across multiple sectors and has been progressively expanded through reforms to broaden obligations and strengthen government assistance mechanisms.
Prospective purchasers will need to determine whether a target (or part of its operations, managed services footprint, or customer base) falls within the scope of the SOCI Act and is subject to its reporting obligations. The outcome of this assessment will define the target's baseline cyber governance expectations, the scope of its incident reporting and notification obligations, and any potential constraints on integration.
Action: due diligence should assess compliance with all applicable regulatory regimes. In particular, where the SOCI Act applies to the target, due diligence should go beyond the target's baseline reporting obligations and examine the target's critical infrastructure risk management program compliance posture, its hazard and material risk mapping, and whether third-party data or managed service arrangements create further obligations under the SOCI Act or further risk vectors.
Financial services regulation
For targets regulated by the Australian Prudential Regulation Authority (APRA), Prudential Standard CPS 234 (Information Security) requires a regulated entity to maintain an information security capability commensurate with the vulnerabilities and threats to which the target is exposed. APRA continues to remind regulated entities that these are binding obligations, not aspirational targets. Similarly ASIC treats cyber resilience as a core component of a licensee's obligations and broader market integrity. Accordingly, where a prospective purchaser proposes to acquire an APRA-regulated target, it is critical that regulatory compliance is carefully assessed.
For APRA-regulated prospective purchasers, Prudential Standard CPS 230 (Operational Risk Management) sharpens the focus on critical operations, material service provider governance, and operational resilience tolerances. Ensuring ongoing compliance with this standard is a key consideration for APRA-regulated purchasers in any transaction, particularly in assessing the impact the acquisition may have on their ability to continue to meet their obligations under the standard.
Action: due diligence, transaction planning and transitional services design must be conducted with this compliance in mind.
Applying a risk lens to a transaction
In the transaction context, where a prospective purchaser proposes to acquire a business, it is, in fact, acquiring a threat surface, and so investigations into the full scope of cyber threats, and an interrogation of a target organisation's cyber maturity and capacity to deal with those threats, are essential. Comprehensive cyber due diligence is becoming a market standard practice; sophisticated purchasers expect it, insurers will underwrite against it, and sellers who cannot evidence cyber maturity will likely face valuation adjustments, escrow pressure and extended completion timelines.
However, standard transaction processes and due diligence investigations may not be fit-for-purpose where a purchaser seeks to properly interrogate the cyber risks that may exist within a target's operations. Cyber liabilities often conceal themselves in traditional diligence exercises, and organisations cannot afford to rely on traditional processes that will leave certain risks uncovered until the post-completion run state.
But cyber risk can also exist as a feature of the transaction process itself. Compressed diligence timetables and high-trust data sharing in virtual data rooms can elevate it, and back-end separation and integration efforts post-completion may also play host to a number of cyber issues, given temporary access pathways under transitional services arrangements and complex identity and network connectivity events post-completion. Even well-governed organisations become temporarily more vulnerable during a transaction.
It's essential that organisations proposing to undertake sale and purchase activities are live to the cyber-related issues that can arise at all stages of the transaction lifecycle.
Cyber due diligence: what “good” looks like
A defensible cyber due diligence program has two defining features:
it is evidence-based, focused on processes, controls, governance, architecture and incident artefacts, rather than policy documentation alone. Diligence must be directed towards answering specific questions about the target's operational state (including, for example, whether there is latent compromise, whether identity controls are fragile, whether third-party control maturity is adequate), rather than simply confirming that the target has policies; and
it is calibrated to the size of the transaction and the purchaser's risk tolerance, while ensuring compliance with a minimum baseline.
The following tiered model provides a scalable framework for cyber due diligence.
Tier 1 (Baseline)
This sort of due diligence scope would be appropriate for smaller or time-constrained transactions, with core workstreams including, by way of example:
external attack surface scans and credential leak checks;
identity baselining, covering multi-factor authentication (MFA) coverage, privileged accounts and joiner/mover/leaver processes;
endpoint detection and response (EDR) deployment and patching cadence;
assessment of backup and restore capability with evidence of a restore test;
incident history and breach notification review;
high-level data mapping.
The output of investigations could take the form of an organisational heat map, incorporating remediation efforts and cost estimates.
Tier 2 (Enhanced)
For transactions involving targets with significant data assets or material integration requirements, prospective purchasers may also conduct:
targeted technical testing of high-risk assets, including identity infrastructure, cloud configurations and privileged access pathways;
sampling-based control verification against the target’s own claims, drawing on tickets, logs and change control evidence;
a privacy and regulatory gap analysis mapped to actual data flows and retention practices, framed around APP 11 reasonable steps exposure;
third-party contract sampling examining security clauses, notification timelines and audit rights; and
a tabletop incident response exercise focussed on an integration scenario.
Tier 3 (Deep)
For transactions involving large-cap, cross-border, critical infrastructure or highly regulated targets, prospective purchasers may additionally:
conduct a time-boxed compromise assessment or threat hunt;
perform an architecture review across IT and operational technology;
undertake a deeper cloud security posture management review;
conduct a code supply chain review for software targets;
develop a formal integration gating plan; and
align insurance coverage with identified cyber risks.
Sector-based considerations
Diligence priorities vary by sector, and boards should calibrate the approach accordingly. For:
healthcare and health technology targets, the focus should be on data segmentation, access controls and retention discipline through an APP 11 lens, given the heightened regulatory and reputational consequences of breaches involving health information;
financial services and fintech targets, CPS 234 norms provide a useful benchmark even where the target is not directly APRA-regulated, and acquirers should assess whether the target’s posture would withstand regulatory scrutiny post-completion;
critical infrastructure-adjacent targets (data centres, managed services, utilities supply chains), SOCI Act scope assessment is a threshold issue, with incident response capability and third-party dependencies as central diligence priorities;
SaaS and software targets, code supply chain integrity, secrets management and customer contractual obligations are as significant as internal controls; and
retail and consumer data targets, identity fraud and customer data exposure drive brand damage, making identity and access management and breach notification capability the primary focus areas.
Turning diligence into deal protection
Cyber due diligence is essential for de-risking transactions and safeguarding the value expected to be realised from the transaction. The underlying challenge is timing. Cyber risk is most dynamic precisely when traditional diligence concludes at signing, controls are often most fragile during the transition period, and integration activities create new attack surfaces and access pathways. Deal protections must therefore be designed not only to allocate identified risk, but also to manage the signing-to-completion gap and post-completion integration. A range of mechanisms are available, with their selection dependent on the target's risk profile as identified during due diligence and the relative negotiating power of the parties.
Pricing and valuation
Quantified remediation work should be treated as capital or operational expenditure and priced through an adjustment to the upfront purchase price, or operationalised via pre-completion remediation covenants (or a combination of both). For higher-risk targets, cyber risk should be treated like leakage risk, with notification obligations for material incidents between signing and completion and, where appropriate, corresponding indemnification for such incidents.
Escrows, holdbacks and earnout protections
Cyber-specific escrows should be sized to cover the high-probability downside, with release conditions linked to objective milestones. Earnout mechanics should address how cyber incidents affect performance measurement and therefore the earnout calculations. Where a post-closing cyber incident occurs which arose from a vulnerability or compromise that existed pre-completion, buyers should ensure that the resulting downtime is reflected in performance calculations, so that the seller’s earnout is adjusted to account for the pre-existing issue.
Conditions precedent and interim covenants
For higher-risk targets, conditions precedent should require “minimum viable security” deliverables before completion. These may include multifactor authentication enforcement for all privileged accounts and remote access, disabling of legacy protocols, patching of critical vulnerabilities identified in diligence, and confirmation that backups are immutable and a restore test has succeeded. Between signing and completion, interim operating covenants should prevent deterioration, including no material changes to security tooling or third-party providers without consent, maintenance of security headcount and SOC coverage, and prompt notification of material incidents.
Representations and warranties
Boilerplate “compliance with laws” warranties are inadequate in the cyber context. The transaction documents should include representations and warranties that are orientated toward the risks identified during due diligence, including:
incident and breach disclosure over a defined lookback period, including all regulator interactions;
third-party management, confirming vendor security obligations, breach notification timelines and subcontractor controls; and
data governance framed around APP 11 by reference to actual security measures and retention and destruction processes, rather than generic compliance assertions.
Key drafting considerations include longer survival periods for cyber representations, separate caps and baskets, and treatment of certain cyber representations as fundamental warranties where appropriate.
Indemnities
Indemnities can be utilised where due diligence identifies known risks or issues, including incidents with incomplete scope, regulatory investigations, or exposures of specific datasets for which the seller should remain accountable.
Insurance alignment
Warranty and Indemnity insurance is not a substitute for diligence. Insurers underwrite against cyber risk specifically, and superficial diligence is likely to result in policy exclusions. The target’s existing cyber insurance assignability, exclusions and notification requirements should be verified pre-completion.
TSA security and integration gating
Transitional services arrangements can become a backdoor for security risk if not properly structured. Security schedules should:
define minimum controls during the transitional period, including MFA, logging and segmentation requirements;
set incident notification timelines and cooperation obligations; and
include rights to audit the security controls applied to transitional services.
Integration gating rules should explicitly provide that the purchaser will not connect networks until the target meets a defined security baseline, that any interim data transfers will use controlled and monitored channels, and that privileged accounts created for integration purposes are time-limited and actively monitored.
Walk-away rights
For higher-risk targets, the transaction documents should address the consequences of material cyber deterioration between signing and completion, including allowing the buyer to terminate the transaction where a cyber-specific issue has resulted in a "material adverse change".
Key takeaways
Cyber due diligence is no longer an optional exercise for sophisticated transactions. It is a rational prerequisite that should be treated with the same rigour as financial, tax and legal diligence. Organisations that approach it as a value-creation discipline, rather than a compliance burden, are more likely to complete transactions more efficiently, achieve smoother integration, and minimise post-completion surprises.
The critical point is that this value is only realised when due diligence informs transaction structuring, the transaction terms and the design of the transition and integration process. A diligence report must translate into enforceable protections through transaction documentation to deliver its real value.
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.