Cyber Diligence & Governance

When to Use

• Scope and run M&A or investment cyber diligence on a target or portfolio company
• Plan vendor and third-party security assessments (onboarding, renewal, concentration)
• Review security questionnaires (SIG, CAIQ, custom) and map answers to evidence
• Perform control maturity and gap analysis for diligence or governance (not full audit)
• Assess integration and transition risk (identity, data, tooling, contracts, talent)
• Prepare investment committee, deal team, or board cyber briefs with red flags and asks
• Design ongoing security governance cadence (committee packs, exception reviews, metrics)
• Coordinate diligence workstreams with legal, IT, HR, and product without owning closing

When NOT to Use