What is Cybersecurity Due Diligence in M&A?

Cybersecurity due diligence M&A is the systematic legal, technical, and operational investigation conducted during acquisitions to identify cyber risks, data protection compliance gaps, breach history, security infrastructure weaknesses, and potential liabilities that could affect transaction value or post-closing operations. This specialized assessment examines a target company's digital infrastructure, data handling practices, security controls, vendor management, incident response capabilities, and historical breach record before the buyer commits to the acquisition.

For multinational corporations acquiring Indian technology companies, e-commerce platforms, fintech startups, healthcare providers, or any business handling personal data, cybersecurity due diligence M&A has become non-negotiable. The process ensures buyers understand potential cyber liabilities, assess the robustness of digital defenses, and identify hidden exposures that could transform profitable transactions into expensive legal nightmares.

Traditional M&A due diligence examines financial performance, contracts, employment matters, regulatory compliance, intellectual property, and litigation. Cyber DD adds another critical layer by evaluating whether the target's digital assets, customer data, and proprietary information carry hidden risks. For cross-border deals involving India, this includes assessing compliance with India's legal framework under the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 (DPDP Act).

Why Cybersecurity Due Diligence Matters in India

India's digital economy has expanded rapidly, with millions of businesses now handling sensitive customer data, payment information, health records, financial data, and personal identifiers. When foreign buyers acquire Indian companies, they inherit existing and potential liabilities arising from past data breaches, ongoing regulatory investigations, non-compliance with statutory requirements, weak security infrastructure, third-party vendor risks, customer lawsuits, and potential criminal liability.

The consequences of inadequate cybersecurity due diligence M&A can be severe. Companies acquiring businesses without proper security posture assessment have inherited regulatory fines, customer lawsuits, reputational damage, and operational disruptions worth millions of dollars. In cross-border M&A involving India, these risks multiply because buyers must navigate multiple regulatory layers while meeting international compliance obligations under GDPR, CCPA, and other jurisdictions.

Legal Framework Governing Cybersecurity in Indian M&A

Cybersecurity due diligence M&A involving Indian targets requires understanding multiple regulatory layers that create data-breach liability acquisition risks.

Digital Personal Data Protection Act, 2023 (DPDP Act)

The DPDP Act, which received Presidential assent on August 11, 2023, establishes obligations for Data Fiduciaries (entities determining the purpose and means of processing personal data) and Data Processors. The Act mandates consent-based data collection, purpose limitation, data minimization, security safeguards, breach notification, and accountability measures.

Section 8 of the DPDP Act imposes penalties up to INR 250 crores for non-compliance. Buyers acquiring companies that process personal data inherit compliance obligations and potential penalty exposure for historical violations. The Act introduces strict requirements for consent mechanisms, data principal rights (access, correction, erasure), cross-border data transfers, and grievance redressal mechanisms.

Information Technology Act, 2000 (IT Act)

Section 43A of the IT Act requires body corporates handling sensitive personal data or information to implement reasonable security practices and procedures. Failure to do so makes the entity liable to compensate affected persons. Section 72A creates criminal liability for unauthorized disclosure of personal information obtained during the provision of services under lawful contract.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, prescribe detailed security requirements that body corporates must implement. Non-compliance creates compensatory liability to affected individuals, making the target breach history a critical due diligence component.

CERT-In Cyber Incident Reporting Requirements

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, as amended in 2022, mandate that service providers, intermediaries, data centres, and body corporates report cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In) within six hours of noticing such incidents.

Non-compliance attracts penalties under Section 70B(7) of the IT Act. Buyers must verify whether the target maintains incident logs, reporting protocols, and evidence of timely reporting. Failure to report incidents creates regulatory penalty exposure that buyers inherit.

Sector-Specific Cybersecurity Regulations

The Reserve Bank of India (RBI) has issued multiple cybersecurity directives for banks, non-banking financial companies (NBFCs), payment system operators, and other regulated entities. The RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 2016, and subsequent circulars mandate cybersecurity frameworks, incident reporting, audit requirements, and resilience testing.

Similarly, the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), the Telecom Regulatory Authority of India (TRAI), and other sector regulators impose cybersecurity obligations on entities under their jurisdiction. Non-adherence to regulations such as RBI's Master Direction - Cyber Security Framework in Banks or SEBI's Cyber Security & Cyber Resilience framework for Stock Brokers indicates significant compliance risk.

Bharatiya Nyaya Sanhita, 2023 (BNS)

The BNS replaced the Indian Penal Code, 1860, and includes provisions addressing cyber-related offences. Section 318 of BNS deals with cheating by personation using computer resources. Section 319 addresses identity theft, making it a criminal offence punishable with imprisonment up to three years and a fine.

Section 308 of BNS addresses cheating, and Section 303 addresses theft, both of which can apply when cyber incidents facilitate criminal activities. Buyers must assess whether the target company or its key personnel face criminal exposure under BNS for cyber-related misconduct.

Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) and Bharatiya Sakshya Adhiniyam, 2023 (BSA)

The BNSS governs procedural aspects of investigation, prosecution, and trial in criminal matters, including cyber offences. The BSA governs evidence in such proceedings. Buyers must review whether the target faces ongoing investigations or prosecutions under BNSS procedures for cyber incidents, and whether evidence handling under BSA creates exposure.

Core Components of Effective Cybersecurity Due Diligence M&A

Conducting effective Cyber DD involves a multi-faceted approach leveraging technical, legal, and operational expertise across several dimensions.

Target Breach History Review

Understanding the target breach history is the most critical starting point. Buyers must identify all cybersecurity incidents, data breaches, ransomware attacks, phishing incidents, or unauthorized access events in the past three to five years. This assessment must determine whether incidents were reported to CERT-In, sector regulators, law enforcement, or affected individuals as legally required.

Many sellers attempt to minimize or hide breach incidents during M&A negotiations. Buyers must conduct independent technical assessments, review third-party security audits, examine cyber insurance claims, analyze customer complaints, check regulatory filings, and interview IT and security personnel to uncover hidden breach history.

Key questions include whether remediation steps were taken post-incident, whether incidents resulted in regulatory investigations, penalties, customer lawsuits, or reputational damage, and whether potential ongoing liability exposure from unremediated breaches exists. Undisclosed or inadequately remediated breaches create significant data-breach liability acquisition risks.

Security Posture Assessment

A security posture assessment evaluates the target's current cybersecurity infrastructure, policies, processes, and controls. This comprehensive evaluation examines network security architecture, firewalls, intrusion detection and prevention systems, endpoint protection, antivirus and malware detection tools, access controls and authentication mechanisms, privileged access management, and data encryption practices (both at rest and in transit).

The assessment also reviews security policies, incident response plans, business continuity planning, employee training on cybersecurity awareness, vulnerability management and patch management processes, and third-party security audits, penetration testing, and security certifications such as ISO 27001 or SOC 2.

Weak security posture increases the risk of post-closing incidents that could disrupt operations, trigger regulatory action, or expose the buyer to customer lawsuits. Outdated technology and software, poor access controls, lack of encryption, weak incident response plans, and inadequate employee training are significant risk factors.

Data Protection Compliance Audit

Buyers must assess compliance with DPDP Act obligations including consent mechanisms, data processing purposes, storage limitations, data principal rights, and grievance redressal mechanisms. The audit must verify IT Act Section 43A compliance with reasonable security practices, privacy policies, and contractual obligations with data processors.

CERT-In reporting obligations must be verified, along with sector-specific cybersecurity regulations from RBI, SEBI, IRDAI, TRAI, and other regulators. Cross-border data transfer compliance requires examining whether the target transfers personal data outside India and whether such transfers comply with applicable restrictions.

Contractual data protection obligations under customer contracts, vendor agreements, and service level agreements imposing security requirements must be reviewed. High volumes of undocumented data without proper classification, ownership, or security protocols create compliance nightmares, especially under the DPDP Act, 2023.

Third-Party Vendor and Supply Chain Risk Assessment

Many breaches originate from third-party vendors. Cyber DD must evaluate cloud service providers for security certifications, data residency, and encryption standards. Software vendors require assessment of vulnerability management and patch release processes. Payment processors must demonstrate PCI-DSS compliance.

IT service providers need evaluation of access controls and security monitoring. Marketing and analytics platforms require examination of data handling practices. Buyers must review vendor contracts for security obligations, indemnification clauses, and liability allocation. Vague vendor contracts lacking clear cybersecurity clauses, data protection responsibilities, and liability allocation create potential points of failure.

Incident Response and Business Continuity Planning

Effective cyber DD evaluates whether the target has documented incident response plans, whether plans have been tested or activated during actual incidents, and whether business continuity and disaster recovery plans exist for cyber incidents. The assessment must determine whether the target maintains offline backups to recover from ransomware attacks and whether key personnel are trained to respond to incidents.

Weak incident response capabilities increase the severity and financial impact of post-closing breaches. Companies without clear, tested plans for responding to cyberattacks struggle to mitigate damage quickly.

Regulatory and Litigation Exposure

Buyers must identify ongoing regulatory investigations or enforcement actions by CERT-In, DPDP Act authorities (once operationalized), RBI, SEBI, or other regulators. Customer lawsuits, class actions, or arbitration claims arising from data breaches require examination. Criminal investigations under BNS provisions addressing cyber offences, identity theft, or fraud must be reviewed, along with regulatory penalty exposure from historical non-compliance.

Undisclosed regulatory or litigation exposure can materially affect transaction value and post-closing liability allocation. Sellers who fail to disclose breach history may attempt to hide penalty risk, regulatory investigations, or reputational damage affecting valuation.

Cyber Insurance Coverage

Buyers should review the target's cyber insurance policies including coverage limits, exclusions, and claim history. The review must determine whether coverage transfers post-acquisition, whether historical breaches triggered insurance claims, and whether denial of claims indicates unreported incidents or policy violations.

Cyber insurance coverage (or lack thereof) affects the buyer's risk assessment and post-closing risk transfer strategies. The absence of appropriate cyber insurance suggests a lack of awareness or preparedness for potential cyber incidents. Significant historical spending on breach remediation can indicate systemic issues or recurring vulnerabilities.

Employee Awareness and Insider Threat Risk

Human error causes many cyber incidents. Buyers must assess employee cybersecurity training programs, access control policies limiting employee access to sensitive data, monitoring for insider threats or unauthorized data exfiltration, background verification processes for employees handling sensitive data, and non-disclosure agreements and contractual obligations addressing data security.

Insider threats or poorly trained employees increase post-closing operational risk. High employee turnover in IT and security roles may indicate internal dissatisfaction, inadequate resources, management disinterest in security, or cultural issues affecting security posture.

Red Flags That Demand Immediate Attention in Cybersecurity Due Diligence M&A

Identifying red flags during cybersecurity due diligence M&A prevents future liabilities. These indicators signal potential risks that could transform into significant data-breach liability acquisition post-merger.

Legal and Regulatory Compliance Gaps

Non-compliance with data protection laws represents a major red flag. If the target company fails to comply with laws like the Digital Personal Data Protection Act, 2023, buyers face substantial penalties. Chapter VIII of the DPDP Act outlines penalties including fines up to INR 250 crores for certain breaches.

Weak Information Technology Act, 2000 adherence creates liability under Section 43A, which mandates compensation for failure to protect data. If the target company has weak security practices, it could face claims for damages from affected individuals in case of a data breach. Section 72A of the IT Act criminalizes the disclosure of information in breach of lawful contract, critical for intellectual property and trade secrets.

Sector-specific regulatory breaches for companies in sectors like finance (governed by RBI), insurance (IRDAI), or listed entities (SEBI) indicate significant compliance risk. Failure to report cybersecurity incidents to CERT-In within the mandated six-hour timeline creates regulatory penalty exposure.

Undisclosed or Inadequately Remediated Breach History

If the target breach history reveals undisclosed incidents, delayed reporting to regulators, inadequate remediation, or ongoing customer lawsuits, buyers face significant liability exposure. Past incidents that were not properly disclosed or resolved point to a lack of transparency and ongoing vulnerability. This is a critical aspect of cybersecurity due diligence M&A.

Frequent breaches indicate deep-rooted problems in security management. Buyers must investigate how incidents were handled, what lessons were learned, and whether the target demonstrates resilience and responsiveness.

Technical and Operational Weaknesses

Running critical systems on outdated, unsupported software or hardware is an open invitation for cyberattacks. Poor access controls where employees have excessive access privileges or access isn't regularly reviewed indicate serious security flaws. Lack of encryption for sensitive data (both in transit and at rest) signals poor security practices.

If the target lacks documented security policies, incident response plans, data classification frameworks, or employee training programs, the security posture assessment indicates high operational risk. Buyers may need to invest heavily post-closing to strengthen security infrastructure.

Absence of third-party security audits, penetration testing, or certification processes (ISO 27001, SOC 2, etc.) means buyers lack objective assurance of security controls. This absence suggests weak internal security governance.

Contractual and Third-Party Risks

If contracts with third-party vendors lack clear cybersecurity clauses, data protection responsibilities, and liability allocation, it creates a potential point of failure. Unassessed supply chain risks where critical vendors lack security certifications, operate without contractual security obligations, or have experienced breaches affecting the target increase data-breach liability acquisition risk.

Buyers should evaluate whether vendor contracts include indemnification clauses, audit rights, and termination provisions for security breaches. Third-party vendor security gaps significantly elevate post-closing exposure.

Financial and Operational Indicators

While not a substitute for good security, the absence of appropriate cyber insurance suggests a lack of awareness or preparedness for potential cyber incidents. If the target lacks cyber insurance, maintains inadequate coverage, or has experienced denied claims, buyers face greater post-closing financial exposure from future incidents. Denied claims may indicate unreported breaches, policy violations, or misrepresentations during underwriting.

A past record of high costs due to breaches can indicate systemic issues or recurring vulnerabilities. Significant historical spending on breach remediation warrants deeper investigation.

Criminal Investigation and Enforcement Exposure

If the target or its key personnel face criminal investigations under BNS provisions addressing cyber offences, identity theft, cheating by personation, or fraud, buyers face reputational risk, operational disruption, and potential management turnover. Buyers must review whether the target has disclosed such investigations and assess the likelihood of prosecution.

The consequences of ignoring these red flags can be severe, potentially leading to liabilities under the Bharatiya Nyaya Sanhita, 2023 if a cyber incident facilitates criminal activities. The procedural aspects would be governed by the Bharatiya Nagarik Suraksha Sanhita, 2023, and evidence by the Bharatiya Sakshya Adhiniyam, 2023.

Data-Breach Liability Acquisition Risks

Data-breach liability acquisition refers to the buyer's inheritance of legal, regulatory, financial, and reputational liabilities arising from the target's historical data breaches or ongoing vulnerabilities.

Types of Liabilities Buyers Inherit

Regulatory penalties under the DPDP Act can reach INR 250 crores. If the target violated DPDP Act obligations, IT Act Section 43A requirements, or CERT-In reporting rules before closing, buyers may inherit pending or future penalty exposure.

Compensatory liability to affected individuals under Section 43A of the IT Act allows affected persons to claim compensation for negligent data security. If the target's breach resulted from failure to implement reasonable security practices, buyers may face ongoing customer compensation claims.

Customer lawsuits and class actions filed by customers affected by data breaches claiming breach of contract, negligence, or statutory violations represent inherited ongoing litigation and potential settlement obligations.

Reputational damage and customer attrition occur when undisclosed breaches surface post-closing, damaging the buyer's reputation, triggering customer attrition, and affecting revenue projections that justified the acquisition price.

Operational disruption results if the target's weak security infrastructure leads to post-closing ransomware attacks, operational disruption, or system failures, creating business continuity challenges affecting integration and profitability.

Regulatory restrictions may be imposed post-closing if breaches or non-compliance trigger enforcement actions limiting business operations or requiring costly remediation measures.

International and Cross-Border Perspective

For international businesses, NRIs, and foreign investors, cybersecurity due diligence M&A in India involves unique complexity layers.

Jurisdictional Nuances

While global standards like GDPR exist, India's DPDP Act, 2023 introduces specific requirements that may differ. Cross-border data transfers require careful scrutiny. Companies operating in multiple jurisdictions must adhere to a patchwork of data protection laws. Their security posture assessment must demonstrate compliance with not only Indian laws but also regulations like GDPR (Europe), CCPA (California), and other international standards.

FEMA Implications

If data breaches lead to financial losses or unauthorized transactions across borders, it could have implications under the Foreign Exchange Management Act, 1999 (FEMA) and its regulations, especially concerning capital account transactions or remittances.

Treaty Benefits and Enforcement

Understanding how international treaties or bilateral agreements might apply to data-breach liability acquisition or intellectual property theft is vital. Enforcement of judgments across jurisdictions can also be challenging, requiring careful planning for dispute resolution and liability allocation in cross-border transactions.

Common Problems Faced by Global Businesses

Multinational corporations and foreign investors often encounter specific hurdles when conducting cybersecurity due diligence M&A in India.

Understanding Indian Data Privacy Landscape

The transition from the previous data protection regime to the DPDP Act, 2023, with its stringent consent requirements and cross-border transfer rules, can be complex. Foreign entities may struggle to correctly interpret and apply these new provisions, fearing unforeseen data-breach liability acquisition.

Lack of Standardized Cyber Security Disclosure

Unlike some Western markets, India might not have a long history of comprehensive cyber risk disclosures in public filings. This makes it difficult to get a complete picture of a target breach history without deep-dive Cyber DD. Buyers must conduct independent technical assessments to uncover hidden information.

Integrating Diverse IT Architectures

Merging a foreign company's advanced IT systems with a target Indian company's potentially less mature or legacy infrastructure can create new vulnerabilities if not managed meticulously through a robust security posture assessment during integration. Cultural factors affecting cybersecurity awareness can vary widely, affecting employee practices and vulnerability to social engineering attacks.

Regulatory Compliance Complexity

Navigating Indian cybersecurity laws can be complex, leading to possible non-compliance. Differences in data protection measures between countries may create vulnerabilities during integration. Not engaging experts in Indian laws can lead to misunderstandings that jeopardize compliance.

Practical Guidance for Robust Cybersecurity Due Diligence M&A

To navigate the complexities of cybersecurity due diligence M&A, consider these practical steps:

Engage Specialized Expertise Early

Involve cybersecurity professionals and legal experts with Indian regulatory experience at the outset of the transaction. Don't wait until late-stage due diligence to assess cyber risks. Early engagement allows time for thorough investigation and risk mitigation.

Conduct Comprehensive Technical Assessments

Move beyond questionnaires and self-assessments. Conduct independent penetration testing, vulnerability scanning, and architecture reviews. Interview IT and security personnel directly. Review system logs, incident reports, and security monitoring data.

Review Documentation Thoroughly

Examine security policies, incident response plans, disaster recovery procedures, vendor contracts, data processing agreements, employee training records, and compliance audit reports. Request evidence of CERT-In reporting, regulatory filings, and customer breach notifications.

Verify Certifications and Third-Party Audits

Confirm that claimed security certifications (ISO 27001, SOC 2, etc.) are current and valid. Review third-party audit reports, penetration test results, and vulnerability assessments conducted by independent firms.

Draft Clear Acquisition Agreements

Include specific representations and warranties regarding cybersecurity, breach history, regulatory compliance, and data protection practices. Negotiate indemnification clauses addressing cyber liabilities, post-closing obligations for breach remediation, and escrow arrangements to cover potential penalties.

Establish clear post-closing security improvement timelines, integration security protocols, and breach notification procedures. Define liability allocation for incidents discovered after closing but originating before closing.

Plan Post-Closing Integration Security

Develop integration plans that address network segregation during transition periods, privileged access management for integration teams, continuous security monitoring during integration, and employee training for combined organizations.

Plan for security infrastructure upgrades, vendor contract renegotiations, and compliance alignment across jurisdictions. Establish governance structures for ongoing cybersecurity oversight in the combined entity.

Maintain Professional Legal Consultation

Professional legal consultation becomes vital before concluding any acquisition. Engage experienced legal counsel and cybersecurity experts to navigate compliance and minimize risks. Don't overlook vendor risks by failing to scrutinize all vendors involved with the target for their cybersecurity practices.

Never neglect cybersecurity questions during negotiations. Failing to inquire about privacy practices and cybersecurity policies can be costly. Avoid underestimating the regulatory landscape, as misunderstandings jeopardize compliance.

Key Takeaways

Understanding and implementing cybersecurity due diligence M&A is vital for businesses engaging with India and international markets. Being proactive helps mitigate risks, ensures compliance, and safeguards investments. The process requires systematic evaluation of target breach history, comprehensive security posture assessment, thorough regulatory compliance review, and careful examination of data-breach liability acquisition risks.

For multinational corporations, overseas investors, and foreign nationals eyeing opportunities in India, or Indian companies expanding globally, understanding the digital health of a target company is no longer optional. A company's digital assets, customer data, and proprietary information are as valuable as its physical assets. Ignoring their security during an acquisition can lead to devastating financial, legal, and reputational damage post-merger.

The stakes are high. Buyers who inherit undisclosed breaches, non-compliant data practices, weak security infrastructure, or ongoing regulatory investigations face penalties, lawsuits, operational disruptions, and reputational damage worth millions of dollars. Conversely, buyers who conduct thorough cybersecurity due diligence M&A can negotiate appropriate price adjustments, structure effective risk allocation, implement post-closing remediation plans, and protect themselves from inherited liabilities.

In today's interconnected digital economy, where cyber threats pose constant challenges and regulatory frameworks like the DPDP Act, 2023 impose substantial penalties for non-compliance, Cyber DD has moved from optional best practice to essential transaction requirement. Engaging legal expertise aids companies in navigating the complexities of cybersecurity assessments, ultimately supporting smooth and successful transactions.

This article is for informational purposes only and does not constitute legal advice. Please consult a qualified legal professional for specific guidance.

About LawCrust

LawCrust Global Consulting Ltd. is the enterprise legal and consulting arm of the LawCrust Group, delivering lawyer-led corporate legal services, alternative legal services (ALSP), legal process outsourcing (LPO), legal operations support, and AI-enabled legal infrastructure for global businesses, multinational corporations, law firms, procurement-led enterprises, general counsels, investors, and institutional clients.

With operational headquarters in Mumbai's Bandra Kurla Complex (BKC) and a strategic US presence through LawCrust Inc., Delaware, we support cross-border legal and commercial operations involving India, the United States, the Middle East, and international jurisdictions.

For expert legal assistance, Call Now: +91 8097842911 Email: inquiry@lawcrust.com

Disclaimer

This article is for general information only and does not constitute legal advice. Every matter is fact-specific. For advice tailored to your circumstances, please consult counsel, ours, or your own.