Paul Theobald

|

Article

The Fast Five: Key Cybersecurity Questions for Every M&A Deal

I. Why Cybersecurity Must Be Prioritized in Every M&A Deal – Even without Full Diligence

Let’s be honest… most deals don’t get full cyber diligence. Timelines are compressed, targets are lean, and cyber often gets pushed to the “we’ll handle it post-close” pile. In many cases that makes sense. Not every transaction justifies a full-scale assessment. We saw that gap often enough that we built a different model – and launched our firm – to close it: an expedited screening approach designed to identify material cyber risks in fast-moving deals.

But ignoring cyber altogether? That’s a risk you can’t afford to normalize.

That’s why we built the “Fast Five” – a short list of cyber questions every deal team should be asking, even if you’re not bringing in a third-party provider. They’re not comprehensive. They’re not ideal. But they’re fast, aligned with cyber insurance underwriting, and tied directly to the control failures most often cited in claims data. In short… they’re the floor.

The answers you get can reveal broader issues. If no one knows who owns these controls – or you’re told “the MSP handles that” with a shrug – you may have already surfaced your first real red flag. This dynamic is common in LMM and MM deals, which is why we wrote a dedicated article on how to navigate IT stakeholder engagement during diligence.


📌 Short on time? Here’s what matters 📌
The Fast Five represent the minimum threshold for responsibly assessing cyber. Anything less introduces avoidable risk… to the deal, the firm, and your reputation.

  • MFA: Blocks the majority of credential-based attacks
  • EDR: Detects active compromise before it spreads
  • Patch Management: Strongest technical predictor of claims
  • Backups: Enables recovery without paying ransom
  • Incident Response: Limits cost, scope, and reputational fallout of an incident

A full question template is included at the end of this post – but the value is in understanding what the answers should actually tell you. If you’re short on time, skip to the list. If you’re responsible for the deal, read the detail. Knowing what to ask is great. Knowing what to listen for is where the risk gets managed.


II. The "Fast Five" Framework: Key Controls Every M&A Deal Team Should Know

These five controls aren’t theoretical. They’re tied to real-world financial outcomes, frequently cited in insurance claims, and increasingly baked into underwriting decisions. Not because they’re abstract best practices, but because they reflect where losses actually happen. For private equity professionals, that’s the point. Underwriters care about these controls because their job is to price risk based on claims data, not some “cyber expert’s” opinion. If the insurance market sees these as the difference between loss and recovery, they’re a useful benchmark for any deal team trying to quickly assess risk.

Each control has a clear rationale. Each one has claims data behind it. And when they’re missing, or only partially implemented, the risk is rarely theoretical.

In the next section, we’ll break down each of the Fast Five using a consistent structure that’s intended to make it easy to consume:

  • (A) Control Overview: What the control does and why it matters
  • (B) Claims & Market Insight: What real-world data tells us about its impact
  • (C) Deal Implications: Why it matters in diligence, insurance, and what the broader risk impact is
  • (D) Key Screening Questions: Tactical questions to help diligence teams identify red flags
  • (E) How to Assess Responses: Guidance on interpreting answers and reading between the lines

III. Multi-Factor Authentication (MFA) – The Baseline Control Every Buyer Should Expect

(A) Control Overview
MFA prevents attackers from using stolen credentials to access systems like email, finance platforms, and remote networks. It’s simple, effective, and still somehow optional in too many environments… like seatbelts in the 1970s. Today, insurance carriers consider MFA a non-negotiable prior to placing a policy and it’s widely accepted as a universal best practice in the security industry. Its absence is no longer just a technical oversight – it’s a material exposure.

(B) Claims & Market Insight

  • Microsoft 2023 Research: Microsoft found that enabling multi-factor authentication (MFA) reduced the risk of account compromise by 99.22%. Even when credentials were leaked, 98.56% of MFA-enabled accounts remained secure.
  • Coalition 2025 Cyber Claims Report: Coalition’s analysis of its policyholder claims data found that organizations meeting MFA requirements experienced 73% fewer cyber insurance claims than the industry average.
  • Marsh 2024 Research: Using claims data from 2019 to 2023, Marsh found that orgs without MFA were 2x more likely to suffer business email compromise (BEC) claims.

(C) Deal Implications
Remediation Priority: If MFA isn’t enforced on systems that handle sensitive data – including email, finance, and remote access – it should be treated as a Day 1 remediation item. This isn’t optional hardening; it’s foundational risk containment. Deal teams should consider pushing for pre-close implementation or escrow-backed commitments where appropriate.

Insurance Impact: MFA is now a prerequisite for any cyber coverage worth having in place. Its absence will result in coverage declination from most reputable carriers, and if you can find someone willing to take on the risk, it will likely come with key exclusions and high premiums / retention. For buyers relying on cyber coverage within a broader R&W policy, expect exclusions that may be significant enough to question whether that portion of the policy offers any meaningful protection at all.

Risk Lens: Incomplete MFA deployment often signals broader governance issues – unclear IT ownership, resource constraints, or legacy systems that haven’t been addressed. It’s a reliable indicator of security maturity and a useful early test of whether basic controls are actually operational. By no means is it a deal breaker, but it’s a broader signal that you may be inheriting a high-risk asset from a cyber perspective.

(D) Key Screening Questions
☐ Is MFA enforced at login for all high-risk systems – including email, financial apps, and remote access services?
☐ Can you list all internal or cloud systems where MFA is not enforced?
☐ What MFA methods are in use today and is enforcement consistent across the organization?

(E) How to Assess Responses
When asking about MFA, the goal isn’t just to hear “yes” – it’s to understand coverage, enforcement, and consistency. Here’s how to interpret the responses:

Coverage Across Critical Systems: Strong responses confirm that MFA is enforced across all high-risk areas: email, finance systems, VPNs, and remote access platforms. Any exceptions should be documented, justified, and scheduled for remediation if possible.

Method Consistency: The strongest implementations use phishing-resistant methods (FIDO2 hardware keys or passkeys), which can't be relayed through a fake login page. App-based push or one-time codes (Duo, Microsoft Authenticator) come next; they are the easiest to manage but remain exposed to push-fatigue and real-time phishing. The security industry likes to shame SMS-based MFA, but the reality is that it's better than nothing.

Enforcement Rigor: Answers should confirm that MFA is not optional – it’s enforced at the system level and can’t be bypassed or disabled by users. Flexibility at the user level (e.g., opt-outs or “trusted devices”) should raise concern. Ask specifically whether legacy authentication protocols that can't carry a second factor (IMAP, POP, and SMTP basic auth in Microsoft 365, for example) are blocked; if they're still enabled, "MFA at login" can be sidestepped with just a password. Executives like the CFO and CEO are the most targeted individuals within the org, so allowing them to opt out due to their role is a high-risk situation that should likely be addressed.

Watch out for responses that are overly broad or lack detail – like a blanket “yes” without clarification on scope or method. If a team can’t specify which systems are covered, what MFA method is enforced, or whether enforcement is mandatory, assume the control may be incomplete or inconsistently applied. It’s not expected that every single system or application is covered – especially in legacy environments. What matters is that gaps are known, documented, and have a clear rationale. Strong answers show awareness, demonstrate policy alignment, and highlight intent – not just a theoretical control. The data doesn’t suggest a benefit for having MFA… it screams one. For deal teams, the conclusion is clear: if MFA isn’t enforced across critical systems, it needs to be addressed.
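To turn "yes, MFA is enforced" into something verifiable, the following is an added example (not part of the original article and not the firm's screening tooling): it runs over a constructed sign-in export and lists who completed successful logins with a single factor, which apps they reached, whether legacy protocols are still accepting logins, whether the same person is sometimes prompted and sometimes not, and whether high-value accounts are among the gaps. The field names (userPrincipalName, authenticationRequirement, clientAppUsed, status.errorCode) follow the shape of an Entra ID sign-in log and are an assumption about the export; the sample records, the legacy protocol list and the high-value user set are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of an Entra ID sign-in log export, one JSON
# object per line. The field names are an assumption about the export; map
# them to whatever the target's identity provider actually produces.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"CFO@target.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"cfo@target.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"ap.clerk@target.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"eng1@target.example","appDisplayName":"VPN Gateway","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"eng2@target.example","appDisplayName":"VPN Gateway","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"eng2@target.example","appDisplayName":"VPN Gateway","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
"""

# Legacy protocols cannot carry a second factor, so a successful sign-in over
# any of them is an MFA bypass no matter what the login policy says.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}

# Assumption: the deal team names the accounts attackers target first.
HIGH_VALUE_USERS = {"ceo@target.example", "cfo@target.example"}


def audit_mfa(signin_jsonl, high_value=HIGH_VALUE_USERS):
    """Report which successful sign-ins were completed with a single factor,
    by whom, to which apps, and whether legacy protocols still accept logins."""
    single_factor = defaultdict(set)   # user -> apps reached without MFA
    legacy_auth = defaultdict(set)     # user -> legacy protocols used
    mfa_users = set()
    for line in signin_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # a failed attempt says nothing about enforcement
        user = rec["userPrincipalName"].lower()
        app = rec.get("appDisplayName", "unknown")
        client = rec.get("clientAppUsed", "")
        if client in LEGACY_CLIENTS:
            legacy_auth[user].add(client)
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            mfa_users.add(user)
        else:
            single_factor[user].add(app)
    gap_users = set(single_factor) | set(legacy_auth)
    return {
        "users_without_mfa": {u: sorted(a) for u, a in sorted(single_factor.items())},
        "legacy_auth_users": {u: sorted(p) for u, p in sorted(legacy_auth.items())},
        "apps_reached_single_factor": sorted({a for apps in single_factor.values() for a in apps}),
        # Same person sometimes prompted, sometimes not: enforcement is
        # per-app or per-location rather than universal.
        "inconsistent_users": sorted(set(single_factor) & mfa_users),
        "high_value_gaps": sorted(gap_users & {u.lower() for u in high_value}),
        "enforced_everywhere": not gap_users,
    }


if __name__ == "__main__":
    print(json.dumps(audit_mfa(SAMPLE_SIGNINS), indent=2))
```

On the constructed sample the report shows exactly the patterns the text warns about: the CFO reaches mailbox access both with and without a second factor (a per-location or per-app exception), the AP clerk's mailbox is reachable over IMAP with a password alone, and the "MFA is enforced" answer collapses to a documented gap list rather than a yes.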

IV. Endpoint Detection & Response (EDR) – Visibility Into What’s Already There

(A) Control Overview
EDR provides real-time monitoring, detection, and blocking of malicious activity across endpoints – laptops, servers, and workstations. Consider EDR a much more advanced version of antivirus. It’s a control that not only blocks many attacks outright but also minimizes the blast radius when one gets through. EDR is another tool that is now considered a baseline expectation by insurance underwriters. Without it… detecting a breach (let alone containing it) becomes guesswork.

(B) Claims & Market Insight

(C) Deal Implications
Remediation Priority: If EDR isn’t deployed across all endpoints and servers, that gap should be closed as early as possible post-close. It’s a high-leverage control that dramatically reduces both detection time and incident cost. If EDR is only partially deployed, consider structuring full deployment across critical systems as a condition precedent or pre-close obligation – particularly if your insurance carrier requires it. The more realistic compromise, especially in environments without an existing EDR footprint, is to set clear post-close timelines with ownership and verification. Deployment speed can vary significantly depending on the environment’s complexity, tooling gaps, or internal resource constraints.

Insurance Impact: EDR is now a standard underwriting requirement for many cyber policies. Its absence may lead to reduced limits, higher deductibles, increased exclusions (e.g. no ransomware coverage), or total declination in certain cases.

Risk Lens: A lack of EDR creates visibility gaps that complicate both breach prevention and incident response post-close. One common concern is the risk of unknowingly inheriting an undetected breach… a scenario that, while technically possible, is often overstated. The Marriott–Starwood example is frequently discussed as a scare tactic, but in today’s landscape, most financially motivated attackers act quickly and move on. The bigger issue isn’t a dormant breach waiting to trigger liability – it’s knowing that even if an incident did occur, the org wouldn’t know until it’s too late. And because most (all?) R&W policies exclude pre-existing breaches, that becomes your exposure. Add to that the cost and complexity of deploying EDR after closing – and the insurance implications of not having it in place – and the risk profile starts to shift meaningfully.

(D) Key Screening Questions
☐ Is EDR deployed across all workstations, laptops, and servers?
☐ What EDR solution is in use and who is responsible for monitoring alerts?
☐ Is it set up to block detected threats?
☐ How frequently are alerts reviewed?

(E) How to Assess Responses
Understanding EDR maturity requires more than confirming its presence. You want to understand where it’s deployed, what solution it is, whether alerts are actively monitored, and whether the organization is prepared to act on what the tool reveals.

Deployment Scope: Strong responses confirm 100% endpoint coverage – including production servers and remote devices. Partial rollouts or BYOD exclusions should be called out explicitly.

Configuration: Many companies roll out EDR and set it to alert only, out of fear of blocking legitimate activity. Detection quality has improved enough that these tools should be set to block the threats they detect; in alert-only mode, something will eventually slip through the cracks while the alert sits in a queue.

Monitoring and Response: The key here is that alerts are monitored 24x7x365. It shouldn’t be one internal IT person who claims to review them once a day. You can have the best EDR tool in the world, but if no one is monitoring alerts on Friday night at 11pm (ransomware operators deliberately launch on nights, weekends, and holidays) then you’re going to have a surprise waiting for you on Monday morning. Ideally, a third party (a managed detection and response service) actively monitors alerts 24x7x365 and has standing authority to isolate a host without waiting for a callback.

EDR Vendor: There are a lot of great EDR tools out there. There are also some EDR tools that provide a false sense of security. Some reputable vendors: SentinelOne, CrowdStrike, Microsoft Defender, Palo Alto Cortex, Huntress.

The key with EDR is that they have a tool in place, it is set up to automatically act on threats, and it’s being monitored at all times. Look out for vague answers about how it’s being monitored. Just because they get an email alert, or their team ‘checks regularly,’ does not mean it’s being monitored. What you want to hear is that alerts are routed to a team that’s actively watching and responding 24/7. Without that, EDR becomes an expensive checkbox.

V. Patch Management – A Direct Line to Breach Exposure

(A) Control Overview
Patch management is the process of identifying, prioritizing, and applying software updates that fix known vulnerabilities. When you think of cyber basics… patching known vulnerabilities is front of mind. When it works, it’s invisible. When it doesn’t, it’s often the reason attackers get in. Many of the highest-profile breaches over the past decade stemmed from unpatched, publicly known vulnerabilities.

Unlike some controls that require nuance, patch management is binary: either critical vulnerabilities are being addressed in a timely way or they’re not. It’s one of the clearest signals of a company’s operational maturity – and one of the first places insurers and underwriters look when assessing technical risk.

(B) Claims & Market Insight

  • Gallagher Re 2024 Cyber Claims Study: Found that the speed at which orgs apply security patches was the strongest technical predictor of cyber insurance claims, highlighting that a slow patching cadence accounted for 41% of the analyzed incidents.
  • Ponemon Institute: 60% of breaches involved known vulnerabilities for which patches were available but had not been applied.

(C) Deal Implications
Remediation Priority: Patch management doesn’t typically require pre-close attention unless there’s a known vulnerability that isn’t patched (which would be detected through our cyber screening process). Otherwise, it should be treated as a core part of the 100-day integration plan. If there’s no patching program or tool in place, this is one of the fastest ways to reduce technical risk across the environment. Some low hanging fruit include enabling auto-updates where possible, auditing patch status for externally facing systems, and standing up basic vulnerability tracking with defined timelines for patching critical vulnerabilities on external systems (CISA’s Known Exploited Vulnerabilities catalog is a free way to prioritize the ones attackers are actually using). These steps don’t require heavy investment, but they send a clear signal that risk is being actively managed – not deferred.

Insurance Impact: Many insurers are now asking specific questions about patch frequency, tooling, and vulnerability tracking. Weak practices can increase premiums, introduce exclusions, or lead to declined coverage – especially in breach-heavy sectors. Carriers have also contested claims after determining that patching did not match what was represented on the insurance application or required by the policy (in Columbia Casualty v. Cottage Health, the carrier sought to rescind coverage under a “failure to follow minimum required practices” exclusion).

Risk Lens: Weak patch management is a red flag because it reflects more than just an IT security issue… it signals a lack of operational discipline. If a company isn’t consistently addressing something as basic as software updates then it often points to deeper problems with accountability, prioritization, and internal coordination.

(D) Key Screening Questions
☐ How quickly are critical patches applied to internet-facing systems?
☐ Is there a written policy or general practice that defines patching timelines?
☐ Who is responsible for making sure patches get applied across the company?

(E) How to Assess Responses
With patch management, you’re not looking for perfection – you’re looking for awareness, ownership, and follow-through. Good responses don’t just describe what’s supposed to happen; they reflect an actual process that someone is responsible for.

Clarity on Timing: Strong responses include a defined (or at least understood) timeframe for applying critical patches – especially to systems exposed to the internet. Insurance underwriters tend to care most about patching external systems and ideally like to see 24-48 hours for critical patches. It’s not unusual to see 5-7 days, so long as it’s defined and understood.

Defined Ownership: Answers should clearly identify who is responsible for patching and how they stay on top of it. Many targets in this space will rely on a third-party MSP for patching, which can be concerning given that the MSP may have to patch 100 customers for a single critical vulnerability. Understanding who is responsible and what the SLAs are is critical to protecting the business.

Basic Oversight: Mature organizations can describe how they make sure patching doesn’t get missed – whether through tooling, reporting, or regular check-ins. It doesn’t need to be automated or perfect, but there should be some mechanism in place. And that matters more now than ever… the number of disclosed vulnerabilities jumped 38% YOY, from 28,800 in 2023 to over 40,000 in 2024. Microsoft alone issued more than 1,000 patches last year. Without a structured process, staying current isn’t just hard… it’s almost impossible.

If the team can’t name who’s responsible, how they prioritize, or what happens when patches are missed, assume this is a control that isn’t actively managed. It doesn’t mean the deal is at risk – but it’s a signal that you’ll be inheriting operational gaps that may need attention early in ownership.
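As an added example (not from the original article), here is what "defined timelines with oversight" looks like once turned into a check that can be run against a scanner export: each finding is aged from the date the fix shipped and compared to a per-exposure, per-severity SLA, with KEV-listed CVEs escalated to the external-critical clock, and open findings keep ageing until they are fixed. The SLA table, the findings, the CVE identifiers and the field names are constructed assumptions for illustration; substitute the target's actual policy and export.

```python
from datetime import date
from statistics import median

# Patch timelines in days by exposure and severity. These are an assumption
# for illustration, roughly matching the underwriter expectations described
# above (24-48 hours for critical patches on internet-facing systems).
SLA_DAYS = {
    "external": {"critical": 2, "high": 7, "medium": 30, "low": 90},
    "internal": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}

# Constructed findings in the shape of a vulnerability-scanner export.
# 'available' is the date the vendor fix shipped; 'fixed' is when the host
# was patched (None = still open); 'kev' marks CISA KEV-listed CVEs.
SAMPLE_FINDINGS = [
    {"host": "web01", "exposure": "external", "cve": "CVE-A", "severity": "critical",
     "available": date(2025, 4, 20), "fixed": date(2025, 4, 21), "kev": False},
    {"host": "web01", "exposure": "external", "cve": "CVE-B", "severity": "high",
     "available": date(2025, 4, 10), "fixed": None, "kev": False},
    {"host": "fs01", "exposure": "internal", "cve": "CVE-C", "severity": "critical",
     "available": date(2025, 4, 27), "fixed": None, "kev": False},
    {"host": "vpn01", "exposure": "external", "cve": "CVE-D", "severity": "high",
     "available": date(2025, 4, 25), "fixed": date(2025, 4, 30), "kev": True},
    {"host": "db01", "exposure": "internal", "cve": "CVE-E", "severity": "medium",
     "available": date(2025, 1, 1), "fixed": date(2025, 3, 15), "kev": False},
]


def sla_days(finding):
    """KEV-listed CVEs are being exploited in the wild, so they get the
    external-critical clock regardless of scanner severity or exposure."""
    if finding.get("kev"):
        return SLA_DAYS["external"]["critical"]
    return SLA_DAYS[finding["exposure"]][finding["severity"]]


def evaluate_patching(findings, as_of):
    """Score each finding against its SLA and summarise for a deal memo."""
    rows = []
    for f in findings:
        end = f["fixed"] or as_of            # open findings keep ageing
        age = (end - f["available"]).days
        sla = sla_days(f)
        rows.append({**f, "age_days": age, "sla_days": sla,
                     "days_over": max(0, age - sla), "overdue": age > sla})
    fixed_ages = [r["age_days"] for r in rows if r["fixed"]]
    overdue = [r for r in rows if r["overdue"]]
    within = len(rows) - len(overdue)
    return {
        "total": len(rows),
        "within_sla": within,
        "compliance_rate": round(within / len(rows), 2) if rows else 1.0,
        "open_overdue": sorted(r["cve"] for r in overdue if r["fixed"] is None),
        "fixed_late": sorted(r["cve"] for r in overdue if r["fixed"] is not None),
        "median_days_to_fix": median(fixed_ages) if fixed_ages else None,
        "worst": max(rows, key=lambda r: r["days_over"])["cve"] if rows else None,
        "rows": rows,
    }


if __name__ == "__main__":
    report = evaluate_patching(SAMPLE_FINDINGS, as_of=date(2025, 5, 1))
    for r in report["rows"]:
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f"{r['host']:6} {r['cve']:6} {r['exposure']:8} {r['severity']:8} "
              f"age={r['age_days']:>3}d sla={r['sla_days']:>3}d {flag}")
    print({k: v for k, v in report.items() if k != "rows"})
```

Two things in the output matter more than the headline compliance rate: the list of open findings already past their SLA (the ones an attacker can use today), and the "fixed late" list, which tells you whether the SLA is a written number or an operating rhythm. A KEV entry that took five days on an external VPN shows up as late even though the scanner only rated it "high".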

VI. Backups – The Most Overstated and Underperforming Control

(A) Control Overview
Backups are the safety net every organization assumes will work – until they don’t. The idea is simple: copy your critical data and systems somewhere safe so you can restore operations if ransomware or accidental loss strikes. But backups only help if they work.

The reality is that backups often exist in name only – poorly segmented, poorly protected, and rarely tested. It’s one of the most common areas where confidence doesn’t match reality. And when it fails, the cost isn’t just operational – it’s reputational, financial, and often permanent.

(B) Claims & Market Insight

  • At-Bay Ransomware Report:
    • 92% of businesses reported having backup systems, but 31% failed to successfully restore from them during ransomware attacks.
    • Organizations with well-tested and segmented backups saw a 41% reduction in ransomware claim severity.
    • Cloud-based backup solutions provided the highest recovery rates, with orgs using them being 1.5 times more likely to successfully restore than those using traditional offsite backups.
  • Coveware Q4 2023 Report: Companies unable to restore from backups were 300% more likely to pay a ransom.


(C) Deal Implications
Remediation Priority: Weak or unverified backups should be addressed early post-close. In the first 100 days, focus on isolating backup systems from the production environment (ideally via cloud-based solutions), enforcing MFA, enabling immutability where possible, and performing a test restore of critical assets to make sure they actually work when needed.

Insurance Impact: Backup maturity is a major factor in ransomware underwriting. Poor practices may lead to limited ransomware coverage, higher retention, or outright denial of certain claims. Denied claims become an issue when applicants submit that they have functional backups but fail to restore during a ransomware incident, prolonging downtime and increasing costs.

Risk Lens: Backups often reveal the gap between perception and practice. If a company hasn’t tested restoration or doesn’t segment backups from production, they’re not protected – they just think they are. That false sense of security is a liability.


(D) Key Screening Questions
☐ Are backups performed regularly across all critical systems?
☐ Are backup systems segmented?*
☐ When was the last time a restore test was performed?


(E) How to Assess Responses

Backups are easy to talk about and hard to validate – which is why this section often draws the most confident answers. The key is to move past “we have backups” and understand whether they’re useful when everything goes to hell.

Frequency and Scope: Good answers confirm that backups run regularly (e.g. daily) and cover all critical systems. Don’t expect every single thing to be backed up, just make sure critical systems are.

*Segmentation: This is where answers get vague and people make mistakes. I’m going to avoid getting too far into the weeds here… but there are different ways to segment backups and many ways to poorly segment them. The reality is that ransomware groups intentionally hunt for and delete backups to force payment. That’s why the best, easiest-to-interpret answer is a cloud-based backup solution with immutability (a retention lock that even an administrator can’t shorten) and its own MFA-protected credentials that aren’t shared with the production domain. “Cloud-based” on its own isn’t enough: if the backup console is reachable with the same admin account that runs production and nothing is immutable, an attacker holding that account deletes the backups along with everything else. Other answers aren’t necessarily a red flag, but you may need to pull in someone to assess the nuances of their answers.

Restore Confidence: You want to hear that they’ve tested the backups in the last year and that they have an idea of how long recovery would take. If not, it’s definitely something to pencil into the 100-day plan.

The biggest red flag with backups is overconfidence. We typically find a backup solution was purchased years ago, left to run on autopilot, and hasn’t been tested since. But there’s a big difference between having backups and being able to actually use them. In a ransomware scenario, that difference is the deciding factor whether the business is down for two weeks and pays a $500K ransom or restores operations in three days without writing a check.
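To show what a restore test should actually prove, the following added example (not code from the original article) drills the whole loop on constructed data: take a snapshot with an independent hash manifest, simulate an attacker overwriting and deleting production files, restore, and verify every file against the manifest while timing the restore. A second run with a silently corrupted snapshot shows the verification catching what a "job succeeded" status would hide. File names and contents are constructed; a temporary directory stands in for both production and the backup repository.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source, repo):
    """Copy the source tree into a new snapshot and write a hash manifest.

    The manifest is what the restore is verified against; a job status of
    'success' on its own proves nothing about the data.
    """
    snapshot = repo / f"snap-{int(time.time() * 1000)}"
    shutil.copytree(source, snapshot / "data")
    manifest = {str(p.relative_to(source)): sha256_of(p)
                for p in source.rglob("*") if p.is_file()}
    (snapshot / "manifest.json").write_text(json.dumps(manifest))
    return snapshot


def simulate_ransomware(source):
    """Stand-in for an attacker: overwrite every file and delete one."""
    files = sorted(p for p in source.rglob("*") if p.is_file())
    for p in files:
        p.write_bytes(os.urandom(32))  # "encrypted"
    files[0].unlink()


def restore_and_verify(snapshot, target):
    """Restore a snapshot to target and check every file against the manifest."""
    started = time.monotonic()
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot / "data", target)
    manifest = json.loads((snapshot / "manifest.json").read_text())
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        p = target / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_of(p) != digest:
            mismatched.append(rel)
    return {
        "files_in_manifest": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "verified": not missing and not mismatched,
        "restore_seconds": round(time.monotonic() - started, 3),
    }


def run_restore_test(corrupt_snapshot=False):
    """End-to-end drill on constructed data: back up, get hit, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod = root / "prod"
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (prod / "finance" / "payroll.csv").write_text("emp,net\n42,3100.00\n")
        (prod / "contracts.txt").write_text("MSA v3 signed 2024-11-02\n")
        snapshot = take_backup(prod, root / "repo")
        if corrupt_snapshot:
            # Silent corruption in the repository: exactly what a job-status
            # "success" hides and what the hash check is there to catch.
            (snapshot / "data" / "finance" / "ledger.csv").write_text("garbage\n")
        simulate_ransomware(prod)
        left = sum(1 for p in prod.rglob("*") if p.is_file())
        result = restore_and_verify(snapshot, prod)
        result["files_left_after_attack"] = left
        return result


if __name__ == "__main__":
    print("clean snapshot:", run_restore_test())
    print("corrupted snapshot:", run_restore_test(corrupt_snapshot=True))
```

The point of the drill is the shape of the evidence: a file count and hash match against a manifest written at backup time, plus a measured restore duration that can be compared with the recovery-time answer the target gave. Note that the manifest lives next to the snapshot here; in a real environment it should sit in the immutable copy, since an attacker who can rewrite the repository can rewrite the manifest too.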

VII. Incident Response – The Plan Everyone Assumes Exists

(A) Control Overview
Leadership typically assumes someone will know what to do in a cyber incident (or that it won’t happen to them)…. until it happens. Incident response isn’t just about reacting under pressure. It’s about having a defined, tested plan that assigns roles, escalates quickly, and brings the right people into the room fast.

It’s the control that determines whether an incident stays a contained disruption or spirals into a costly, reputation-damaging mess. In LMM / MM sized transactions, we unfortunately see incident response plans that were copied and pasted directly from an online template.

(B) Claims & Market Insight

  • Coalition 2025 Claims Report: 56% of reported incidents were resolved with zero out-of-pocket cost when companies responded promptly and brought in legal and forensics early.
  • Marsh McLennan Cyber Incident Readiness Article: “A cyber incident response plan that is not tested is little more than a paper exercise and is unlikely to stand up to real-world events — or to insurer scrutiny.”
  • IBM Cost of a Data Breach Report 2024: Organizations with high levels of incident response planning and testing saved an average of $1.49 million per breach compared to those with low levels.

(C) Deal Implications
Remediation Priority: A written IR plan should be reviewed and refreshed within the first 100 days post-close. That includes naming internal leads, confirming external counsel and forensics partners that are approved by the cyber insurance policy, and running a tabletop exercise with key stakeholders.

Insurance Impact: Carriers increasingly expect documented IR plans – including contact escalation paths and legal coordination – as part of their underwriting review. Lack of planning may result in delayed claims handling, higher breach costs, or coverage disputes. One of the most important components is ensuring that both legal counsel and incident response firms are approved by the carrier.

Risk Lens: A poor (or non-existent) incident response plan isn’t just a cyber risk. It’s an operational, legal, and financial exposure. It signals uncoordinated execution, unclear stakeholder roles, and heightened vulnerability to regulatory and reputational fallout. One of the most common – and costly – gaps we see post-close is a missing escalation path to the private equity firm when a cyber incident is discovered. Sponsors are often notified only after key decisions have been made, at which point recovery options narrow and costs rise. Most LMM and MM targets lack deep experience with high-impact incidents and tend to rely on local IT vendors who shouldn’t be handling incident response. I’ve seen this play out dozens of times: delayed recovery when things go right, complete disaster when they don’t... Add in the absence of legal privilege, poor documentation for claims, and broken continuity across stakeholders – and what should have been a manageable event becomes a compounded loss. The plan doesn’t need to be perfect, but it needs to exist, be current, and explicitly include upstream communication.

(D) Key Screening Questions
☐ Is there a documented incident response plan and when was it last reviewed?
☐ Who leads the response effort internally and what external support is in place?
☐ Have key personnel participated in a tabletop or simulation exercise?

(E) How to Assess Responses
Incident response is easy to overestimate – especially if no one’s ever had to use the plan. What matters is whether the team knows what it says, who’s in charge, and how quickly it can be executed under pressure.

Plan Clarity: Strong responses confirm there’s a written IR plan with named internal roles, clearly defined escalation paths, and pre-identified external support. The most effective plans don’t rely on internal IT alone – they engage experienced outside counsel and forensic firms who handle incidents regularly and know how to manage legal exposure, preserve evidence, and coordinate with insurers. For lower and middle-market teams, this outside expertise is critical. While internal teams may have never dealt with a live incident, top-tier external partners often manage several per week. Those partners should be named directly in the plan… bonus points if direct phone numbers are included instead of generic hotlines.

Testing and Familiarity: Mature teams have run tabletop exercises or dry runs within the last 12-18 months. Don’t expect them to have brought in a 3rd party or spent a full day walking through a scenario.

Real Ownership: Someone should know who gets called first – and it shouldn’t be a guess. If the plan starts and ends with “we’d figure it out,” assume they haven’t.

The most important takeaway isn’t complexity… it’s credibility. No one expects an SMB to have a $50K IR plan built by a 3rd party that’s tested quarterly and mapped to three layers of regulatory frameworks. That’s not the bar. What matters is that a plan actually exists, that it hasn’t just been pulled from an online template, and that it names real people – internal and external – who know what to do when something goes wrong. It’s unrealistic to expect frequent testing in smaller environments, but an annual tabletop exercise and clearly documented escalation paths that include the sponsor and 3rd party experts go a long way. When things go sideways post-close, having the right names in the plan is often the only thing standing between a coordinated response and a chaotic, costly scramble.

VIII. Final Take – No Diligence Provider? This is the Minimum Checklist

The “Fast Five” aren’t a replacement for cyber diligence… but they are a good alternative to skipping it. Think of them as your last line of defense when time, scope, or budget won’t support a full review. They’re not comprehensive but they’re focused.

They also serve another purpose: pressure-testing what you're being told. The answers you get to these questions won’t just reveal technical gaps – they’ll show you who’s really in charge, how risk is being managed, and whether there’s alignment between leadership and IT. That may be more revealing than anything you’d find in a formal diligence report.

In deals where you can't ask everything, ask the right things. The “Fast Five” won’t catch every risk – but they’ll help you feel a little more comfortable moving forward.

And if you’re tired of the traditional cyber diligence playbook… the bloated timelines, enterprise frameworks, and the 50-page reports that don’t align with anything you actually care about…you’re not alone. That’s exactly why we built our cyber screening approach. It’s not a shortcut. It’s a different model, entirely built for deal teams who want real insight, fast, and without the technical noise.



More Insights:

Paul Theobald

|

Article

Fixing Cyber Diligence: Aligning Risk with M&A Realities

Paul Theobald

|

Article

Executive Privacy Guide: How Private Equity and Corporate Leaders Can Reduce Digital Risk

The Fast Five: Key Cybersecurity Questions for Every M&A Deal

05.12.2025

Paul Theobald

I. Why Cybersecurity Must Be Prioritized in Every M&A Deal – Even without Full Diligence

II. The “Fast Five” Framework: Key Controls Every M&A Deal Team Should Know

These five controls aren’t theoretical. They’re tied to real-world financial outcomes, frequently cited in insurance claims, and increasingly baked into underwriting decisions. Not because they’re abstract best practices, but because they reflect where losses actually happen. For private equity professionals, that’s the point. Underwriters care about these controls because their job is to price risk based on claims data, not some “cyber expert’s” opinion. If the insurance market sees these as the difference between loss and recovery, they’re a useful benchmark for any deal team trying to quickly assess risk.

Each control has a clear rationale. Each one has claims data behind it. And when they’re missing, or only partially implemented, the risk is rarely theoretical.

In the next section, we’ll break down each of the Fast Five using a consistent structure that’s intended to make it easy to consume:

  • (A) Control Overview: What the control does and why it matters
  • (B) Claims & Market Insight: What real-world data tells us about its impact
  • (C) Deal Implications: Why it matters in diligence, insurance, and what the broader risk impact is
  • (D) Key Screening Questions: Tactical questions to help diligence teams identify red flags
  • (E) How to Assess Responses: Guidance on interpreting answers and reading between the lines

III. Multi-Factor Authentication (MFA) – The Baseline Control Every Buyer Should Expect

(A) Control Overview
MFA prevents attackers from using stolen credentials to access systems like email, finance platforms, and remote networks. It’s simple, effective, and still somehow optional in too many environments… like seatbelts in the 1970s. Today, insurance carriers consider MFA non-negotiable prior to placing a policy, and it’s widely accepted as a universal best practice in the security industry. Its absence is no longer just a technical oversight – it’s a material exposure.

(B) Claims & Market Insight

  • Microsoft 2023 Research: Microsoft found that enabling multi-factor authentication (MFA) reduced the risk of account compromise by 99.22%. Even when credentials were leaked, 98.56% of MFA-enabled accounts remained secure.
  • Coalition 2025 Cyber Claims Report: Coalition’s analysis of its policyholder claims data found that organizations meeting MFA requirements experienced 73% fewer cyber insurance claims than the industry average.
  • Marsh 2024 Research: Using claims data from 2019 to 2023, Marsh found that orgs without MFA were 2x more likely to suffer business email compromise (BEC) claims.

(C) Deal Implications
Remediation Priority: If MFA isn’t enforced on systems that handle sensitive data – including email, finance, and remote access – it should be treated as a Day 1 remediation item. This isn’t optional hardening; it’s foundational risk containment. Deal teams should consider pushing for pre-close implementation or escrow-backed commitments where appropriate.

Insurance Impact: MFA is now a prerequisite for any cyber coverage worth having in place. Its absence will result in coverage declination from most reputable carriers, and if you can find someone willing to take on the risk, it will likely come with key exclusions and high premiums / retention. For buyers relying on cyber coverage within a broader R&W policy, expect exclusions that may be significant enough to question whether that portion of the policy offers any meaningful protection at all.

Risk Lens: Incomplete MFA deployment often signals broader governance issues – unclear IT ownership, resource constraints, or legacy systems that haven’t been addressed. It’s a reliable indicator of security maturity and a useful early test of whether basic controls are actually operational. By no means is it a deal breaker, but it’s a broader signal that you may be inheriting a high-risk asset from a cyber perspective.

(D) Key Screening Questions
☐ Is MFA enforced at login for all high-risk systems – including email, financial apps, and remote access services?
☐ Can you list all internal or cloud systems where MFA is not enforced?
☐ What MFA methods are in use today and is enforcement consistent across the organization?

(E) How to Assess Responses
When asking about MFA, the goal isn’t just to hear “yes” – it’s to understand coverage, enforcement, and consistency. Here’s how to interpret the responses:

Coverage Across Critical Systems: Strong responses confirm that MFA is enforced across all high-risk areas: email, finance systems, VPNs, and remote access platforms. Any exceptions should be documented, justified, and scheduled for remediation if possible.

Method Consistency: The most secure implementations use app-based or hardware token methods. The security industry likes to shame SMS-based MFA, but the reality is that it’s better than nothing. The easiest to manage is app-based, like Duo or Microsoft Authenticator.

Enforcement Rigor: Answers should confirm that MFA is not optional – it’s enforced at the system level and can’t be bypassed or disabled by users. Flexibility at the user level (e.g., opt-outs or “trusted devices”) should raise concern. Executives like the CFO and CEO are the most targeted individuals within the org, so allowing them to opt out due to their role is a high-risk situation that should likely be addressed.

Watch out for responses that are overly broad or lack detail – like a blanket “yes” without clarification on scope or method. If a team can’t specify which systems are covered, what MFA method is enforced, or whether enforcement is mandatory, assume the control may be incomplete or inconsistently applied. It’s not expected that every single system or application is covered – especially in legacy environments. What matters is that gaps are known, documented, and have a clear rationale. Strong answers show awareness, demonstrate policy alignment, and highlight intent – not just a theoretical control. The data doesn’t suggest a benefit for having MFA… it screams one. For deal teams, the conclusion is clear: if MFA isn’t enforced across critical systems, it needs to be addressed.

IV. Endpoint Detection & Response (EDR) – Visibility Into What’s Already There

(A) Control Overview
EDR provides real-time monitoring, detection, and blocking of malicious activity across endpoints – laptops, servers, and workstations. Consider EDR as a much more advanced version of antivirus. It’s a control that not only prevents most attacks but also minimizes the blast radius when one gets through. EDR is another tool that is now considered a baseline expectation by insurance underwriters. Without it… detecting a breach (let alone containing it) becomes guesswork.

(B) Claims & Market Insight

(C) Deal Implications
Remediation Priority: If EDR isn’t deployed across all endpoints and servers, that gap should be closed as early as possible post-close. It’s a high-leverage control that dramatically reduces both detection time and incident cost. If EDR is only partially deployed, consider structuring full deployment across critical systems as a condition precedent or pre-close obligation – particularly if your insurance carrier requires it. The more realistic compromise, especially in environments without an existing EDR footprint, is to set clear post-close timelines with ownership and verification. Deployment speed can vary significantly depending on the environment’s complexity, tooling gaps, or internal resource constraints.

Insurance Impact: EDR is now a standard underwriting requirement for many cyber policies. Its absence may lead to reduced limits, higher deductibles, increased exclusions (e.g. no ransomware coverage), or total declination in certain cases.

Risk Lens: A lack of EDR creates visibility gaps that complicate both breach prevention and incident response post-close. One common concern is the risk of unknowingly inheriting an undetected breach… a scenario that, while technically possible, is often overstated. The Marriott–Starwood example is frequently discussed as a scare tactic, but in today’s landscape, most financially motivated attackers act quickly and move on. The bigger issue isn’t a dormant breach waiting to trigger liability – it’s knowing that even if an incident did occur, the org wouldn’t know until it’s too late. And because most (all?) R&W policies exclude pre-existing breaches, that becomes your exposure. Add to that the cost and complexity of deploying EDR after closing – and the insurance implications of not having it in place – and the risk profile starts to shift meaningfully.

(D) Key Screening Questions
☐ Is EDR deployed across all workstations, laptops, and servers?
☐ What EDR solution is in use and who is responsible for monitoring alerts?
☐ Is it set up to block detected threats?
☐ How frequently are alerts reviewed?

(E) How to Assess Responses
Understanding EDR maturity requires more than confirming its presence. You want to understand where it’s deployed, what solution it is, whether alerts are actively monitored, and whether the organization is prepared to act on what the tool reveals.

Deployment Scope: Strong responses confirm 100% endpoint coverage – including production servers and remote devices. Partial rollouts or BYOD exclusions should be called out explicitly.

Configuration: Many companies roll out EDR and only set it to alert them of threats, for fear of blocking legitimate activity. With advancements in AI, these tools should be set to block the threats they detect; otherwise you risk something slipping through the cracks.

Monitoring and Response: The key here is that alerts are monitored 24x7x365. It shouldn’t be one internal IT person who claims to review them once a day. You can have the best EDR tool in the world, but if no one is monitoring alerts on Friday night at 11pm (when most incidents happen) then you’re going to have a surprise waiting for you on Monday morning. Ideally, it’d be a 3rd party that actively monitors alerts 24x7x365.

EDR Vendor: There are a lot of great EDR tools out there. There are also some EDR tools that provide a false sense of security. Some reputable vendors: SentinelOne, CrowdStrike, Microsoft Defender, Palo Alto Cortex, Huntress.

The key with EDR is that they have a tool in place, it is set up to automatically act on threats, and it’s being monitored at all times. Look out for vague answers about how it’s being monitored. Just because they get an email alert, or their team ‘checks regularly,’ does not mean it’s being monitored. What you want to hear is that alerts are routed to a team that’s actively watching and responding 24/7. Without that, EDR becomes an expensive checkbox.

V. Patch Management – A Direct Line to Breach Exposure

(A) Control Overview
Patch management is the process of identifying, prioritizing, and applying software updates that fix known vulnerabilities. When you think of cyber basics… patching known vulnerabilities is front of mind. When it works, it’s invisible. When it doesn’t, it’s often the reason attackers get in. Many of the highest-profile breaches over the past decade stemmed from unpatched, publicly known vulnerabilities.

Unlike some controls that require nuance, patch management is binary: either critical vulnerabilities are being addressed in a timely way or they’re not. It’s one of the clearest signals of a company’s operational maturity – and one of the first places insurers and underwriters look when assessing technical risk.

(B) Claims & Market Insight

  • Gallagher Re 2024 Cyber Claims Study: Found that the speed at which orgs apply security patches was the strongest technical predictor of cyber insurance claims, highlighting that a slow patching cadence accounted for 41% of the analyzed incidents.
  • Ponemon Institute: 60% of breaches involved known vulnerabilities for which patches were available but had not been applied.

(C) Deal Implications
Remediation Priority: Patch management doesn’t typically require pre-close attention unless there’s a known vulnerability that isn’t patched (which would be detected through our cyber screening process). Otherwise, it should be treated as a core part of the 100-day integration plan. If there’s no patching program or tool in place, this is one of the fastest ways to reduce technical risk across the environment. Some low-hanging fruit includes enabling auto-updates where possible, auditing patch status for externally facing systems, and standing up basic vulnerability tracking with defined timelines for patching critical vulnerabilities on external systems. These steps don’t require heavy investment, but they send a clear signal that risk is being actively managed – not deferred.

Insurance Impact: Many insurers are now asking specific questions about patch frequency, tooling, and vulnerability tracking. Weak practices can increase premiums, introduce exclusions, or lead to declined coverage – especially in breach-heavy sectors. Additionally, there are multiple cases of insurance claims being denied after the carrier determines that patches were not applied in accordance with the cyber policy and insurance application (e.g., Cottage Health v. Columbia Casualty).

Risk Lens: Weak patch management is a red flag because it reflects more than just an IT security issue… it signals a lack of operational discipline. If a company isn’t consistently addressing something as basic as software updates, it often points to deeper problems with accountability, prioritization, and internal coordination.

(D) Key Screening Questions
☐ How quickly are critical patches applied to internet-facing systems?
☐ Is there a written policy or general practice that defines patching timelines?
☐ Who is responsible for making sure patches get applied across the company?

(E) How to Assess Responses
With patch management, you’re not looking for perfection – you’re looking for awareness, ownership, and follow-through. Good responses don’t just describe what’s supposed to happen; they reflect an actual process that someone is responsible for.

Clarity on Timing: Strong responses include a defined (or at least understood) timeframe for applying critical patches – especially to systems exposed to the internet. Insurance underwriters tend to care most about patching external systems and ideally like to see 24-48 hours for critical patches. It’s not unusual to see 5-7 days, so long as it’s defined and understood.

Defined Ownership: Answers should clearly identify who is responsible for patching and how they stay on top of it. Many targets in this space rely on a third-party MSP for patching, which can be a concern because the MSP may have to patch 100 customers for a single critical vulnerability. Understanding who is responsible and what the SLAs are is critical to protecting the business.

Basic Oversight: Mature organizations can describe how they make sure patching doesn’t get missed – whether through tooling, reporting, or regular check-ins. It doesn’t need to be automated or perfect, but there should be some mechanism in place. And that matters more now than ever… the number of disclosed vulnerabilities jumped 38% YOY, from 28,800 in 2023 to over 40,000 in 2024. Microsoft alone issued more than 1,000 patches last year. Without a structured process, staying current isn’t just hard… it’s almost impossible.

If the team can’t name who’s responsible, how they prioritize, or what happens when patches are missed, assume this is a control that isn’t actively managed. It doesn’t mean the deal is at risk – but it’s a signal that you’ll be inheriting operational gaps that may need attention early in ownership.
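The “basic vulnerability tracking with defined timelines” recommended under Remediation Priority, and the timing benchmarks under Clarity on Timing, can be captured in a very small tracker. The following is an added example, not code from the article or its author: the SLA windows for internet-facing critical patches (48 hours target, 7 days as the still-acceptable ceiling) are the numbers quoted in the text, while the other windows, the record format, asset names, owners and dates are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Target SLA in hours, keyed by (internet_facing, severity).
# The article gives a target only for critical patches on external systems
# (24-48h); the other windows are assumptions chosen for the example.
TARGET_SLA_HOURS = {
    (True, "critical"): 48,
    (True, "high"): 7 * 24,
    (False, "critical"): 7 * 24,
    (False, "high"): 30 * 24,
}
# Article: 5-7 days is common and defensible so long as it is defined.
ACCEPTABLE_CEILING_HOURS = 7 * 24


@dataclass
class PatchRecord:
    asset: str
    owner: str                   # named owner (internal team or MSP); "" = nobody
    internet_facing: bool
    severity: str                # "critical" or "high"
    patch_available: datetime    # when the vendor fix became available
    applied: Optional[datetime]  # None while the patch is still open


def classify(rec: PatchRecord, now: datetime) -> str:
    """Grade one record against the SLA table.

    Applied patches: within_sla / late_but_acceptable / overdue.
    Open patches:    open_within_sla / open_overdue (measured up to `now`).
    """
    end = rec.applied if rec.applied is not None else now
    elapsed_h = (end - rec.patch_available).total_seconds() / 3600
    target_h = TARGET_SLA_HOURS[(rec.internet_facing, rec.severity)]
    if rec.applied is None:
        return "open_overdue" if elapsed_h > target_h else "open_within_sla"
    if elapsed_h <= target_h:
        return "within_sla"
    if elapsed_h <= ACCEPTABLE_CEILING_HOURS:
        return "late_but_acceptable"
    return "overdue"


def report(records: List[PatchRecord], now: datetime) -> Dict[str, object]:
    """Summarise the tracker the way a diligence reviewer reads it:
    status counts, items with no named owner, and open backlog per owner
    (a large MSP backlog is the concentration risk the article describes)."""
    statuses: Dict[str, int] = {}
    open_by_owner: Dict[str, int] = {}
    unowned: List[str] = []
    for rec in records:
        status = classify(rec, now)
        statuses[status] = statuses.get(status, 0) + 1
        if not rec.owner.strip():
            unowned.append(rec.asset)
        if rec.applied is None:
            key = rec.owner.strip() or "<unassigned>"
            open_by_owner[key] = open_by_owner.get(key, 0) + 1
    return {"statuses": statuses, "unowned": unowned, "open_by_owner": open_by_owner}


# Constructed sample data: fictitious assets, owners and dates.
UTC = timezone.utc
SAMPLE_NOW = datetime(2024, 3, 20, 12, 0, tzinfo=UTC)
SAMPLE_RECORDS = [
    PatchRecord("vpn-gateway-01", "MSP (Acme IT)", True, "critical",
                datetime(2024, 3, 10, 9, 0, tzinfo=UTC), datetime(2024, 3, 11, 15, 0, tzinfo=UTC)),
    PatchRecord("web-portal", "MSP (Acme IT)", True, "critical",
                datetime(2024, 3, 12, 9, 0, tzinfo=UTC), datetime(2024, 3, 17, 9, 0, tzinfo=UTC)),
    PatchRecord("mail-relay", "", True, "critical",
                datetime(2024, 3, 1, 9, 0, tzinfo=UTC), None),
    PatchRecord("file-server-02", "Internal IT", False, "critical",
                datetime(2024, 3, 5, 9, 0, tzinfo=UTC), datetime(2024, 3, 15, 9, 0, tzinfo=UTC)),
    PatchRecord("hr-app", "Internal IT", False, "high",
                datetime(2024, 3, 18, 9, 0, tzinfo=UTC), None),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.asset:16} {rec.owner or '<unassigned>':16} {classify(rec, SAMPLE_NOW)}")
    print(report(SAMPLE_RECORDS, SAMPLE_NOW))
```

The unowned, long-open external critical (mail-relay) is exactly the answer pattern the section tells you to treat as an unmanaged control.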

VI. Backups – The Most Overstated and Underperforming Control

(A) Control Overview
Backups are the safety net every organization assumes will work – until they don’t. The idea is simple: copy your critical data and systems somewhere safe so you can restore operations if ransomware or accidental loss strikes. But backups only help if they work.

The reality is that backups often exist in name only – poorly segmented, poorly protected, and rarely tested. It’s one of the most common areas where confidence doesn’t match reality. And when it fails, the cost isn’t just operational – it’s reputational, financial, and often permanent.

(B) Claims & Market Insight

  • At-Bay Ransomware Report:
    • 92% of businesses reported having backup systems, but 31% failed to successfully restore from them during ransomware attacks.
    • Organizations with well-tested and segmented backups saw a 41% reduction in ransomware claim severity.
    • Cloud-based backup solutions provided the highest recovery rates, with orgs using them being 1.5 times more likely to successfully restore than those using traditional offsite backups.
  • Coveware Q4 2023 Report: Companies unable to restore from backups were 300% more likely to pay a ransom.


(C) Deal Implications
Remediation Priority: Weak or unverified backups should be addressed early post-close. In the first 100 days, focus on isolating backup systems from the production environment (ideally via cloud-based solutions), enforcing MFA, enabling immutability where possible, and performing a test restore of critical assets to make sure they actually work when needed.

Insurance Impact: Backup maturity is a major factor in ransomware underwriting. Poor practices may lead to limited ransomware coverage, higher retention, or outright denial of certain claims. Denied claims become an issue when applicants submit that they have functional backups but fail to restore during a ransomware incident, prolonging downtime and increasing costs.

Risk Lens: Backups often reveal the gap between perception and practice. If a company hasn’t tested restoration or doesn’t segment backups from production, they’re not protected – they just think they are. That false sense of security is a liability.


(D) Key Screening Questions
☐ Are backups performed regularly across all critical systems?
☐ Are backup systems segmented?*
☐ When was the last time a restore test was performed?


(E) How to Assess Responses

Backups are easy to talk about and hard to validate – which is why this section often draws the most confident answers. The key is to move past “we have backups” and understand whether they’re useful when everything goes to hell.

Frequency and Scope: Good answers confirm that backups run regularly (e.g. daily) and cover all critical systems. Don’t expect every single thing to be backed up, just make sure critical systems are.

*Segmentation: This is where answers get vague and people make mistakes. I’m going to avoid getting too far into the weeds here… but there are different ways to segment backups and many ways to poorly segment them. The reality is that ransomware groups are intentionally trying to find and delete backups to force payment. That’s why the best, easiest-to-interpret answer is a cloud-based backup solution. It’s a strong signal that things are in a good place. Other answers aren’t necessarily a red flag, but you may need to pull in someone to assess the nuances of their answers.

Restore Confidence: You want to hear that they’ve tested the backups in the last year and that they have an idea of how long recovery would take. If not, it’s definitely something to pencil into the 100-day plan.

The biggest red flag with backups is overconfidence. We typically find a backup solution was purchased years ago, left to run on autopilot, and hasn’t been tested since. But there’s a big difference between having backups and being able to actually use them. In a ransomware scenario, that difference is the deciding factor whether the business is down for two weeks and pays a $500K ransom or restores operations in three days without writing a check.

VII. Incident Response – The Plan Everyone Assumes Exists

(A) Control Overview
Leadership typically assumes someone will know what to do in a cyber incident (or that it won’t happen to them)… until it happens. Incident response isn’t just about reacting under pressure. It’s about having a defined, tested plan that assigns roles, escalates quickly, and brings the right people into the room fast.

It’s the control that determines whether an incident stays a contained disruption or spirals into a costly, reputation-damaging mess. In LMM / MM sized transactions, we unfortunately see incident response plans that were copied and pasted directly from an online template.

(B) Claims & Market Insight

  • Coalition 2025 Claims Report: 56% of reported incidents were resolved with zero out-of-pocket cost when companies responded promptly and brought in legal and forensics early.
  • Marsh McLennan Cyber Incident Readiness Article: “A cyber incident response plan that is not tested is little more than a paper exercise and is unlikely to stand up to real-world events — or to insurer scrutiny.”
  • IBM Cost of a Data Breach Report 2024: Organizations with high levels of incident response planning and testing saved an average of $1.49 million per breach compared to those with none.

(C) Deal Implications
Remediation Priority: A written IR plan should be reviewed and refreshed within the first 100 days post-close. That includes naming internal leads, confirming external counsel and forensics partners that are approved by the cyber insurance policy, and running a tabletop exercise with key stakeholders.

Insurance Impact: Carriers increasingly expect documented IR plans – including contact escalation paths and legal coordination – as part of their underwriting review. Lack of planning may result in delayed claims handling, higher breach costs, or coverage disputes. One of the most important components is ensuring that both legal counsel and incident response firms are approved by the carrier.

Risk Lens: A poor (or non-existent) incident response plan isn’t just a cyber risk. It’s an operational, legal, and financial exposure. It signals uncoordinated execution, unclear stakeholder roles, and heightened vulnerability to regulatory and reputational fallout. One of the most common – and costly – gaps we see post-close is a missing escalation path to the private equity firm when a cyber incident is discovered. Sponsors are often notified only after key decisions have been made, at which point recovery options narrow and costs rise. Most LMM and MM targets lack deep experience with high-impact incidents and tend to rely on local IT vendors who shouldn’t be handling incident response. I’ve seen this play out dozens of times: delayed recovery when things go right, complete disaster when they don’t... Add in the absence of legal privilege, poor documentation for claims, and broken continuity across stakeholders – and what should have been a manageable event becomes a compounded loss. The plan doesn’t need to be perfect, but it needs to exist, be current, and explicitly include upstream communication.

(D) Key Screening Questions
☐ Is there a documented incident response plan and when was it last reviewed?
☐ Who leads the response effort internally and what external support is in place?
☐ Have key personnel participated in a tabletop or simulation exercise?

(E) How to Assess Responses
Incident response is easy to overestimate – especially if no one’s ever had to use the plan. What matters is whether the team knows what it says, who’s in charge, and how quickly it can be executed under pressure.

Plan Clarity: Strong responses confirm there’s a written IR plan with named internal roles, clearly defined escalation paths, and pre-identified external support. The most effective plans don’t rely on internal IT alone – they engage experienced outside counsel and forensic firms who handle incidents regularly and know how to manage legal exposure, preserve evidence, and coordinate with insurers. For lower and middle-market teams, this outside expertise is critical. While internal teams may have never dealt with a live incident, top-tier external partners often manage several per week. Those partners should be named directly in the plan… bonus points if direct phone numbers are included instead of generic hotlines.

Testing and Familiarity: Mature teams have run tabletop exercises or dry runs within the last 12-18 months. Don’t expect them to have brought in a 3rd party or spent a full day walking through a scenario.

Real Ownership: Someone should know who gets called first – and it shouldn’t be a guess. If the plan starts and ends with “we’d figure it out,” assume they haven’t.

The most important takeaway isn’t complexity… it’s credibility. No one expects an SMB to have a $50K IR plan built by a 3rd party that’s tested quarterly and mapped to three layers of regulatory frameworks. That’s not the bar. What matters is that a plan actually exists, that it hasn’t just been pulled from an online template, and that it names real people – internal and external – who know what to do when something goes wrong. It’s unrealistic to expect frequent testing in smaller environments, but an annual tabletop exercise and clearly documented escalation paths that include the sponsor and 3rd party experts go a long way. When things go sideways post-close, having the right names in the plan is often the only thing standing between a coordinated response and a chaotic, costly scramble.

VIII. Final Take – No Diligence Provider? This is the Minimum Checklist

The “Fast Five” aren’t a replacement for cyber diligence… but they are a good alternative to skipping it. Think of them as your last line of defense when time, scope, or budget won’t support a full review. They’re not comprehensive, but they’re focused.

They also serve another purpose: pressure-testing what you're being told. The answers you get to these questions won’t just reveal technical gaps – they’ll show you who’s really in charge, how risk is being managed, and whether there’s alignment between leadership and IT. That may be more revealing than anything you’d find in a formal diligence report.

In deals where you can't ask everything, ask the right things. The “Fast Five” won’t catch every risk – but they’ll help you feel a little more comfortable moving forward.

And if you’re tired of the traditional cyber diligence playbook… the bloated timelines, enterprise frameworks, and the 50-page reports that don’t align with anything you actually care about… you’re not alone. That’s exactly why we built our cyber screening approach. It’s not a shortcut. It’s a different model, built entirely for deal teams who want real insight, fast, and without the technical noise.
