Secure Controls Framework

SCF Free Content

MA&D — Mergers, Acquisitions & Divestitures

The SCF MA&D framework provides structured cybersecurity and data privacy guidance for every phase of a merger, acquisition, or divestiture — from due diligence through integration or separation. Built on the Common Controls Framework™ and designed for deal teams, security leaders, and GRC practitioners.

At a glance: 3 transaction types, 5 deal phases, 33 domains assessed. Free, licensed under Creative Commons.

Common Controls Framework™

The SCF is the exclusive, trademarked Common Controls Framework™ (CCF™) — a Living Control Set with 33 domains, 1,400+ controls, and mappings to 200+ laws, regulations & frameworks. SCF MA&D applies the CCF™ to M&A and divestiture transactions — providing cybersecurity due diligence, risk quantification, and integration/separation guidance. Free. Always.

SCF MA&D integrates with the CDPAS assessment methodology, Evidence Request List (ERL), and SCR-CMM maturity scoring — delivering a complete cyber due diligence and integration/separation toolkit at no cost.

About SCF MA&D

Cybersecurity Is a Material M&A Risk — Treat It That Way

Cybersecurity has become a material risk in every M&A transaction — yet most deal teams still treat cyber due diligence as an afterthought. Undetected breaches, legacy vulnerabilities, regulatory non-compliance, and inadequate security programs have derailed acquisitions, triggered price adjustments, and generated post-close liability that destroys deal value.

The SCF MA&D framework provides a structured, repeatable approach to cybersecurity and data privacy in M&A transactions — covering all three transaction types (mergers, acquisitions, and divestitures) across all five deal phases. It applies the SCF CCF™ control catalog as the consistent standard for evaluating target organizations, quantifying cyber risk, and planning integration or separation.

For divestitures, SCF MA&D addresses the often-overlooked complexity of security separation — disentangling shared systems, identities, data, and controls without creating gaps in either the seller's remaining environment or the carved-out entity.

Volunteer-Driven. Creative Commons Licensed.

SCF MA&D is developed by volunteer cybersecurity practitioners with direct M&A transaction experience and released at no cost under Creative Commons Attribution 4.0.

Transaction Types

Three Transaction Types — Distinct Cyber Considerations

Mergers, acquisitions, and divestitures each create different cybersecurity risks and obligations. SCF MA&D provides tailored guidance for all three — with a common control framework baseline enabling consistent risk comparison.

Transaction Type 1

Mergers

Two organizations combining into a single entity — requiring full cybersecurity program integration. Both organizations' Minimum Compliance Requirements (MCR) obligations, control environments, and compliance postures must be reconciled. The combined entity inherits all regulatory obligations of both predecessors.

Transaction Type 2

Acquisitions

The acquiring entity (buyer) assumes cybersecurity responsibility for the target at close. The buyer inherits the target's security posture — including any undisclosed breaches, regulatory exposure, technical debt, and legacy vulnerabilities. Due diligence determines what the buyer is actually buying.

Transaction Type 3

Divestitures

Separating a business unit, subsidiary, or asset from the parent — the most technically complex of the three types. Requires disentangling shared infrastructure, identity systems, networks, and data without creating security gaps in either the retained entity or the carved-out business.

SCF MA&D Standards

Eight Standards — Governing MA&D Assessment Services

SCF MA&D defines eight principal standards covering professional conduct, secure practices, due diligence, due care, quality control, and conformity designation — each with specific substandards that govern cybersecurity and data protection assessment services.

Standards and their substandards:

1. Professional Duty of Care: 1.1 Ethical Conduct; 1.2 Independence; 1.3 Subject Matter Competency; 1.4 Conflict of Interest (COI) Avoidance.

2. Secure Practices: 2.1 Security & Data Protection by Design & by Default; 2.2 Statement of Work (SOW); 2.3 Assessment-Specific Data Protection Impact Assessment (DPIA); 2.4 Intellectual Property (IP) Protections; 2.5 Protection of Assessment Information; 2.6 Use of Assessment Information; 2.7 Disposal of Assessment Information.

3. MA&D Due Diligence - MA&D Due Care - EBA & AE: 3.1 Adherence To Data Protection Requirements; 3.2 Assessment Boundary Demarcation; 3.3 Graphical Representation of Assessment Boundary; 3.4 Stakeholder Identification; 3.5 Control Reciprocity; 3.6 Control Inheritance; 3.7 Defined Cybersecurity and/or Data Privacy Controls; 3.8 Defined Risk Tolerance; 3.9 Defined Maturity Level; 3.10 Defined Materiality Threshold; 3.11 Material Risk Designation; 3.12 Material Threat Designation; 3.13 Material Incident Designation; 3.14 Internal MA&D Assessment; 3.15 Implemented Capability; 3.16 Virtual Data Room (VDR); 3.17 Post-Close Integration Security Plan (PCISP).

4. MA&D Due Diligence – Third-Party Assessors: 4.1 Agreed Upon Control Set; 4.2 Formalized Assessment Plan; 4.3 Defined Assessment Boundaries; 4.4 Validate Control Applicability; 4.5 Defined Evidence Request List (ERL); 4.6 Explicit Authorization For Testing; 4.7 First-Party Declarations (1PD) - Control Inheritance; 4.8 Third-Party Attestations (3PA) - Control Inheritance & Reciprocity; 4.9 Stakeholder Validation.

5. MA&D Due Care - EBA: 5.1 Proactive Governance; 5.2 Non-Conformity Oversight.

6. MA&D Due Care – Third-Party Assessors: 6.1 Assessment Methods; 6.2 Assessment Rigor; 6.3 Assessing Based On Control CDPAS Applicability; 6.4 Assessment Objectives (AOs); 6.5 Control Designation; 6.6 Objectivity Through Reasonable Interpretation; 6.7 Adequate Sampling; 6.8 Assessment Tools & Automation.

7. Quality Control: 7.1 MA&D Assessment Findings; 7.2 Objective Peer Review.

8. Conformity Designation: 8.1 Report On Conformity (ROC); 8.2 MA&D Assessment Finding Challenges; 8.3 Projected MA&D Remediation Costs.

Transaction Lifecycle

Plan-Do-Check-Act (PDCA) in M&A

The SCF MA&D framework operates within a PDCA cycle applied to the full transaction lifecycle — ensuring that cyber risk is systematically identified, addressed, validated, and incorporated into the merged or separated organization's ongoing program.

Assessment Lifecycle

PLAN

Define due diligence scope. Select CDPAS assessment type. Map target's applicable MCRs. Build ERL-based evidence request. Develop Day-1 security plan and integration/separation roadmap before close.

Assessment Lifecycle

DO

Execute CDPAS due diligence assessment. Collect and validate evidence. Score using SCR-CMM. Quantify cyber risk for deal structuring. Execute Day-1 plan at close. Begin integration or separation workstreams.

Continuous Improvement

CHECK

Validate pre-close remediation requirements were met. Verify Day-1 security controls are operating. Monitor integration or separation progress against the plan. Conduct follow-on CDPAS assessment to measure maturity improvement.

Continuous Improvement

ACT

Complete remaining integration or separation workstreams. Achieve unified SCF-based security program. Complete MCR compliance convergence. Transition from deal-mode security management to the organization's standard PDCA cycle.

Creative Commons — No Cost — No Registration Required

Download SCF MA&D — Free

SCF MA&D is included in the SCF download — the complete cyber due diligence, risk quantification, integration, and separation framework built on the Common Controls Framework™. One download, complete M&A toolkit.

Licensed under Creative Commons Attribution 4.0. Volunteer-driven by the SCF Council. No registration required.

Due Diligence Checklist

SCF MA&D Due Diligence — Key Assessment Areas

The SCF MA&D due diligence framework structures cyber due diligence across eight critical assessment areas — each mapped to the relevant SCF control domains and ERL evidence requirements.

Each assessment area is listed with its SCF domains, its risk level, and the key questions to answer:

Incident & Breach History (SCF domains: IRO, MON; risk level: Critical): Undisclosed breaches? Active threat actor presence? Pending regulatory investigations? Open incident response actions?

Regulatory Compliance Status (SCF domains: CPL, GOV, PRI; risk level: Critical): All applicable MCRs identified and mapped? Current compliance status? Outstanding enforcement actions? Privacy law compliance (GDPR, CCPA, HIPAA)?

Identity & Access Management (SCF domain: IAC; risk level: High): MFA deployed? Privileged access management in place? Joiners/movers/leavers process effective? Directory structure and federation complexity?

Data Classification & Handling (SCF domains: DCH, CRY, PRI; risk level: High): Data inventory current? Sensitive data types and locations identified? Encryption at rest and in transit? Data retention and deletion processes?

Network & Infrastructure Security (SCF domains: NET, CFG, END; risk level: High): Network segmentation architecture? Legacy systems and end-of-life technology? Vulnerability management cadence and patch levels? Cloud security posture?

Third-Party Risk (SCF domain: TPM; risk level: Medium): Critical vendor inventory? TPRM program maturity? Fourth-party risk exposure? Vendor contracts with appropriate security clauses?

Security Governance & Program Maturity (SCF domains: GOV, HRS, SAT; risk level: Medium): CISO / security leadership in place? Security policies current? Security awareness training? Board-level security reporting?

Business Continuity & Recovery (SCF domain: BCD; risk level: Medium): BCP/DR plans tested? Recovery Time Objectives (RTOs) documented? Backup architecture verified? Ransomware recovery capability?

Cyber Risk Quantification

Translate Cyber Findings Into Deal Economics

A due diligence finding that says "MFA is not fully deployed" is not useful to a deal team or investment committee. SCF MA&D provides guidance for translating CDPAS assessment findings into the financial and contractual terms that M&A transactions require.

Using the SCF proposed control weightings and SCR-CMM maturity scores, cyber findings can be expressed as residual risk exposures — enabling comparison to breach cost databases and cyber insurance premium benchmarks to produce defensible order-of-magnitude risk estimates for deal structuring.

$ Purchase Price Adjustment

Quantify estimated remediation cost for critical and high-severity gaps. Negotiate a corresponding price reduction or escrow holdback to fund post-close remediation.

$ Representations & Warranties (R&W) Insurance

Cyber findings inform the R&W insurance application. Disclosed material cyber risks are typically excluded; undisclosed risks may remain covered depending on policy terms.

$ Indemnification Provisions

Pre-close compliance failures and undisclosed breaches should be subject to seller indemnification — with MCR gaps particularly important as they represent defined legal liability.

$ Pre-Close Remediation Obligations

Require the seller to close identified critical MCR gaps before deal close as a condition of closing — reducing the buyer's inherited liability.

MCR Gaps Are Non-Negotiable

Unlike security gaps where a buyer might accept residual risk, MCR compliance failures represent defined legal liability that attaches to the entity — not the deal structure. MCR gaps in the acquired entity become the buyer's compliance obligations at close. Price them accordingly.

Divestiture Security Separation

The Complexity of Security Separation

Divestitures present unique cybersecurity challenges that acquisitions do not — particularly the technical complexity of safely separating two entangled security environments without creating gaps in either the retained or divested entity.

Key Separation Workstreams

SCF MA&D organizes divestiture security separation into five parallel workstreams — each requiring specific SCF control domain activity and sequencing to execute safely.

1. Identity & Access Separation (SCF IAC): Disentangle shared Active Directory / identity providers. Provision new identity infrastructure for the carved-out entity.

2. Network Separation (SCF NET): Segment and then fully separate shared network infrastructure. Establish independent internet egress, DNS, and VPN.

3. Data Classification & Migration (SCF DCH): Identify all data that belongs to the carved-out entity. Migrate to new infrastructure. Verify no data leakage.

4. Application Separation (SCF AST, CLD): Identify shared applications. Determine which are carved out vs retained. License new instances or negotiate TSA terms.

5. MCR Separation (SCF CPL): Determine which regulatory obligations transfer with the carved-out entity vs remain with the retained entity. Ensure independent MCR compliance capability at close.

Transition Service Agreement (TSA) Security Requirements

During a divestiture, the seller often provides transitional IT services to the buyer under a TSA — maintaining shared access and infrastructure for a defined period post-close. TSAs create ongoing security risk for both parties.

SCF MA&D defines minimum security requirements for the TSA period:

✓ All TSA-period access is formally documented and time-bounded

✓ TSA access is monitored and auditable by both parties

✓ Data flows between entities during TSA are explicitly defined and restricted

✓ Incident response obligations during TSA are clearly assigned

✓ TSA security requirements are contractually enforceable

✓ TSA exit criteria include security separation verification

TSA Duration Best Practice

Keep TSA periods as short as operationally feasible. Shared infrastructure creates ongoing security exposure for both parties. Plan and resource separation activities to achieve independence as quickly as possible.

SCF MA&D should be adopted and tailored to the unique size, resources, and risk circumstances of each organization. It can be modified or augmented with specific requirements