
A decade ago, cyber due diligence sat somewhere between “nice to have” and “we’ll deal with it post-close.” That world no longer exists.

In today’s M&A market, speed defines outcomes: deals are shaped earlier, LOIs are signed faster, and valuation assumptions are established long before technical teams are invited into a data room. Against that backdrop, 72 hours has quietly become the practical standard for identifying material cyber risk - not because it’s ideal, but because it’s all the market now allows.

This shift is being driven by three forces that now converge on every transaction.

Compression of the deal timeline

Private equity and corporate acquirers operate in an environment where competitive tension is engineered from day one. Early diligence windows have collapsed, and sellers expect indications of value before full access is granted.

If material exposure exists (latent ransomware, unmanaged cloud assets, a brittle supplier ecosystem) it will surface eventually. The question is whether it appears before valuation is fixed, or after capital is deployed.

In practice, most deal teams now have roughly 72 hours between the first serious engagement and internal alignment on price. Any risk that can’t be surfaced within that window is effectively invisible until post-close - when leverage disappears and remediation costs become unavoidable.

Regulation has removed the margin for error

Regulators now treat cyber incidents as financially material events, not technical mishaps. The SEC’s disclosure rules, the UK’s expanding oversight expectations, and data protection regimes, such as India’s DPDP Act, have moved the goalposts.

Boards are now expected to demonstrate prior awareness of cyber exposure. “We didn’t know” is no longer a credible excuse, and “we didn’t have time” is no longer an acceptable one.

The financial impact is also well understood. IBM’s 2025 Cost of a Data Breach Report puts the average UK incident at £3.82 million. For an investment committee, failing to identify a significant liability within 72 hours can often lead to catastrophic valuation "haircuts" post-close.

Why traditional cyber due diligence is no longer practical

Despite this new 72-hour reality, many M&A processes still rely on models built for a slower era: lengthy questionnaires, cooperative targets, and weeks of review. This approach fails precisely when it is most needed - before trust, access, or exclusivity exist.

Instead, firms are increasingly adopting, at a minimum, what practitioners now refer to as zero-touch recon: the ability to form a defensible view of cyber posture without asking the target to lift a finger.

This isn’t about “scanning and guessing”; it’s about observing what the organisation has already exposed to the world - its infrastructure, its digital dependencies, its operational footprint - and drawing conclusions that are both technically sound and financially relevant.

Within a 72-hour window, this new approach allows deal teams to answer the questions that actually matter:

  • Is there evidence of existing compromise or ransomware pre-positioning?
  • How much unmanaged technical debt exists, and what will it cost to unwind?
  • Has the target managed its external technology footprint, and are there indications of legacy technology still in use?
  • Are critical suppliers potentially introducing regulatory or operational fragility?
  • Is cyber risk likely to surface as a post-close surprise, or has it already been priced in?

Turning cybersecurity into an enabler

There’s a persistent myth in M&A that cyber teams slow deals down. In reality, it’s uncertainty that slows deals down - not fast, effective oversight.

When early-stage cyber diligence is automated, repeatable, and - crucially - fast, it gives investment committees confidence, reduces last-minute renegotiation, and allows remediation to be planned and factored in rather than improvised. The focus for a partner working with PE should be on providing deal-focused analysis of cybersecurity: the audience, context, and risks are fundamentally different from those a cybersecurity professional without deal experience will be used to.

Thomas Murray designed Orbit Intelligence specifically to address this need. Automated discovery establishes the external risk baseline, while the company’s managed service team handles the deeper validation and the inevitable back-and-forth that often puts pressure on a firm’s internal resources.

By the second day of a transaction, deal teams are no longer debating whether there might be a problem; they’re deciding how to treat it - through price, through warranties, or through a first-and-final 100-day plan. The rapid implementation of critical cybersecurity controls will counter the increase in attacks that often follows a deal announcement.

Cyber oversight is now a fiduciary obligation

Boards and LPs no longer ask whether cyber due diligence has been performed – they ask how consistently, how early, and against what standard.

A firm that cannot demonstrate a repeatable, time-bound approach to cyber risk is exposed - not only to incidents, but to questions about governance and oversight. In that context, a 72-hour standard is not aggressive but defensive, and it should be viewed as the first hurdle: the one that unearths significant risks which may justify further investigation.

This standard ensures that no acquisition begins with an unknown, multi-million-pound liability hidden beneath the surface. It ensures that cyber risk is treated with the same discipline as financial and legal exposure. And it ensures that speed does not come at the expense of judgement.

The market has already decided

Whether formally acknowledged or not, the market has already set the pace. Deals move in days, not weeks, and risk crystallises early.

The only open question is whether your cyber due diligence process is designed for that reality or for one that no longer exists.

72 hours is now the minimum viable standard

Firms that understand this will continue to price risk accurately, protect returns, and avoid the kind of post-close surprises that destroy trust long after the deal is done.

By partnering with Thomas Murray, you gain the "standardised scorecard" that LPs and regulators now expect, proving that your cybersecurity-for-private-equity strategy is both proactive and scalable.
