Get Secured
← All Posts Security Governance

Crypto Security Due Diligence for M&A: Assessing the Security Posture of a Web3 Acquisition Target

Security due diligence in crypto M&A goes beyond policy documents. This guide covers what to assess in a target's key management practices, incident history, people risk, compliance status and how to structure findings for non-technical decision-makers.

When a corporate development team runs due diligence on a crypto or Web3 acquisition target, the workstreams that get the most attention are almost always financial and legal: cap table integrity, revenue recognition, token treasury accounting, contractual liabilities, litigation exposure. Security due diligence, when it happens at all, is frequently reduced to a questionnaire circulated by outside counsel and a request for a SOC 2 report. That approach might be adequate for a SaaS acquisition. It is not adequate for a business whose core asset is often a set of private keys, a smart contract with upgrade authority, or a treasury that can be moved irreversibly in seconds by whoever controls the signing infrastructure.

This is a practical guide for the people who actually have to sign off on a crypto acquisition: the CISO asked to validate a target's security posture in three weeks, the general counsel drafting representations and warranties around cyber risk, the corporate development lead building the data room request list, and the institutional investor deciding whether the deal terms reflect the real risk being acquired. It sets out what to request, what to assess, and how to communicate findings to people who are not security specialists but who are making the final decision.

Why Security Due Diligence Is Different in Crypto M&A

In a conventional technology acquisition, a security incident usually means a breach of data: customer records exposed, intellectual property exfiltrated, systems taken offline. These are serious but generally recoverable harms. Insurance exists, remediation timelines exist, and the business can usually continue operating while the incident is contained.

In a crypto business, the equivalent failure mode is different in kind, not just degree. If a target's multisignature wallet is compromised, or a single developer's laptop holds a signing key with no compensating control, the result is not a data breach. It is the irreversible loss of the asset itself: the treasury, the protocol's upgrade authority, the liquidity backing a stablecoin. There is no chargeback, no data restoration from backup, and frequently no realistic path to recovery once funds have left the chain. This changes the calculus for an acquirer substantially. A target can have excellent financials, a defensible product, and a clean cap table, and still represent an unacceptable acquisition if its operational security around key custody is weak, because the value being acquired can evaporate in a single transaction signed by the wrong person or extracted through the wrong compromised device.

Security due diligence in this context has to answer three distinct questions that go beyond a conventional cyber risk assessment. First, could this target lose its core assets tomorrow because of how it currently manages access and keys. Second, has it already had incidents that reveal how its security culture actually behaves under pressure, as opposed to what its policy documents claim. Third, once the acquirer's name and infrastructure are attached to this target, what new liability does the acquirer inherit, including notification obligations, contractual SLAs with exchanges or custodians, and regulatory registrations tied to specific control frameworks. This is a fundamentally different exercise from general counterparty due diligence conducted before entering a commercial relationship, which is covered in our broader guide to crypto security due diligence. M&A diligence goes deeper because the acquirer is not just transacting with the target, it is absorbing the target's entire security posture, including its historical failures and its people.

Acquirers routinely spend weeks on financial and legal due diligence and treat security as a box-ticking exercise, a single questionnaire and a SOC 2 report skimmed by counsel. It is only after the deal closes that they discover the target's key management practices, or the absence of them, create liabilities that make the acquisition price look like it was calculated for a different, less exposed business.

The Security Data Room Checklist: What to Request

The security workstream needs its own structured request list within the data room, distinct from the general IT and cyber security items that legal counsel typically ask for. The following items should be requested at the outset, before management interviews, so that the security team can identify gaps and prepare targeted questions rather than discovering gaps during live sessions.

  • Security policies and procedures. Not a generic policy template, the actual internal documents governing access control, key management, incident response, change management and vendor risk, along with evidence of when they were last reviewed and by whom.
  • Penetration test reports covering the last 24 months. Both infrastructure and application-layer tests. Look for the full report, not an executive summary, and check whether findings were remediated and re-tested or simply acknowledged.
  • Smart contract and infrastructure audit reports. All audits performed on deployed contracts, including audits of versions that have since been superseded. Superseded audit reports still matter because they reveal what auditors previously flagged and whether those issues recurred in later versions.
  • The incident log. A complete record of security incidents, near misses and anomalies, not just events that were publicly disclosed. The gap between the incident log and public disclosures is itself a data point.
  • Access control records. Current access lists for production systems, signing infrastructure and treasury systems, along with a history of access grants and revocations over the past 12 to 24 months.
  • Vendor contracts with security SLAs. Custody providers, cloud infrastructure, HSM vendors, monitoring providers. Review the SLA terms themselves, not just the vendor list, since an SLA without meaningful remedies is not a control.
  • Insurance certificates. Crime and cyber insurance policies, including exclusions relevant to digital asset theft, which are frequently narrower than they first appear.
  • Key management documentation. Key generation ceremony records, custody architecture diagrams, signer lists for multisignature wallets, and rotation history. This is covered in detail in the following section given how often it is where diligence uncovers the most serious risk.
  • Backup and recovery procedures. For both operational infrastructure and, separately, key material and seed phrase custody. These are frequently conflated in target documentation when they should be entirely separate control domains.

A useful discipline is to request these items with an explicit deadline and to treat delay or partial production as a finding in itself. A target that cannot produce a current access control list within a week either does not maintain one, which is a material gap, or maintains it in a form that is not readily auditable, which is nearly as concerning.

Assessing Key Management Practices: The Highest-Risk Element

Of everything in the data room, key management practices deserve the most scrutiny, because they represent the single point at which a Web3 business's entire value can be destroyed by one person, one device, or one process failure. Financial statements can be restated. A compromised multisignature wallet cannot be un-compromised once funds have moved.

The assessment should establish, precisely, where every key that controls material value or contract authority actually lives, who can access it, and what has to happen for a transaction to be signed. This sounds straightforward and is rarely straightforward in practice, because target organisations often cannot produce a complete answer without being pushed, particularly if key custody has evolved informally as the business has grown.

Specific red flags to look for include the following, each of which should be treated as a material finding requiring remediation before or immediately after close, not a note for a future roadmap:

  • Private keys stored in a cloud secrets manager with no hardware security module. A cloud KMS or secrets manager is a reasonable component of a layered architecture, but if it is the sole protection for keys controlling material treasury value, that is a single point of failure sitting behind credentials that can be phished, leaked, or misconfigured. Proper practice separates key generation and signing operations into dedicated hardware, a topic covered in depth in our guide to HSM private key management.
  • Signing keys present on developer laptops. Any finding that a hot key or signing credential has ever resided on a general-purpose developer workstation, even temporarily during initial setup, indicates the key should be considered potentially exposed and a candidate for immediate rotation regardless of whether any compromise is known to have occurred.
  • Multisignature configurations with co-located signers. A three-of-five multisig where three of the signers work from the same office, use the same corporate laptop image, or report to the same manager does not provide the independence that a multisig arrangement is meant to guarantee. Geographic, organisational and infrastructure separation between signers is the entire point of the control.
  • No documented key rotation schedule. If the target cannot produce evidence of when keys were last rotated, or state a policy for when rotation should occur, this indicates that key lifecycle management is not an operating discipline, which tends to correlate with other gaps.
  • No key ceremony record. A formal key generation ceremony, witnessed, documented and ideally recorded, is standard practice for keys of material value. Its absence means there is no verifiable chain of custody from the moment the key was created, which makes it impossible to rule out that unauthorised copies exist.

Where any of these red flags are present, the acquirer should quantify the value currently exposed under the existing arrangement and treat re-architecture of key management as a pre-close condition or a Day One priority, not a nice-to-have improvement to schedule for later in the integration roadmap.

Incident History Review: What Past Events Reveal About Security Culture

A target's incident history is one of the most reliable indicators of how its security programme actually functions, as distinct from how its policies describe it functioning. Policy documents describe intent. Incident response reveals behaviour under pressure, which is what matters when the acquirer inherits the same team and the same systems.

The review should extract a small number of concrete facts from every logged incident, near miss and anomaly over the target's operating history, not just from events that reached the level of public disclosure:

  • Frequency and severity. How many incidents occurred, and what was the actual or potential financial impact of each. A pattern of low-severity incidents recurring in the same subsystem often points to an unresolved root cause rather than genuinely independent events.
  • Time to detect. How long elapsed between the incident occurring and the target becoming aware of it. Detection times measured in days or weeks, rather than hours, indicate weak or absent monitoring on the systems involved.
  • Time to respond. How long elapsed between detection and effective containment. This is a direct measure of whether the incident response plan on paper actually functions when invoked.
  • Whether root causes were addressed. Request the post-incident review for each event and check whether recommended remediations were implemented and verified, or simply logged as accepted risk. A target with a habit of accepting rather than closing findings is telling the acquirer how it will behave with the acquirer's findings too.
  • Regulatory notifications. Whether any incident triggered a notification obligation to a regulator, and whether that notification was made within required timeframes. A missed or late notification is both a historical compliance failure and a potential source of ongoing regulatory exposure that transfers to the acquirer.

It is worth stating plainly that a target having had incidents is not automatically disqualifying. Every operating business of meaningful size has had security incidents. What matters is whether the organisation detected them promptly, responded competently, fixed the underlying cause, and met its disclosure obligations. A target with two well-handled incidents and thorough remediation records is often a lower risk acquisition than one with a clean incident log that, on inspection, reflects an absence of monitoring rather than an absence of problems.

People Risk Assessment: Insider Threat and Key Personnel Dependencies

Security posture is not solely a function of systems and documentation. It depends on specific individuals, and M&A diligence has to assess that dependency directly, since the acquirer will either retain or lose these individuals as part of the transaction.

Key areas to assess include:

  • Key person dependency on security knowledge. Identify whether critical security functions, particularly key management, infrastructure architecture and incident response, depend on the institutional knowledge of one or two individuals with no documented succession or knowledge transfer. If that person's departure at or shortly after close would leave the acquirer unable to operate the security programme, this is a material integration risk that should factor into retention planning and deal structure.
  • Contractor access to sensitive systems. Review which contractors and external consultants have or have had access to production systems, signing infrastructure or customer data, and whether that access was time-bound, logged and revoked on schedule. Contractor relationships are frequently where access control discipline is weakest.
  • Recent departures from the security team. A wave of security or engineering departures in the months preceding a transaction warrants direct investigation. This can reflect ordinary attrition, but it can also indicate that departing staff identified problems, cultural or technical, that they did not believe would be fixed. Exit interview records, where they exist, are worth requesting specifically for this purpose.
  • Insider threat indicators in access logs. Look for patterns such as access outside normal working hours with no operational justification, access to systems outside an individual's role scope, or bulk data exports shortly before a departure. These do not need to indicate wrongdoing to be worth flagging, but they should be explained.

Vetting standards for personnel with privileged access are a meaningful predictor of people risk, and reviewing the target's hiring and background check practices for security-sensitive roles, as covered in our guide to employee security vetting, should be a standard part of this workstream rather than an afterthought.

Compliance and Regulatory Status Assessment

The acquirer inherits the target's regulatory footprint, including registrations, licences, and any outstanding examination findings or enforcement history. This assessment should map cleanly onto the target's actual operating jurisdictions rather than relying on generic compliance claims.

Items to assess include the status of any money transmitter, virtual asset service provider or equivalent licences the target holds, the currency of any AML and sanctions screening programme and evidence it is actually applied to transactions rather than existing only as policy, the history of regulatory examinations and whether findings from those examinations were remediated and closed, and any open investigations or enforcement actions, including informal inquiries that have not yet become public.

Third-party audits of smart contracts and infrastructure security are increasingly treated by regulators and institutional counterparties as evidence of a functioning security programme, and reviewing how the target manages its audit relationships, including whether findings from previous audits were tracked to closure, is a useful proxy for overall security governance maturity. Our guide to third-party audit management sets out what a properly managed audit lifecycle looks like and is a useful benchmark against which to assess a target's practice.

Where the acquirer operates in a different regulatory posture than the target, for example a regulated financial institution acquiring a less regulated Web3 startup, the assessment should also identify which of the acquirer's existing regulatory obligations will now extend to the target's operations, since this is frequently where post-close surprises originate.

Post-Acquisition Integration Security Plan

Due diligence findings only create value if they translate into an integration plan with clear sequencing. Security integration should not wait for the broader IT integration roadmap, because the highest-risk items, principally key custody and access, need to be addressed within days of close, not months.

Immediate priorities, to be actioned in the first days after close, should include rotation of all keys identified as high risk during diligence, particularly any key that has ever resided outside a hardware security module or on a general-purpose device. Access revocation for any employee, contractor or advisor whose role changes or ends as a result of the transaction should also happen immediately, since M&A announcements are a well understood trigger point for insider risk and departing personnel retaining live access is one of the most common post-acquisition failures. Establishing a documented access control policy that governs the combined entity from Day One, rather than allowing the target's legacy practices to persist by default, closes one of the most common gaps. Our framework for building this is set out in our guide to access control policy.

Medium-term priorities, typically addressed over the first 90 days, should include consolidation of security tooling so that monitoring, logging and alerting cover the combined estate under a single operational view rather than two parallel and potentially blind-spotted systems, and integration of incident response plans so that both organisations' teams are operating from one playbook with clear escalation paths and a single point of accountability, rather than discovering during a live incident that the two entities have conflicting response procedures.

Because security findings during M&A diligence are often technical and numerous, they need to be communicated to decision-makers, boards and investment committees who are not security specialists, in a form that supports a go or no-go decision rather than burying the signal in a long findings list. A simple three-tier risk rating applied to every material finding works well for this purpose:

  • Green: Control is adequate and consistent with good practice. No action required before close.
  • Amber: Gap exists but is not immediately exploitable or does not expose material value. Requires a remediation plan with a defined timeline, but does not need to block closing.
  • Red: Gap creates immediate exposure to material loss, regulatory breach, or an unrecoverable security failure. Requires remediation before close, a price adjustment, an escrow holdback tied to verified remediation, or in some cases should cause the acquirer to reconsider the transaction entirely.

Every finding rated Amber or Red should be accompanied by a one-line business impact statement in plain language, for example the specific dollar value exposed and the specific mechanism by which it could be lost, so that a general counsel or investment committee member with no security background can weigh it correctly against the rest of the deal terms.

Frequently Asked Questions

How is security due diligence in crypto M&A different from a standard IT security audit?

A standard IT security audit assumes conventional infrastructure: servers, endpoints, network perimeters. Crypto M&A due diligence must additionally assess irreversible-value systems, principally private key management, multisignature configurations, smart contract upgrade authority and on-chain treasury controls, where a single misconfiguration or compromised individual can result in total, unrecoverable loss of funds rather than a contained data breach.

Who should conduct the security workstream in a crypto acquisition?

The workstream should be led by specialists with direct Web3 operational security experience, not generalist IT auditors or the acquirer's existing security team unless that team has specific blockchain infrastructure expertise. Findings should be reviewed jointly with legal and corporate development so that technical risk translates into contractual protections.

What is the single most common security red flag found during crypto M&A diligence?

Inadequate key management is the most frequent and most serious finding. This includes private keys held outside hardware security modules, multisignature setups where signers share physical location or employer, and an absence of documented key rotation or key ceremony records.

Can security findings actually change the terms of a crypto acquisition?

Yes. Material security findings routinely lead to price adjustments, escrow holdbacks tied to remediation milestones, indemnification carve-outs, or a requirement that key management be re-architected before closing. In some cases, unresolved key custody risk has caused acquirers to walk away entirely.

How long does a thorough crypto security due diligence process typically take?

For a mid-sized Web3 target with an operating protocol or exchange function, a proper security workstream typically takes two to four weeks once data room access is granted, assuming responsive cooperation from the target. Complex multi-chain treasuries or targets with prior incidents can extend this considerably.

Get Security Due Diligence Right Before You Close

Book a Security Review