Mergers & Acquisitions Cybersecurity Risk Questionnaire
1. Company Information
Company Name
Address
Primary Contact Name
Primary Contact Email
2. Security Governance
Does the company have a documented cybersecurity policy?
Yes
No
Is there a designated person or team responsible for cybersecurity?
Yes
No
List relevant cybersecurity certifications or frameworks followed:
3. Risk Management
When was the last cybersecurity risk assessment conducted?
Are any known significant risks or vulnerabilities currently unaddressed?
Yes
No
If yes, please describe:
4. Data Protection
Types of sensitive data managed (e.g., PII, PHI, PCI):
Are there data encryption measures in place?
Yes
No
Briefly describe data retention and deletion policies:
5. Access Control
Are multi-factor authentication (MFA) mechanisms implemented?
Yes
No
How is user access reviewed and updated?
6. Incident Management
Is there an incident response plan in place?
Yes
No
When was the last security incident or breach?
Summary of recent incidents (if any):
7. Third-Party & Supply Chain Security
Are third-party vendors required to meet minimum cybersecurity standards?
Yes
No
Describe the process for managing vendor risk:
8. Additional Information
Other comments or risks to be disclosed: