Cyber due diligence should occur early in the transaction lifecycle—ideally during the initial diligence phase—before terms are finalized. Early identification of cybersecurity risk allows buyers to adjust valuation, negotiate remediation, or include protections in the purchase agreement.