The Cybersecurity Blind Spot Undermining M&A Value | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Deal activity places organizations under pressure to move quickly while aligning multiple stakeholders and workstreams. In that environment, cybersecurity is acknowledged as important, yet often not examined with the same rigor as financial or legal diligence.

This creates a gap that forms early and widens as the transaction progresses.

In FTI Consulting’s Navigating Cybersecurity Risks in Transactions report, based on a survey of CISOs, M&A leaders, and general counsels, this gap is examined across the full deal lifecycle.

The findings show that cybersecurity is often not embedded early in decision-making. Coordination challenges continue through execution and into post-close integration, allowing risk to carry through the transaction instead of being addressed upfront.

Why It Matters: Cybersecurity risk directly affects valuation, deal certainty, and post-close performance. It shapes how assets are priced and influences how confidently a transaction can move forward, while also affecting how well organizations integrate after closing. When it is not addressed early and consistently, risks identified during diligence can carry into execution and later surface as financial loss or operational disruption.

• Cyber Incidents Cluster Around Deals: Nearly 1 in 4 organizations experience a cyber incident during or shortly after a deal, and 2 in 3 of those incidents involve serious events such as data theft or extortion. During transactions, sensitive data is widely shared and systems are actively changing, which divides attention and increases exposure. This combination creates a clear opening for threat actors to take advantage of timing and disruption.

• Financial Impact Is Immediate and Material: Among those affected, 69% report negative impact on the transaction. This includes 42% seeing reduced deal value, 58% falling short of financial targets, and 20% experiencing delays or pauses. In addition, 86% report indirect costs such as reputational damage or regulatory scrutiny, showing how quickly cyber issues translate into business impact.

• CISO Involvement Remains Limited: While 69% of executives recognize cybersecurity as important in transactions, only 34% of CISOs report strong involvement in decision-making. Many are not included early in diligence, and 1 in 3 do not believe they have the authority to stop a deal when risk is too high. This leaves critical expertise underutilized at key decision points.

• Deal Pressure Weakens Diligence and Coordination: Pressure to close quickly is cited by 41% of respondents as a factor that increases cyber risk. 33% of CISOs say shorter timelines raise exposure, while 40% report that threats increase during the transaction period. Despite this, collaboration remains limited. Only 17% of CISOs report stronger coordination with deal teams, compared with higher rates reported by legal and M&A leaders. This gap creates inconsistent understanding of risk and weakens response planning.

• Post-Close Risk Is Underestimated: Around 40% of organizations lack a defined cybersecurity or IT integration plan after closing. In addition, 84% report difficulty aligning systems and policies, and only 23% take a proactive approach to managing cyber risk post-close. As systems, users, and access points are combined, the attack surface expands. At the same time, attention to risk often declines, leaving organizations exposed during a critical transition period.

Go Deeper -> CISO Redefined: Navigating Transactions and the Cybersecurity Landscape – FTI Consulting